Guru's advice needed ........[Security: SQL injection]

2004-03-19       - By Matt Chatterley

This reply has two purposes.

Firstly, a small suggestion (modest compared to the others which will
follow, no doubt!) - check out mysql_escape_string() - this may be useful to
you.

Secondly, a further question:

In addition to protecting against SQL Injection, has anyone here
experimented with detecting and recording attempts at injection?

I've been pondering checking strings which come directly from user input for
SQL keywords (and possibly using regexps to check for potential SQL syntax
fragments), but before I begin, I thought asking would benefit me, if
someone with more experience has already tried this...


Thanks,

Matt

-----Original Message-----
From: Tariq Murtaza [mailto:tariq@(protected)]
Sent: 19 March 2004 18:41
To: php-general@(protected); mysql@(protected)
Subject: Guru's advice needed ........[Security: SQL injection]

Dear Friends!

Can someone shed some light on how a "SQL injection" attack occurs when
magic_quotes_gpc is "ON" and how it prevents when it's "OFF"? To my
understanding, apostrophes are escaped automatically in POST/GET/COOKIE
when it's ON, so how does it tend towards SQL injection?

Someone suggested keeping magic_quotes_gpc OFF through the .htaccess file
and using the following lines of code at the start of the file to prevent attacks...

<?php
/**
 * Checks for magic_quotes_gpc = On and strips them from incoming
 * requests if necessary
 */
if (get_magic_quotes_gpc()) {
    $_GET = array_map('stripslashes', $_GET);
    $_POST = array_map('stripslashes', $_POST);
    $_COOKIE = array_map('stripslashes', $_COOKIE);
}
?>

But unfortunately it does not work for nested POST requests. Does anyone
have a better idea?
Secondly, why do we have to stripslashes while the DB (MySQL for example) is
doing it for us on execution? And another question arises: doesn't it
prevent SQL injection attacks when apostrophes are escaped in the query?

What are the best practices for handling 'quotation marks' in input strings,
and how to prevent SQL injection?

Looking forward to some advice from the panel of experts on the forum.
Thanks and have a nice day!

Cheers!
Tariq




--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=mysql@(protected)
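
The nested-POST problem raised in the quoted message, shown as an added example that is not part of the original thread: a recursive strip that reaches every nesting level, followed by bound parameters so that no quote escaping is needed at all. The function name strip_slashes_deep, the sample input and the users table are made up for illustration, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not code from the thread. Names and data are illustrative.

/**
 * Undo magic_quotes_gpc-style escaping at any nesting depth.
 * array_map('stripslashes', $_POST) breaks on input such as
 * name="user[name]" because stripslashes() is then handed an array.
 */
function strip_slashes_deep($value)
{
    return is_array($value)
        ? array_map('strip_slashes_deep', $value)   // recurse, keys preserved
        : stripslashes($value);
}

// Constructed sample: a nested POST after magic quotes (addslashes)
// has been applied to each leaf value.
$post = array(
    'user' => array(
        'name' => addslashes("O'Brien"),
        'tags' => array(addslashes('a"b')),
    ),
    'id' => '42',
);
$clean = strip_slashes_deep($post);

// Bound parameters keep the data out of the SQL text entirely.
// Assumption: PDO with the SQLite driver is available; for MySQL
// only the DSN and credentials passed to PDO change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER, name TEXT)');

$ins = $db->prepare('INSERT INTO users (id, name) VALUES (:id, :name)');
$ins->execute(array(
    // Cast numeric input: escaping quotes does nothing for a value
    // that is placed in a query without surrounding quotes.
    ':id'   => (int) $clean['id'],
    ':name' => $clean['user']['name'],
));

$sel = $db->prepare('SELECT name FROM users WHERE id = :id');
$sel->execute(array(':id' => (int) $clean['id']));
echo $sel->fetchColumn(), "\n";   // the name is stored with its apostrophe intact
```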