hi can someone tell me if this will somewhat stop ppl trying to use MSSQL Injection?
gone.
Thank you.
hmm, anyone? No one can tell me if this will block SQL injections??!!??!!
The only things you have to block are the characters ' and ". You can use addslashes(); for this. Also: be sure the user you use for MSSQL has only the permissions he needs (if that is possible; with MySQL it IS possible). So permissions like CREATE or DROP are advised to be forbidden.
The next best thing to do is set up a cron job that does nightly backups.
Btw, in your second source on top you have on the end of the array ',);'. Get rid of that ','.
Another one:
$conn = mssql_connect("$dbhost", "$dbuser", "$dbpasswd");
Why not just:
$conn = mssql_connect($dbhost, $dbuser, $dbpasswd);
$out=$out."2C"; can be $out.="2C";
Also: read more about CSS. CSS Advanced Tutorial | HTML Dog has good tutorials on how to use CSS for positioning, instead of HTML (wrong).
Good luck
User rights management in MSSQL is a lot more advanced than in MySQL (at least when comparing MySQL 5 to MSSQL2005) so yes, be sure to set the rights for your user to a bare minimum. I once made a flash tutorial for this in the MuOnline section, dunno if it's still there, you'd have to search for it.
Note that in the rules it is quite explicitly stated that we do not allow people to just dump their code and expect us to fix it. Now this is somewhat of a border topic since you are only asking whether or not it is good code, not asking to fix the problems with it, but be sure to keep this in mind if you make new topics.
More ontopic, as Daevius said, addslashes ought to be secure enough. Be sure to check magic_quotes_gpc first though, so you're not adding slashes twice:
PHP Code:
    // Only add slashes when magic_quotes_gpc has not already done so,
    // otherwise the value ends up escaped twice
    if (!get_magic_quotes_gpc()) {
        $variable = addslashes($_POST['variable']);
    } else {
        $variable = $_POST['variable'];
    }
Blocking ' " isn't all.
You need to block 0x as well, because I can create ' in an MSSQL database that doesn't look like a quote to a PHP script.
Your antiinjection should add a -- and a 0x to your script.
Addslashes won't save you against a decent SQL injector, but it will from script kiddies.
Good point, it's also mentioned in the PHP manual comments here complete with sample code :smile:
Hmm, didn't know that, thanks :)
Neither addslashes() nor magic_quotes is safe :-)
A requirement for driver-specific escaping of illegal characters is the only true way. In MySQL it's done with mysql_real_escape_string.
Personally I'd recommend using prepared statements, which can be accessed via the PDO extension. It'll do driver-specific escaping.
I've seen a lot of sites (especially from the Kal section ;-)) get hacked because they trusted magic_quotes :-)
And make sure you read the thing in bold twice, it's as important as it can get :)
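As an added example (not code from any poster in this thread), this is what the prepared-statement approach recommended above looks like with PDO against MSSQL, next to the escaping-only approach it replaces. The pdo_sqlsrv driver, the `players` table and its columns, and the connection details are assumptions.

```php
<?php
// Added example: bound parameters with PDO instead of escaping.
// Assumed: the pdo_sqlsrv driver is installed and a table `players`
// with columns `name` (varchar) and `score` (int) exists.
function connect(string $host, string $db, string $user, string $pass): PDO
{
    $dsn = "sqlsrv:Server=$host;Database=$db";
    $pdo = new PDO($dsn, $user, $pass);
    // Throw on errors instead of silently returning false.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Escaping only: the user-controlled value still becomes part of the SQL
// text. addslashes() touches only ' " \ and NUL, so anything placed in a
// numeric position (or written as a hex literal) passes through unchanged.
function findByScoreEscapedOnly(PDO $pdo, string $score): array
{
    $sql = "SELECT name FROM players WHERE score = " . addslashes($score);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the value travels as a bound parameter, never as SQL
// text, so quotes, hyphens, newlines and hex literals are all just data.
function findByScore(PDO $pdo, int $score): array
{
    $stmt = $pdo->prepare("SELECT name FROM players WHERE score = :score");
    $stmt->bindValue(':score', $score, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function insertPlayer(PDO $pdo, string $name, int $score): void
{
    $stmt = $pdo->prepare(
        "INSERT INTO players (name, score) VALUES (:name, :score)"
    );
    $stmt->execute([':name' => $name, ':score' => $score]);
}

$pdo = connect('localhost', 'gamedb', 'app_user', 'secret');
// A name containing a quote is stored as-is: no slashes, no doubled quotes.
insertPlayer($pdo, "O'Brien", 42);
var_dump(findByScore($pdo, 42));
```

The bound value never needs addslashes(), magic_quotes or quote doubling, and the stored string comes back exactly as entered.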
PDO extension isn't available by default, makes it harder to install. Of course, same can be said about the MSSQL extension, but at least that one's compiled in by default IIRC.
What I generally use myself is a combination of htmlspecialchars and addslashes; it gets you most injections. Combine that with limited rights for the SQL user and you're pretty safe.
Alternatively you can use odbc_prepare and stored procedures. More work but definitely safe :smile:
ok, time to save this on my disk... getting sick of not being able to read this cuz of the DDoS attacks... -_-'' thx.
Quote:
    PDO extension isn't available by default, makes it harder to install.
That your site gets injected should be a good reason to poke the provider xD They are just soo lazy to deny installing such normally :(
Hi,
Working with applications, I just replace a single ' symbol with two ('') and in this way I write just one ' symbol into the DB with no slashes at all, and when I do a database select query I receive just the ' symbol without any problems (really, I hate guys who use slashes for this... I have been working a lot of years in this and saw not one system where developers re-re-re-slashed some values in the DB like \\\\'. Hate this!).
Just don't forget: I replace the symbol ' NOT with the symbol " but with two ' symbols; it's just that optically two ' symbols look like a " symbol.
Example in pseudo programming language:
    someString = "All it's so easy here";
    // Replace returns a new string, so assign the result back
    someString = someString.Replace("'", "''");
    sql = "insert into sometable (somefieldname) values ('" + someString + "')";
    DO QUERY --> sql
(tested on MS Access, MSSQL, MySQL, SQLite, etc.)
If we are talking about web, then we additionally need to filter the < and > symbols; the best way is to replace < and > with their HTML codes, &lt; and &gt;, and then you protect your webpage from some JavaScript injection assault.
Always keep it fun.
agira
Your idea is fine, but far far from secure ;-) You would be surprised how much fun I can make with a newline and 2 hyphens.
htmlspecialchars()
addslashes()
strip_tags()
mysql_real_escape_string()
magic_quotes()
I vary between them (sometimes using more than one on each variable); should be safe enough.
I don't see any point in creating an array in order to prevent a SQL injection.
Well, what I'd do:
Use addslashes() with mysql_real_escape_string() for DB inputs, and htmlspecialchars() for DB outputs, and the security should be OK.
For example:
PHP Code:
    <?php
    // Escape for HTML when displaying values read from the database
    function db_output($output) {
        return htmlspecialchars($output);
    }

    // Escape for SQL before putting a value into a query, preferring the
    // connection-aware escaper and falling back to addslashes() when the
    // MySQL extension is not loaded
    function db_input($input) {
        if (function_exists('mysql_real_escape_string')) {
            return mysql_real_escape_string($input);
        } elseif (function_exists('mysql_escape_string')) {
            return mysql_escape_string($input);
        }
        return addslashes($input);
    }
    ?>