PHP & Mysql injection in phplist

11-07-2006, 06:06 PM
#1
ktsirig

Hello all,
I want to secure a page which uses the script of "phplist". Basically this script stores username, name, surname, email etc. of users in order for the company to send newsletters to their clients.
Apart from stripping slashes, backslashes etc. or special characters, are there any other ways to protect the data stored in the db from someone who wants to "lay their hands" on them?

Thank you!

11-07-2006, 06:39 PM
#2
Bas

You have to add slashes, convert special characters, and possibly do a regular expression check. Example: for username you can use a-z only.

11-11-2006, 01:43 AM
#3
smallbadad

OK, basically, if possible try not to use the GET method in a form, as it is a lot easier to try and SQL inject. If you have vars with the username and password of the database, try and unset them once un-needed, as people may attempt to stop a page then call for that var. Other than that, basically just strip slashes and HTML really. Unless it's a massive list no one will really try and attack it.

11-16-2006, 09:13 PM
#4
stropple

Fixing slashes does a great job in preventing SQL injections, but if you are really paranoid, check for things, just before you query, like where the syntax of the SQL query is wrong compared to how you want it: are there too many ";" for example, is the "AND" phrase used too often compared to the one you used, are there too many "=" signs in the SQL? Try thinking along those lines if you really want to have Fort Knox style security.

11-16-2006, 09:46 PM
#5
Cooleo

Adding slashes covers SQL injection.
For those of you who don't know what SQL injection is:

Say you have a query (I see so many unprotected queries like this on tutorial sites):
PHP Code:
// Unprotected: $_POST values are interpolated straight into the SQL string
$q = mysql_fetch_assoc(mysql_query("SELECT *, COUNT(*) as found FROM users WHERE username='$_POST[username]' AND password='$_POST[password]' LIMIT 1"));
if ($q['found'])
{
    // A row was found, so the visitor is treated as logged in
    echo "User found, thanks for logging in $q[username]";
}

Now, let's say I enter:
admin
in the username text input box.

Then I enter:
' OR 1='1
in the password input text box.

Now let's look at the query:

SELECT *, COUNT(*) as found FROM users WHERE username='admin' AND password='' OR 1='1' LIMIT 1

That will find a row since 1=1, that's a basic logic query. Now we are logged in since a row is found and the username is now admin.

11-24-2006, 05:06 PM
#6
fernand

It depends. If magic_quotes_gpc is turned on, the single quote will be converted to \' before being inserted into the query.

However, currently magic_quotes_gpc is turned back to off. SQL injection is the developer's responsibility, not PHP's. If one wants to sanitize the GPC, he can use the input filter from PECL.
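
The login query from post #5 next to a parameterized version, as an added example that is not part of any poster's message or of phplist's own code. It assumes PHP with the pdo_sqlite extension; the table layout, the account and its password are constructed, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example: the table, account and password below are constructed sample data.
// Assumption: SQLite in memory replaces MySQL only to keep the script self-contained.

// The query from post #5, built the same way: input is pasted into the SQL text.
function build_unsafe_query(string $user, string $pass): string
{
    return "SELECT *, COUNT(*) as found FROM users "
         . "WHERE username='$user' AND password='$pass' LIMIT 1";
}

// Hardened login: placeholders keep input out of the SQL text, and the password
// is verified against a stored hash instead of being compared in the WHERE clause.
function safe_login(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();   // false when no row matches the username
    return $hash !== false && password_verify($pass, $hash);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['admin', password_hash('constructed-admin-pw', PASSWORD_DEFAULT)]);

$payload = "' OR 1='1";   // the password-box input quoted in post #5

// 1. String building: the quote inside the input ends the SQL literal early,
//    so the rest of the input is parsed as part of the statement.
echo build_unsafe_query('admin', $payload), "\n";

// 2. Prepared statement: the same input is only ever bound as a value.
var_dump(safe_login($db, 'admin', $payload));                // payload as password
var_dump(safe_login($db, $payload, $payload));               // payload in both fields
var_dump(safe_login($db, 'admin', 'constructed-admin-pw'));  // the real password
```

The first line printed is the rewritten statement shown in post #5; the three `var_dump` calls show whether each login attempt is accepted when the input is bound rather than concatenated.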
