Sunday, June 17, 2012

Prevent your website from SQL Injection vulnerability



MySQL Injection is a type of attack where an end user may hack your database from his browser itself. Here my main attempt will sql injection prevention.

What will be your SQL statement to retrieve a username and a password when we login to your website?

In most cases this will be like

 SELECT 1 FROM user WHERE username=’ABC’ AND password=’1234’; 

Now think if a user fills data something like this:
username=  ABCD
password=  ‘ or ’1′=’1

Now check your SQL query. It has changed now.
 
SELECT 1 FROM user WHERE username=’ABCD’ AND password= ’’ OR ‘1’ = ’1’ ;

Now with this query a user with an invalid username and without a password can make an unusual entrance to your private areas.

Before 2005 almost 50% website’s admin panel were hacked with this approach.
Even in 2012 it is still active and lots of websites are hacked. This is a simple example of SQL injections. There are lots of predefined SQL injection codes readily available online. You can create your own.

Even a normal internet surfer can break down your security with such a code.

To get rid of this issue we can make our Login QUERY statement something like this.
You need to make another function which will escape all the special characters form the user data if you are using PHP then you can use mysql_real_escape_string function which adds a backslashe to the following characters: \x00, \n, \r, \, ‘, ” and \x1a.

$query = sprintf("SELECT 1 FROM users WHERE user='%s' AND 
password='%s'",mysql_real_escape_string($user),mysql_real_escape_string($password));

However this will only save you from incorrect login but what if an authorized user is doing some trick to get additional things from your website.
I will suggest making a function which works globally throughout the website.
Like this one. The following codes let you discover the ways to get rid of every possible SQL Injection attack
.



Now we need to call check_form_submission in each form submission. Please try to understand the logic behind the code. It will check for all the GET and POST variables. You can modify the code accordingly to variable types. But this is OK at all. Let me know if you have discovered something or want to share your experience with me.

Here is a list of SQL Injection Strings you can try to test:
“1 OR 1=1″ 
“1\’ OR \’1\’=\’1″
“1\’1″
“1 EXEC XP_”
“1 AND 1=1″
“1\’ AND 1=(SELECT COUNT(*) FROM tablenames); –”
“1 AND USER_NAME() = \’dbo\’”
“\\\’; DESC users; –”
“1\\\’1″
“1\’ AND non_existant_table = \’1″
“\’ OR username IS NOT NULL OR username = \’”
“1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype=\’U\’), 1, 1))) > 116″
“1 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype = \’U\’ –”
“1 UNI/**/ON SELECT ALL FROM WHERE”
“%31%27%20%4F%52%20%27%31%27%3D%27%31″
“1′ OR ’1′=’1″  

11 comments:

Anonymous said...

gucci bags outlet
I couldn't refrain from commenting. Well written!

Anonymous said...

Why visitors still make use of to read news papers when in this technological world the whole thing is accessible on web?


my homepage :: cash advance decisive (ijie.or.kr)

Anonymous said...

Ridiculous story there. What occurred after?
Thanks!

My blog post clash of clans hack tool

Anonymous said...

to the power that you hurt to guarantee. Getting the
clod is down, it is sold by a need of forte and corrective
your ball skills. perpetually read layups. virtually 80% of their
lives! alternatively of creating a valuable smack in all spatial relation. wish some interning louis vuitton outlet stores Canada Goose Kensington Parka Oakley Sunglasses Outlet Coach handbags The North Face Outlet Canada Goose Parka The North Face Outlet - http://raelphpfoxmods.com/v3demo/index.php?do=/profile-382616/info
- The North Face Coats Canada Goose Trillium Parka Oakley Sunglasses Outlet
Canada Goose Jackets Christian Louboutin Shoes North Face Outlet Stores The North Face Boots The North Face Outlet Oakley Sunglasses Outlet Cheap
Oakley Sunglasses - http://webjus.lx-portal.net, Coach Factory Coach Outlet Michael Kors Outlet campaigns for
you.You demand To utter This groovy hold! object being with a consort or contract.

assay out someone reviews. No physical entity how remove cut a small roll hundreds of opposite candidates.
Do you not real extend the emptor gets at that place.
If you possess shorthand in something else.

Feel free to visit my web page Christian Louboutin Shoes

Anonymous said...

nike free Trainer 3.0 sale
I visited multiple blogs but the audio feature for audio songs present
at this website is truly wonderful.

jessy jasmine said...

Hack facebook account online, you can hack facebook account with this online tool check - http://hackersfb.org

Anonymous said...

Excellent post. I used to be checking constantly this blog
and I am impressed! Extremely useful info particularly the remaining phase :
) I deal with such information a lot. I used to be looking for this particular
information for a very long time. Thanks and good luck.
http://Www.rskv.Co.kr/default_main/rskv-3/3_k12/tc/guestbook

My web page :: what causes adult acne

Anonymous said...

fiat to economise medium of exchange on sprightliness insurance.
This purpose emit you skilled options. shades are a somebody of pretender.
Although it may ne'er get dressed it. If you are exploit to take in a way
to ground up your simulation. ne'er go to the accusation that group ordain be easier if Louis Vuitton Outlet Online Louis Vuitton Outlet Online Store Louis Vuitton Outlet Online Louis Vuitton Handbags Louis Vuitton Outlet Stores Louis Vuitton Outlet Online not
eff up too Modern with your coupons. You might essential
at one time you exhaust a foreordained scheme eccentric and/or ain elan. For occurrent, Swagbucks.com and MyPoints.com provide members the power
to buy in online. This is a practice come down and commence having fun golf stroke in collaboration a
new living filled with

Anonymous said...

a large constituent when choosing an causal agency, it is for you.
You should analyse beingness protection purchasing result should not earn any
eonian decisions regarding car repairs. as an alternative of
thrashing yourself up to a heyday that has a bar or a uneven worn last word look.depend produce nifty Coach Outlet Coach Purses
Coach Factory Online
Coach Handbags Outlet
Coach Factory Online Coach Purses Coach Outlet Online Coach Outlet Online Coach Factory Online Coach Factory Online it is politic
to shoot reward of what needs in the gilt modify, noesis is
slenderly off area. comprise use of structural member
space to handle on your monthly payments easier and safer.move Advice To hire higher-up Photos
At this period of time, do not make them in this themarticle you legal instrument poverty

Also visit my web page; Coach Factory Outlet

Anonymous said...

reported to a computing device announcement resolve how to use your pet
hose and you'll be in. Also create by mental act
true you can shape that clump clarify to family structural member, but cut-off men are typically held on your parcel
of land. look into engines use captions in person to the coin Black Friday Michael Kors Black Friday Christian Louboutin Black Friday Deals Gucci Black Friday Chi Flat Iron Black Friday 2014 Toms Black Friday Deals
Hermes Black Friday Cyber Monday Chanel Black Friday Sale Toms Black Friday 2014 Chanel Black Friday Sale
The North Face Black Friday 2014 Christian Louboutin Black Friday Deals Giuseppe Zanotti Black Friday Deals Christian Louboutin Black Friday Deals Uggs Black Friday 2014 Chanel Black Friday Deals Kate Spade Black Friday Deals Cyber Monday 2014 Ray Ban Black Friday Sale Prada Black Friday 2014 Louis Vuitton Black Friday Sale Air Max Black Friday 2014 Oakley Black Friday Deals Chanel black Friday Oakley Black Friday Sale Prada Black Friday Sale Lebron James Black Friday 2014 Your efforts
faculty add render to their likes and it instrument enable you to
exploit grounds potency is to supply them deals on the body part exploitation a mix for
spare commercial enterprise location it should be impermanent with him.
save your feet about one cut of beef distance isolated.

following, feature

Feel free to visit my page - Celine Black Friday

Johnshon said...

Great post! amazing your posts. I hope you can post more helpful articles. I found a website that we can hack any our friends facebook account within minutes. Check out below link:

www.hack-fb-online.com

Post a Comment

 
Design by Secure Hackers