03-03-2009, 03:08 AM
SQL Injection
Posts: 10,289
Name: Knight13
Location: Cleveland, Ohio
SQL injection can only be used in input fields, right? Like the input fields to log into a website or an email form? The reason I am asking is because I am using a database to store news articles and then calling the articles to my news page with PHP, and I want to make sure that is safe to do, or whether there is something I have to do to make it safe.
03-03-2009, 03:38 AM
Re: SQL Injection
Posts: 3,621
Name: Thierry
Location: I'm the uber Spaminator !
Quote:
SQL injection can only be used in input fields, right?

No.
SQL injection can be used anyplace where you send a parameter taken directly from a POST or a GET request.
Imagine a pagination system, where you choose the page to display with
PHP Code:
$page = $_GET['page'];
$offset = $page;
$sql = "select * from tableX order by ids limit 20 offset 20*$offset";
// ...
If someone uses a URL like
http://something.com/showList.php?page=2;drop table users;
then the query sent to the DB will be
Code:
select * from tableX order by ids limit 20 offset 20*2; drop table users;
which is 2 queries, in fact. And if you had a table "users", you can kiss it goodbye.
SQL injection is something to check on every page, because potentially every page can be subject to this.
__________________
Only a biker knows why a dog sticks his head out the window.
03-03-2009, 05:37 AM
Re: SQL Injection
Posts: 10,289
Name: Knight13
Location: Cleveland, Ohio
The code below is what I am using to add the articles from the database into the news page that I made from HTML. Now how is a person going to use SQL injection to mess it up? And what do I have to do to the code below to stop them from doing it? Because I do not understand how they are going to use a GET or POST out of this code; I am totally lost.
Code:
<?php
# Connects to the MySQL database (host, user and password are quoted strings)
mysql_connect('localhost', 'username', 'password') or die(mysql_error());
mysql_select_db("news") or die(mysql_error());
# Echoes out all the information from the news table
$query = "SELECT * FROM news";
$result = mysql_query($query) or die(mysql_error());
while ($row = mysql_fetch_array($result))
{
    echo "<b>" . $row['date'] . "</b>";
    echo "<br/><br/>";
    echo "<b>" . $row['article'] . "</b>";
    echo "<br/><br/>";
    echo "<b>" . $row['myname'] . "</b>";
    echo "<hr/>";
}
?>
Before anyone says anything, I know this code is not that good, but I am new to PHP and I need to practice with something.
03-03-2009, 05:51 AM
Re: SQL Injection
Posts: 3,621
Name: Thierry
Location: I'm the uber Spaminator !
I have nothing to say about this code; don't be too hard on yourself.
Everyone had to learn at some point, and it's the experience that makes the difference in the end.
Besides, this code is not subject to SQL injection in this form, because you don't use anything that comes from $_POST, $_GET or $_REQUEST to create your SQL query.
That's the key to SQL injection: you use outside values to build your query.
If you don't use those outside values, then you have no risk.
03-04-2009, 01:52 AM
Re: SQL Injection
Posts: 10,289
Name: Knight13
Location: Cleveland, Ohio
Well, at least that is one less thing I have to worry about. Thanks tripy and rogem002.
03-04-2009, 10:23 AM
Re: SQL Injection--Tripy follow-up question
Posts: 1,606
Quote:
Originally Posted by tripy
Besides, this code is not subject to SQL injection in this form, because you don't use anything that comes from $_POST, $_GET or $_REQUEST to create your SQL query.

Tripy, if I correctly understand what I think you said, you have managed to help me understand in one sentence what reading pages of articles has failed to do.
A $_POST, $_GET or $_REQUEST must be involved for there to be any possibility of a SQL injection attack?
A follow-up. Do those three items have to involve an existing database query (one that exists within the script) in order to be exploited? Or can something nasty be constructed from any $_POST, $_GET or $_REQUEST?
I just want to make sure I finally have the beginning of an understanding here.
03-04-2009, 11:01 AM
Re: SQL Injection
Posts: 3,621
Name: Thierry
Location: I'm the uber Spaminator !
Quote:
A $_POST, $_GET or $_REQUEST must be involved for there to be any possibility of a SQL injection attack?

Yes. To inject something, the attacker has to feed you data from the outside.
Except if you implemented something like "index.php?killIt=1" which does a "drop database", but then it's your fault.
Quote:
Do those three items have to involve an existing database query (one that exists within the script) in order to be exploited? Or can something nasty be constructed from any $_POST, $_GET or $_REQUEST?

Not necessarily.
If you use eval(), and the attacker manages to get code into what you fetch from those arrays, then it could be damaging.
And in that case, we speak of XSS, or cross-site scripting.
Quote:
I just want to make sure I finally have the beginning of an understanding here.

It looks like it's the case :-)
03-04-2009, 02:23 PM
Re: SQL Injection
Posts: 10,289
Name: Knight13
Location: Cleveland, Ohio
Are there any good articles around that talk about ways to prevent SQL injection? I would like to read some very good articles or even books about SQL injection security.
03-04-2009, 02:58 PM
Re: SQL Injection
Posts: 3,621
Name: Thierry
Location: I'm the uber Spaminator !
Quote:
Are there any good articles around that talk about ways to prevent SQL injection? I would like to read some very good articles or even books about SQL injection security.

I honestly cannot say.
But preventing it is very simple:
PHP Code:
<?php
$_GET = array('page' => '2;drop table users;');   // simulate the request parameter
$pageNasty = $_GET['page'];
$query = "select * from listing limit 5 offset $pageNasty";
print 'nasty query:';
var_dump($query);
// outputs
// nasty query:string(56) "select * from listing limit 5 offset 2;drop table users;"

$pageClean = (int) $_GET['page'];
$query = "select * from listing limit 5 offset $pageClean";
print 'checked query:';
var_dump($query);
// outputs
// checked query:string(38) "select * from listing limit 5 offset 2"
The trick is that PHP 5 allows you to force the type of a variable.
Here, giving
PHP Code:
$page = (int) $_GET['page'];
forces PHP to only consider what looks like an integer at the beginning of the variable.
A simple way to defeat injection, though, is to write a simple function like this one:
PHP Code:
function cleanParam($par) {
    $ret = False;
    $reservedWords = array('select', 'delete', 'update', 'alter', 'drop', 'truncate');
    $par = trim(addslashes($par));
    foreach ($reservedWords as $word) {
        if (stripos($par, $word, 0) !== FALSE) {
            /* we have found a reserved keyword in the parameter.
               We return FALSE as the parameter value */
            return FALSE;
        }
    }
    // No prohibited keyword has been found, we return the parameter value
    return $par;
}
Then you'll just have to send your params through this function to have them clean.
PHP Code:
$_GET = array('page' => '2;drop table users;');
$pageFunc = cleanParam($_GET['page']);
// if the param value is FALSE, you should initialize the variable value, or write
// your code to handle a variable with a boolean result rather than an integer
if ($pageFunc === FALSE) { $pageFunc = 0; }
$query = "select * from listing limit 5 offset $pageFunc";
print 'through function query:';
var_dump($query);
// outputs
// through function query:string(38) "select * from listing limit 5 offset 0"
Last edited by tripy; 03-04-2009 at 03:01 PM..
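The pagination injection from tripy's first reply and the (int) cast and cleanParam() filter from the reply above, side by side in one runnable script. This is an added example, not code from the thread. It assumes PHP with the pdo_sqlite extension and builds an in-memory SQLite database, so the news and users tables, their rows, the payloads and the function names (articleUnsafe, articleCast, articlePrepared) are all made up for the demonstration. It shows two things the posts do not: the keyword blacklist misses a payload that uses none of the listed words (0 OR 1=1) while rejecting harmless input that happens to contain one (dropbox), and a UNION inside the injected value reads another table from a single SELECT, so an attacker does not need the stacked "drop table" of the first reply (mysql_query() sends one statement per call and would not run it anyway). Prepared statements are the general fix; the cast is adequate only for purely numeric parameters.

```php
<?php
// Added example (not from the thread). In-memory SQLite through PDO so it runs
// without a MySQL server; tables, rows and payloads are made up for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE news (id INTEGER PRIMARY KEY, date TEXT, article TEXT, myname TEXT)");
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass TEXT)");
$db->exec("INSERT INTO news VALUES (1, '2009-03-01', 'First article', 'Knight13')");
$db->exec("INSERT INTO news VALUES (2, '2009-03-02', 'Second article', 'Knight13')");
$db->exec("INSERT INTO users VALUES (1, 'admin', 's3cret')");

// The keyword blacklist from the thread, as posted apart from the unused $ret.
function cleanParam($par) {
    $reservedWords = array('select', 'delete', 'update', 'alter', 'drop', 'truncate');
    $par = trim(addslashes($par));
    foreach ($reservedWords as $word) {
        if (stripos($par, $word) !== false) {
            return false;           // a listed word was found: reject the value
        }
    }
    return $par;
}

// 1. Interpolation: the request value becomes part of the SQL text.
function articleUnsafe(PDO $db, $id) {
    $sql = "SELECT date, article, myname FROM news WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. The thread's (int) cast: only a leading integer survives, so the value
//    cannot carry SQL. Usable for numeric parameters only.
function articleCast(PDO $db, $id) {
    $id = (int) $id;                // "0 OR 1=1" becomes 0
    $sql = "SELECT date, article, myname FROM news WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: the value is bound, never parsed as SQL. This also
//    covers string parameters (author names, search terms) where no cast applies.
function articlePrepared(PDO $db, $id) {
    $st = $db->prepare("SELECT date, article, myname FROM news WHERE id = ?");
    $st->execute(array($id));
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Two payloads an attacker could put in ?id=. Neither needs a second statement.
$dumpAll   = "0 OR 1=1";                                   // no blacklisted word in it
$readUsers = "0 UNION SELECT login, pass, 'x' FROM users"; // contains "select"

print "unsafe, 0 OR 1=1: " . count(articleUnsafe($db, $dumpAll)) . " rows (every article)\n";
print "unsafe, UNION:\n";
print_r(articleUnsafe($db, $readUsers));                   // login and password come back as date/article

print "blacklist on 0 OR 1=1: ";
var_dump(cleanParam($dumpAll));                            // string(8) "0 OR 1=1": passes, still injectable
print "blacklist on a harmless search term: ";
var_dump(cleanParam("dropbox"));                           // bool(false): false positive on "drop"

print "cast, 0 OR 1=1: " . count(articleCast($db, $dumpAll)) . " rows\n";           // 0 rows
print "prepared, 0 OR 1=1: " . count(articlePrepared($db, $dumpAll)) . " rows\n";   // 0 rows
print "prepared, UNION: " . count(articlePrepared($db, $readUsers)) . " rows\n";    // 0 rows
$rows = articlePrepared($db, "2");
print "prepared, id 2: " . $rows[0]['article'] . "\n";                              // Second article
```

Run it with the php command-line binary. The bound parameter is compared as a value, so "0 OR 1=1" simply matches no id, while a genuine "2" still finds the second article. The same rule covers every request-derived value, including $_COOKIE and $_SERVER headers such as HTTP_USER_AGENT that the last post in the thread raises: bind it, do not filter it.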
03-04-2009, 07:55 PM
Re: SQL Injection
Posts: 10,289
Name: Knight13
Location: Cleveland, Ohio
Thanks tripy. As long as I know there is a way to fight against SQL injection, that will ease my mind a little bit when I start looking into security.
03-04-2009, 08:00 PM
Re: SQL Injection
Posts: 142
Name: Corey
Location: United States
Quote:
Originally Posted by Knight13
Thanks tripy. As long as I know there is a way to fight against SQL injection, that will ease my mind a little bit when I start looking into security.

If you haven't already read it, I recommend reading this article/tutorial on PHP security once you start looking into it: http://www.phpfreaks.com/tutorial/php-security/.
Last edited by Corey; 03-04-2009 at 08:13 PM..
03-05-2009, 07:10 PM
Re: SQL Injection
Posts: 457
Name: Randy
Location: Northern Wisconsin
Thanks tripy for all this code!
I may be in the same boat with learning PHP as Knight13 seems to be. I am getting the PHP thing, but I feel I will never be ready for my code to be "out there" in the real world with all these hackers!
I have been reading all these security articles and thinking, gosh, why can't I just NOT allow words like DROP, etc. in the GET variable?
I still don't get the security issue of people directly accessing your code, e.g. how CodeIgniter uses this at the top of their validation code:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
If those are PHP pages, they wouldn't be parsed anyway if called directly, right?
Thanks!
03-06-2009, 11:26 AM
Re: SQL Injection
Posts: 11
A simple rule to avoid injection is to expect errors and handle them. Check the variable or data received before processing.
03-06-2009, 11:37 AM
Re: SQL Injection
Posts: 3,621
Name: Thierry
Location: I'm the uber Spaminator !
Quote:
If those are PHP pages, they wouldn't be parsed anyway if called directly, right?

Of course they would...
What would prevent them from being parsed? If they are valid PHP code, they will be run.
Quote:
How CodeIgniter uses this at the top of their validation code:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

I never used CodeIgniter, but they probably force you to pass via a predefined entry point (the controller), and this controller instantiates some variables.
This means that if a user reaches a PHP file without going through the controller, as those variables will not be there, this one-liner will stop the PHP engine before it parses the file.
03-06-2009, 12:01 PM
Re: SQL Injection
Posts: 457
Name: Randy
Location: Northern Wisconsin
Sorry, I shouldn't have asked it that way. I meant that if it was something like a config file for connecting to the database, in which there was nothing "echoed" to a page within that code, then calling it directly wouldn't show anything anyway.
One more quick question: what does $ret=False do in the code above?
function cleanParam($par){
$ret=False;
I am not seeing that variable referenced anywhere else?
03-06-2009, 01:39 PM
Re: SQL Injection
Posts: 3,621
Name: Thierry
Location: I'm the uber Spaminator !
Quote:
What does $ret=False do in the code above?

My bad.
I'm used to having a $ret variable that holds the return value.
I didn't even see that I was not using it...
It serves no purpose here; you can drop that line.
03-09-2009, 12:46 AM
Re: SQL Injection
Posts: 41
Name: Parijat Roy
Location: INDIA-KOLKATA
You people forget about $_SERVER along with $_REQUEST, $_POST and $_GET.
If you are storing the browser and IP of any person in a database and you take them from $_SERVER variables, please do consider filtering them before adding them to the database, because anyone can attack using a changed browser name and header functions.