php sql injection attacks

yatesy87 · 7th July 2008, 10:31 AM

hi,

One of my clients uses a simple cms system for updating pages on his website.

the problem arose last week that when inserting the ' sign it would cause an injection attack. now normally i understand that by doing a simple php replace function would eliminate this problem. unfortunately the client is a professional writer and for grammer etvc etc reasons needs to show these signs in his documents.

just wondering if anybody knows a way that the ' can be placed into the database and tehn retrieved so that it shows on the website???

TygerTyger · 7th July 2008, 11:38 AM

mysql_real_escape_string($value) when adding to the database.

stripslashes($value) when retrieving from the database.

MrBen · 7th July 2008, 11:41 AM

Check out mysql_real_escape_string which can be used to escape input so it can be safely inserted into the database.

Or move to using the new mysqli library in PHP5 for connecting to MySQL. You can then use mysqli_prepare and mysqli_stmt_bind_param. You don't need to bother escaping the input then as it is handled for you.

Ben

fluxman · 7th July 2008, 10:01 PM

in case anybody doesn't know, if you don't use mysql_real_escape string, then you can hack into password protected areas using a username/password of

Code:

' or ''='

or

Code:

' or 1=1; --

and you can even insert malicious sql statement that delete tables etc.

I was bored one morning and tried to find websites I could "hack into" using the most basic mysql attacks...I found three in my local area alone.. :S good fun tho!

(not that i'm trying to promote malicious hacking, but if you're not aware of at least the above, then you shouldn't be charging for making websites with password protected sections!)

desquinn · 7th July 2008, 11:07 PM

and that would you be breaking the law

specifically the Computer Misuse Act (1994)