Sunday, June 17, 2012

Prevent your website from SQL Injection vulnerability



MySQL injection is a type of attack in which an end user can compromise your database from nothing more than his browser. My main aim here is SQL injection prevention.

What does your SQL statement look like when it checks a username and password at login to your website?

In most cases it will be something like this:

 SELECT 1 FROM user WHERE username='ABC' AND password='1234';

Now think about what happens if a user fills in data like this:
username=  ABCD
password=  ' or '1'='1

Check your SQL query again. It has changed:

SELECT 1 FROM user WHERE username='ABCD' AND password='' OR '1'='1';

With this query a user who supplies an invalid username and no real password gets into your private areas.

Before 2005 almost 50% of websites' admin panels were hacked with this approach.
Even in 2012 it is still active and lots of websites are hacked. This is a simple example of SQL injection. There are lots of predefined SQL injection strings readily available online, and you can create your own.

Even an ordinary internet surfer can break your security with such a string.

To get rid of this issue we can build our login query like this.
You need another function that escapes all the special characters from the user data. If you are using PHP you can use the mysql_real_escape_string function, which adds a backslash before the following characters: \x00, \n, \r, \, ', " and \x1a.

 $query = sprintf("SELECT 1 FROM users WHERE user='%s' AND password='%s'",
                  mysql_real_escape_string($user),
                  mysql_real_escape_string($password));

However, this only saves you from an incorrect login. What if an authorized user is doing some trick to get additional things from your website?
I suggest making a function that works globally throughout the website, like this one.
The following code lets you discover ways to get rid of every possible SQL injection attack.



Now we need to call check_form_submission on each form submission. Please try to understand the logic behind the code: it checks all the GET and POST variables. You can modify the code according to your variable types, but it is fine as it is. Let me know if you have discovered something or want to share your experience with me.
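The escaping approach above and the global check_form_submission idea both try to sanitise the input before it reaches the query. The defence that removes the problem at its root is to keep the SQL text fixed and pass user values separately as bound parameters, so a quote in the input can never terminate the string literal. Here is an added example of that (not code from the original post or its author) showing the article's login query first in its vulnerable concatenated form and then as a prepared statement. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the table, columns and sample row are constructed for the example. Note that the mysql_* extension used in the post was removed in PHP 7, while PDO's prepare/execute calls work unchanged against MySQL.

```php
<?php
// Added example, not from the original post. Compares the article's login query
// built by string concatenation with the same query as a prepared statement.
// Runs against an in-memory SQLite database via PDO (no MySQL server needed).

function createSampleDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed table and row for this example. A real system stores a
    // password hash (see password_hash/password_verify), never the plaintext;
    // it is kept plain here only to mirror the article's query.
    $db->exec('CREATE TABLE user (username TEXT, password TEXT)');
    $db->exec("INSERT INTO user (username, password) VALUES ('ABC', '1234')");
    return $db;
}

// Vulnerable: user input is spliced straight into the SQL text, exactly as in
// the article's first query. A quote in the input rewrites the WHERE clause.
function loginVulnerable(PDO $db, string $user, string $pass): bool {
    $sql = "SELECT 1 FROM user WHERE username='$user' AND password='$pass'";
    return (bool) $db->query($sql)->fetchColumn();
}

// Hardened: the SQL text is fixed at prepare time; the values are sent as
// bound parameters and are compared as data, never parsed as SQL.
function loginPrepared(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT 1 FROM user WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return (bool) $stmt->fetchColumn();
}

$db = createSampleDb();
$injected = "' or '1'='1";   // the article's example password input

var_dump(loginVulnerable($db, 'ABCD', $injected));
var_dump(loginPrepared($db, 'ABCD', $injected));
var_dump(loginPrepared($db, 'ABC', '1234'));
```

Run with `php example.php` (the pdo_sqlite extension must be enabled). The concatenated version accepts the injected input for the non-existent user ABCD, because the clause becomes `password='' OR '1'='1'`; the prepared version rejects it, since the whole string `' or '1'='1` is compared against the password column as a literal, while the genuine credentials ABC/1234 still log in. No escaping function is needed in the prepared version, which is why this is the approach to use across the whole site rather than a per-form filter.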

Here is a list of SQL injection strings you can use to test:
"1 OR 1=1"
"1\' OR \'1\'=\'1"
"1\'1"
"1 EXEC XP_"
"1 AND 1=1"
"1\' AND 1=(SELECT COUNT(*) FROM tablenames); --"
"1 AND USER_NAME() = \'dbo\'"
"\\\'; DESC users; --"
"1\\\'1"
"1\' AND non_existant_table = \'1"
"\' OR username IS NOT NULL OR username = \'"
"1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype=\'U\'), 1, 1))) > 116"
"1 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype = \'U\' --"
"1 UNI/**/ON SELECT ALL FROM WHERE"
"%31%27%20%4F%52%20%27%31%27%3D%27%31"
"1' OR '1'='1"
