Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 7 years ago.
Improve this question
I just wanted to ask a quick question about $_GET parameteres in php and the security of them. Although my get parameter is not visibily shown, it is in my url. I just wondered is there any extra steps I can take to make it even more secure?
I have a $_GET variable named page that determines what page their on, and its got a reqrite rule to check for the first word after slash
I know before you should use mysql_real_escape_string but that is now deprecated and will be removed in the future?? And updated way..
Example: http://example.com/pagehere
Would be passed as... http://example.com/index.php?page=pagehere
location / {
rewrite ^/(|/)$ /index.php?page=$1;
rewrite ^/([a-zA-Z0-9_-]+)(|/)$ /index.php?page=$1;
rewrite ^/(.*)\.htm$ /$1.php;
}
Just keep in mind that any incoming data from the user-end is not safe ever, so always take necessary steps to ensure it won't cause any problems in your system, as far as DB queries are concerned, ALWAYS use PHP PDO class to do your DB related tasks, using Prepared statements will nullify any SQL injection attacks, read more about prepared statements here - http://php.net/manual/en/pdo.prepared-statements.php
Using GET variables is not an issue if you handle it properly, when you read the data from $_GET you can use htmlspecialchars() to clean the data of any malicious code. Some useful information here - https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
More information on how to use PDO to prevent SQL injection - How can I prevent SQL injection in PHP?
What is the parameter going to be used for? You should use filter input functions. If it's going to be used to query a databse, also use prepared statements. See http://php.net/manual/en/function.filter-input.php and http://php.net/manual/en/pdo.prepared-statements.php. Basically you need to sanitize the query string otherwise you leave the door open for possible exploits (server side inclusion attacks, sql injection, etc).
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 4 years ago.
Improve this question
I've heard a lot about SQL injection and also read a lot of good answers in other topics.
So I want to make sure I'm not vulnerable.
What if I encrypt all user input (wanted to do that anyway - using openssl) before inserting it into my mysql database?
Wouldn't it be an easy and safe way for a beginner to avoid sql injection?
I would not recommend encrypting everything just sensitive data. To prevent SQL Injection it is far more effective using proper request and input validation along with proper escape sequences and save yourself the headache of your application performance being hindered with every database transaction. Most of the time when you want to prevent prying eyes you use 1 way encryption on things such as a password. But if you are saving things such as credit cards and such its wise to follow the standardized security for credit card encryption. Encryption is good but over using it can cause far more problems than it saved you from. So think about what data is important and should be encrypted and then consider if it should be 1 way encryption or 2 way. But the most importantly is validation and never trusting the user input or the application request.
Please use
JSON Web Token
Write Stored Procedures in order tot encapsulate your TSQL query
SET DEFINE OFF will stop to prevent hackers use & for injection
Try to define parameters for queries like SqlCommand()
For know more about avoiding injection please read SQL Injection Prevention
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
I have to pass parameters throught my pages. For exemple ids of my database.
Is it a good idea to do so: www.example.com?id=10
Or have I to hash the parameter:
www.example.com?id=b1d5781111d84f7b3fe45a0852e59758cd7a87e5
It is really important to hash this one?
Thanks
Best regards
There is no need to hash Id's in query string. Yes it is visible to everyone but it's a common use. you should verify in your server side that this parameter cannot harm your application
How are you able to trace back the id for that specific hash? You will create a bottleneck if you need to get all your database id's and hash those to find your matching record.
Using id's in urls are commonly used, just dont put any sensitive data in your urls to protect your visitors (and yourself).
Also note that every visitor is evil. Always validate incomming data and do some proper error handling incase someone is messing around with the urls.
Ids are ok but I think the spirit of this question may be the result of a very real concern.
As others have said, you should expect evildoers to be using your site. Of particular concern with poorly design web applications, are SQL injection attacks. The ids themselves aren't an issue but if your backend is building a string of SQL, you could have issue. For example if your PHP code is taking that parameter and creating this SQL:
SQL = 'select * from product where id ='.$_GET['id']
Executing this SQL would be a major issue if someone changed their browser to call this page:
/product.php?id=1;DELETE FROM USERS;--
...you could end up with an empty database table.
Every language has its own way of protecting from this kind of thing, so make sure you are doing it the right way. For example, see this SO question How can I prevent SQL injection in PHP?
See https://www.owasp.org/index.php/SQL_Injection for more info
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I am coding a social debating application, and I am worried about the security of prepared statements. Why does it bother me so much? Because social networks take massive amounts of user data and some may be malicious.
I just want to know if MySQLi's prepared statements feature enough to protect from the most common types of SQL injection. This has probably been asked before somewhere on the web, but, with the massive amount of outdated information in the net, it is very hard to know if there's been anything found about it.
I've heard various exploits on PDO, for example, yet some sites say there's no exploits. That's where confusion comes in. I understand that many exploits are found each day. But at least to protect from the most popular exploits.
And, if there are any additional methods of protecting SQL queries, please point them out in your answer.
Prepared statements are a good way to prevent MySQL injection. But what about XSS attacks? Those queries do not prevent users from submitting HTML or JavaScript code. If you don't take additional steps, they will simply alter your HTML code (if you output raw database results) and injected links to unwanted sites.
About Prepared Statements:
Prepared statements prevent any input from leaving its scope as a variable. That said every "ending quote" or such would be escaped and made harmless.
SQL injection is nearly impossible. But ... who said, that the native prepared statement is enough? if you trust your native prepare methods. OK. If not, try to break it yourself. Write test cases to proof, that most basic and maybe some more complex cases can not break your prepare statement methods.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
I am using following code lines in order to protect injections or the like for login via PHP script. Kindly let me know will it be enough to be safe from the attack or I have to add some more lines to make the code more secured.
// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
Using any mysql_* functions is not entirely secure. That family of functions is now deprecated.
You should look at using MySQLi or PDO with prepared statements for the absolute security...
In theory that should be safe enough, however there are still several problems with it.
mysql_real_escape_string is deprecated - you should not use them, but a prepared statement.
You are not hashing the password - it is not a good idea to store plain text passwords, as if the database is compromised, they will all be immediately known. PHP has a dedicated password_hash function which you can use instead.
Why are you stripping slashes? If you are expecting the input username might contain slashes, then you are missing a validation step somewhere else. In general, it is better to use whitelists than blacklists - i.e. instead of trying to strip out bad characters, have a list of good characters and only allow those. That way you can secure your username/password with something simple, like preg_replace('#[^a-bA-B0-9]#', '', $username)
If you know what you are doing, mysql_* functions are still good to use, though they have been deprecated. Just be sure you don't let in a injection vulnerability. mysql_* functions are deprectated because it is too easy to let such vulnerabilities in. Other function libraries such as mysqli_* and PDO_* allow for parameterized queries, that makes it easier to write secure code.
Be aware off course that you have absolutely no guarantee that deprecated functions will still exist in newer versions of PHP.
They lines you stated are too much. Only mysql_real_escape_string() is needed. You can remove strip_slashes().
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
I don't understand, I transferred my files to new hosting and now I can get SQL injection, even if I use mysql_escape_string or addslashes. Before that, I never could get an SQL injection. What's wrong? Please help, I am going crazy.
edit: There is no SQL injection if I use ", but it gives SQL injection, if I use '. My head will explode really soon...
I thinks that mysql_real_escape_string is the function you want to use to protect your application from SQL injection....
Also make sure magic quotes are off...
It is very hard to craft code that escapes/sanitizes inputs to a point where they would be safe to submit directly to a SQL database. What you really should do to make use of Parameterized Queries in your code for all interactions with your database. This allows your database to determine what should be considered "command" and what should be considered "data" so that injected SQL into the "data" will still be seen at data.
Read more at OWASP's excellent discussion about this topic.
You may have had insecure code at the old host, and you just didn't know about it until you put the code at the new host, and people started attacking it there for whatever reason.