Old 10-20-2008, 04:38 AM  
StuartD
Sofa King Band
Join Date: Jul 2002
Location: Outside the box
Posts: 29,903
Strangely enough, I had just made a thread on another board about MySQL injection as someone was attempting it on ATKCash.com over the weekend. Their attempt failed.
This won't help you sort out your data, but perhaps it'll help in preventing it from happening again.


What is MySQL Injection?
MySQL injection happens when a user enters values into a form that look like a MySQL query. I'll use examples that someone has just tried on ATKCash.com's "forgot password" form.
This hacker entered this into the box as his email address:
admin";+UPDATE+affiliates+SET+password+=+'123'+WHERE+username+="admin

What this does is make the overall MySQL in my code look something like this:
WHERE username = 'admin";+UPDATE+affiliates+SET+password+=+'123'+WHERE+username+="admin'

This hacker is hoping that his code would alter my query to set the password for user 'admin' to 123 and presto, he'd have access as an admin.

Not overly complicated, but in many cases, it does work.

How to prevent this
I don't expect you all to be coders, but even so, this is something that you CAN ask your programmer about, or check into scripts you buy/use. This is important as it's an easy in to your servers/scripts.

If you are a programmer, or have a programmer that is open to suggestions... or you have some other way of having these things done, here's what to consider.

1. Always have MySQL errors sent to you by email. 99% of these attempts will result in errors until they find the one that works. You won't even know that this is happening unless you're made aware of MySQL errors.
For me, I have the full query, the mysql error, the location/script name that it happened on and the IP address of the person who attempted it sent to my email address when it happens.

2. Have your MySQL errors display a very BASIC output on the screen: "Database error has occurred". Do NOT give them any more information than that; they may try to use it against you. What you should also include is their IP address. There's a real good chance they don't have a static IP, or are using a proxy... however, showing them their own home # sometimes puts them off from drawing even more attention to themselves by running errors over and over again.

3. If you can, or coder can... have certain characters and keywords NOT be allowed in any form input. UPDATE, INSERT, WHERE, ALTER, USERNAME.... many of these can be set as "reserved" words, or simply not allowed, and you can have people enter something else. It's a little tougher to do if you allow big textareas of text to be entered but for the security, it may be worth annoying a user or two.

4. Don't use standard names when possible. Use "user_username" or something, so you still know what it is, but that query alteration of "username = 'admin'" obviously wouldn't work since that field name doesn't exist. Also, never have any users named "admin", or "test" or anything else that's obvious.

5. mysql_real_escape_string is your friend. It will replace quotes and other special characters with SAFE characters that will be entered into the database, not used by the database. However, this is not a guarantee... there are ways around it. Use this method but also use all the other methods to ensure maximum safety.

6. Always have (int) preceding your IDs or other numeric fields. mysql_real_escape_string will not have much bearing on a numeric ID, so instead, force PHP to only use a number with (int)$_POST['id']. It will strip out all the bad stuff for you.

7. Use Google. Research. "MySQL injection" will give you a lot of results. And will give you many more examples and many more ways to prevent it.

Summary
This kind of attack is pretty basic, and super easy for a wannabe hacker.... but it's still very important to consider. Don't put it off as something minor, because anyone can take 5 minutes to learn this and cause you a world of headaches. Brute forcing and DDoSing a server, finding holes, implanting trojans... this stuff takes more effort. Think about it.
Prevent the easy to do stuff just as much or more as the hard to do stuff because there's WAY more people that can do the easy stuff.

I need to protect ATKCash's affiliates.... I want to help protect you too. Don't take this kind of thing for granted.
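The following is an added worked example; it is not part of StuartD's post and not ATKCash.com's code. It replays the post's "forgot password" scenario in Python with SQLite standing in for MySQL: the `affiliates` table, its two rows, the script name `forgot_password.php` and the client IP are all constructed for the demo. `forgot_password_vulnerable` concatenates the field into the query the way the post describes, feeds it the post's exact payload (which fails with a syntax error, as it did on the real site) and records query, error, script and IP the way point 1 recommends. It also goes beyond the post with a constructed variant, `' OR 1=1 --`, that does break out of a single-quoted string, to show that the concatenation itself is the hole. `forgot_password_safe` binds the value as a parameter, which is what `mysql_real_escape_string` approximates by escaping quotes, and `strict_int` is a stricter stand-in for the `(int)` cast of point 6.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed payload: the string from the post, as it arrives in the
# "forgot password" e-mail field ('+' is the form encoding of a space).
PAYLOAD_RAW = 'admin";+UPDATE+affiliates+SET+password+=+\'123\'+WHERE+username+="admin'

# Constructed variant (not from the post) that really does break out of a
# single-quoted string literal.
PAYLOAD_BREAKOUT = "' OR 1=1 --"


def build_db():
    """Hypothetical affiliates table with constructed rows (SQLite stands in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE affiliates (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO affiliates (username, email, password) VALUES (?, ?, ?)",
        [("admin", "admin@example.com", "s3cret"), ("bob", "bob@example.com", "hunter2")],
    )
    conn.commit()
    return conn


# Point 1 of the post: keep the full query, the error, the script and the client IP.
ERROR_LOG = []


def log_db_error(query, error, script, ip):
    ERROR_LOG.append({"query": query, "error": error, "script": script, "ip": ip})


def forgot_password_vulnerable(conn, email_field, ip="203.0.113.5"):
    """String-concatenated query: whatever the user typed becomes part of the SQL."""
    email = unquote_plus(email_field)
    query = "SELECT username FROM affiliates WHERE email = '" + email + "'"
    try:
        return [row[0] for row in conn.execute(query)]
    except sqlite3.Error as exc:
        # Point 2: the user only sees "Database error has occurred";
        # the detail goes to the log (script name and IP are constructed).
        log_db_error(query, str(exc), "forgot_password.php", ip)
        return None


def forgot_password_safe(conn, email_field):
    """Parameterised query: the value is bound, never parsed as SQL."""
    email = unquote_plus(email_field)
    rows = conn.execute("SELECT username FROM affiliates WHERE email = ?", (email,))
    return [row[0] for row in rows]


def strict_int(value):
    """Point 6 of the post: force numeric IDs to an integer before use.
    Stricter than PHP's (int) cast, which keeps the leading digits and
    silently drops whatever follows; here anything non-numeric is rejected."""
    if not re.fullmatch(r"-?\d+", value.strip()):
        raise ValueError("not an integer: %r" % (value,))
    return int(value)


def affiliate_by_id(conn, raw_id):
    try:
        aff_id = strict_int(raw_id)
    except ValueError:
        return None
    row = conn.execute("SELECT username FROM affiliates WHERE id = ?", (aff_id,)).fetchone()
    return row[0] if row else None


def admin_password(conn):
    """Lets a caller confirm the attempted UPDATE never ran."""
    return conn.execute("SELECT password FROM affiliates WHERE username = 'admin'").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print(forgot_password_vulnerable(db, PAYLOAD_RAW))       # None: syntax error, logged
    print(ERROR_LOG[-1]["query"])                            # the query the post shows
    print(forgot_password_vulnerable(db, PAYLOAD_BREAKOUT))  # every username leaks
    print(forgot_password_safe(db, PAYLOAD_BREAKOUT))        # nothing matches
    print(affiliate_by_id(db, "2 OR 1=1"))                   # rejected before the query
```

The logged query for the post's payload is the one the post shows, and the admin password is unchanged afterwards, because the quotes in `'123'` terminate the string literal early and the statement never parses. The breakout variant returns every username from the concatenated version and an empty list from the bound version with no code change other than the placeholder.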