09-21-2010, 02:52 AM
roly
Confirmed User
 
Join Date: Aug 2002
Posts: 1,844
Quote:
Originally Posted by Zyber
Using mysql_real_escape_string() is a good start but it is far from being enough. Next you should make sure that you use ' around all values in SQL, both strings and numbers. Remove words such as UNION, SELECT, DROP, LOAD, BENCHMARK # -- /* and so on.

There are so many possible ways of injection that it is close to impossible to make it really bulletproof.

You should make a read-only SQL user with only read rights (for that particular database) which you use for your SELECT statements.

Never use the root mysql user.

Then have one user with write-only rights for UPDATE. Delete-only for DELETE. etc

If you are even more paranoid you could lock certain SQL commands to certain tables to mitigate the potential damage.

Doing this approach with multiple sql-connections can be difficult on premade scripts.

I am sure there are many more things to do. But for sure you are not protected if you only rely on that PHP code.

Maybe someone else can chime in with more and better suggestions.
A big thanks for everyone's input, it's a huge help.

I've got a lot of sites using variations of this (very old) script. It's not supported anymore and I don't have the time to find an alternative and switch to that, so I've just got to try and patch it up as best as possible. They were using something along the lines of this to hack the script:

Code:
page.php?id=-999999999+union+select+concat(login,0x3a,password),1,2,3,4,5+from+adminlogin/
So if I implement some of the recommendations above and also remove union, select, etc. as well, hopefully I should be a bit safer.
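The payload quoted above works because the script drops the raw `id` query-string value straight into the SQL text, so a leading `-999999 union select ...` becomes part of the statement. As an added example (not code from the thread or from the script being patched), here is the same lookup written with input validation, a bound parameter, and the read-only database account Zyber suggests. The table name, column names, DSN and credentials are placeholders.

```php
<?php
// Added example, not from the thread. Table/column names and credentials are placeholders.

// Vulnerable pattern, shown only to illustrate what the quoted payload exploits:
// the raw query-string value is concatenated into the SQL text, so the value
// is parsed as SQL rather than treated as a number.
function vulnerable_query(string $rawId): string
{
    return "SELECT title, body FROM pages WHERE id=" . $rawId;
}

// Hardened lookup: reject anything that is not a positive integer, then pass
// the value as a bound parameter so the driver never interprets it as SQL.
function fetch_page(PDO $db, $rawId): ?array
{
    // 1. Type check before the database ever sees the value.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // 2. Prepared statement with a bound parameter instead of string concatenation.
    $stmt = $db->prepare('SELECT title, body FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Least privilege: connect with an account that can only SELECT on this
//    database, created with something like (placeholder names):
//      GRANT SELECT ON site.* TO 'site_readonly'@'localhost';
//    Emulated prepares are disabled so binding is done by the MySQL server.
$db = new PDO(
    'mysql:host=localhost;dbname=site;charset=utf8mb4',
    'site_readonly',   // placeholder read-only user
    'REPLACE_ME',      // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$page = fetch_page($db, $_GET['id'] ?? '');
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}
// Escape on output as well, so stored content cannot inject HTML.
echo htmlspecialchars($page['title'], ENT_QUOTES, 'UTF-8');
```

Two points worth noting for anyone patching an old script the same way: stripping keywords such as UNION or SELECT from input is a blacklist that is easy to bypass through casing, comments or encoding, whereas a bound integer parameter cannot change the shape of the query at all; and the read-only account limits the damage if a page that was missed still has an injectable query, since that connection cannot UPDATE, DELETE or read tables it was not granted.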