Want to Hire SQL Expert to Protect Against SQL Injections

16 replies
This is the problem without the identifying code:
Quote from HostGator Support:
"I regret you are experiencing an issue. Unfortunately, coding is beyond the scope of our support. SQL injection is a relatively old and well-known exploit; an experienced developer should be able to write code that avoids SQL injection vulnerabilities.

Individual SQL transactions are not logged, but by examining the URLs requested by the attacker a developer experienced with the software being used should be able to obtain some idea of what the attacker was able to do in certain situations.

For example, the request below was not successful but the portion of the URL that contains '1=1' is a common attempt to login to a site vulnerable to SQL injection without a password."

I have blocked a wide number of IP addresses but the attacker is probably using multiple proxies.
  • Willmarathon
    This is what I have learned so far from eHow:
    "
    1. Use MySQL Escape String
      • The "mysql_escape_string()" function takes a string input in PHP and outputs the string with any SQL special characters commented out so that they cannot harm the database. An example of its use is as follows:
        $newString = mysql_escape_string($inputString);
    2. Remove Single Quotes
      • Single quotes are characters in SQL that denote the start and end of fields, and can be the first step towards a SQL injection attack. Remove them from the input string as follows:
        // str_replace() takes (search, replace, subject); the listing as posted had the subject first
        $newString = str_replace("'", "", $inputString);
    3. Put an Escape Character in Front of Special Characters
      • Use the "str_replace()" function to put slashes in front of special characters. When a slash is in front of a special character, SQL will treat the special character as ordinary text. For example, you could use the following code to put a slash in front of any semicolons:
        $newString = str_replace(";", "\;", $inputString);
    4. Use Mysql Real Escape String
      • The "mysql_real_escape_string()" function is similar to the "mysql_escape_string()" function, except that it is used on binary data. The usage of this function is identical to the mysql_escape_string() function, as so:
        $newString = mysql_real_escape_string($inputString);
    "
  • Andrew H
    You need to be using PDO. PHP: MySQL (PDO) - Manual
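The '1=1' request quoted in the opening post, the eHow escaping steps posted above, and Andrew H's PDO advice come together in the following added example. It is the editor's code, not code from any poster on this thread, and it uses Python's sqlite3 module as a stand-in for PHP and MySQL: the point, that a query built by string concatenation is rewritten by its own input while a query with bound parameters is not, is the same in any language, and PDO's prepare()/execute() with ? placeholders is the PHP equivalent of the second function below. The members table, the one account in it and the attacker string are constructed for the demo; the password is stored in clear only to keep the example short.

```python
"""Added example (not from the thread): the 1=1 login bypass against a
string-built query, and the same input against a query with bound
parameters. Python's sqlite3 stands in for PHP + MySQL."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one members table with one account.
    A plain-text password is used only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO members VALUES (1, 'alice', 'correct-horse')")
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: the input becomes part of the SQL text, so a quote in the
    input ends the string literal and whatever follows is parsed as SQL."""
    sql = (
        "SELECT id FROM members WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fixed: the SQL text is constant; the values are bound separately and
    are never parsed as SQL. PDO prepare()/execute() does the same in PHP."""
    sql = "SELECT id FROM members WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run both logins with a real credential and with the attacker string."""
    conn = make_db()
    # Closes the literal, makes the WHERE clause always true, comments out the rest.
    payload = "' OR 1=1 --"
    return {
        "legit_concat": login_concat(conn, "alice", "correct-horse"),
        "attack_concat": login_concat(conn, payload, "anything"),
        "legit_param": login_param(conn, "alice", "correct-horse"),
        "attack_param": login_param(conn, payload, "anything"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

Run demo() and compare the four results: with concatenation the payload logs in as the first member without knowing any password; with bound parameters the very same payload is just a username that nobody has, and the login is rejected.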
  • Paul Moss
    Use a light-weight framework like CodeIgniter which offers protection from this.
  • Rennell Garrett
    There is one golden rule to prevent SQL injection: never trust users' input. Filter it like crazy. So, in PHP there are two ways to filter: one is PDO (PHP Data Objects) and then there is mysql_real_escape_string(); the choice is yours. To prevent XSS attacks you might also want to use htmlentities() and strip_tags().
  • SteveSRS
    Hi Will,

    There is nothing to 'install' nor 'get the code'. These are specific functions he mentioned that you will need to put in all your coding. However, as mentioned before, look at PDO and change all your code where you make database queries.

    Normally you would always make a wrapper for this so you only need to make changes in one place; however, I don't know your code, of course.

    Andrew already posted the manual for PDO; that would be your best solution.
    • Willmarathon
      Originally Posted by SteveSRS (the post above)
      The reason I wanted to hire someone is that I do not have the time to do all this well, while knowing I can verify that what I am doing is correct. I would probably need at least 10 hours just to read the manual twice. I do not have that time because I am in the middle of attempting to clone an old hard drive using TrueImage 14 to another drive that needs to be installed in the laptop before the imaging/cloning can take place. This is a new development with Acronis and I guess is to prevent users from running a cloning factory. I certainly did not plan to do that, but what you need to do now is to have the source drive as an external drive on a docking station and the destination drive installed in the laptop. Hope that helps someone.

      All 3 sites need to be redesigned because the people who designed them were idiots, i.e.:
      on one site, when I pay people it never records it in payments, so I can continue to pay people but no one will know;
      second, I need to have the whole format of the 2 front pages redesigned to reflect that there are good advertising opportunities inside and to highlight packages;
      third, on one site when I go to pay someone, it says I need to pay them $1 more than I actually owe them, so if I owe them $0.12, it says I need to pay them $1.12.

      There is an administrative forum website called Aurora Forum and it is run by the designer of these idiot sites, so can you understand why I wanted outside assistance.
  • Stardustpoint
    Did they inject into a forum page? To get user data.
  • Willmarathon
    Since I never had the time to get around to learning and implementing all this advice, and given the fact that the woman I lived with for 12 years died of liver cancer on May 2nd, when I try to log in either as Admin or as a user I get this response:
    Fatal error: Call to undefined function session_register() in /home1/websuces/public_html/2centspayout.us/members/login.php on line 112

    Any suggestions? Where do I go to find a really good, reliable PHP person who I can pay to help me clean this up? I am going to look in Boston MeetUp groups for PHP.
  • ProLogic101
    I'll tell you now: you will never stop SQL injections. I am a SQL expert and the best way for you to learn is to read up.
    • KalobTaulien
      Originally Posted by Andrew H View Post

      You need to be using PDO. PHP: MySQL (PDO) - Manual
      Use PDO or MySQLi (notice the i). Plain mysql functions are deprecated. But here's some quick sample code showing how to solve your SQL injection problem: (Apparently I can't post PHP script in here or [CODE] so you get regular text)
      --
      // $con is an open mysqli connection (from mysqli_connect()); table and column names are placeholders
      // Get the username from a POST login script. Escape it.
      $username = mysqli_real_escape_string($con, $_POST['username']);
      // The above will turn "That's a great idea" into "That\'s a great idea" so SQL injections aren't possible (but not special characters like the tick ` as well)

      // Query the database.
      // All values need to be stored as escaped content. That means extra slashes.
      // `table` is backquoted because TABLE is a reserved word in MySQL
      $query = mysqli_query($con, "SELECT firstname, lastname, status FROM `table` WHERE column2='$username' LIMIT 1") or die(mysqli_error($con));

      // Pull information from the database
      // Let's assume one row was found
      $user = mysqli_fetch_array($query); // this creates an array for the user information
      // Now we need to unescape it

      // Below will return "That's a great idea said {insert name}"
      echo stripslashes($user['status']) . " said " . stripslashes($user['firstname']);
      --
      One more thing you can do: for the username that connects to your database, remove unused controls. If you never drop tables, remove the drop control so that IF someone SQL injected your site, they cannot drop your tables.
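Kalob's listing escapes a value that sits inside quotes, which is exactly the case mysqli_real_escape_string() is built for. The added example below is the editor's code, not Kalob's, again in Python with sqlite3 standing in for MySQL (sqlite escapes a quote by doubling it where MySQL also accepts a backslash; the mechanism is otherwise the same). It shows two things the listing does not: escaping does nothing when the value is pasted in without quotes, as in WHERE id=$id, because the payload contains no quote to escape; and the database stores the original text, not the escaped text, so there are no "extra slashes" for stripslashes() to remove on the way out. The last function illustrates the point about a database account that cannot DROP: MySQL enforces that with GRANT on the account, and sqlite3's authorizer hook is used here purely as a stand-in. The table, rows and payloads are constructed for the demo.

```python
"""Added example (not from the thread): where quote-escaping works, where it
does not, what the database actually stores, and a connection that cannot
DROP. Python's sqlite3 stands in for PHP + MySQL."""
import sqlite3


def escape(value: str) -> str:
    """Escape a value for use INSIDE a quoted SQL string literal. This is the
    sqlite dialect (double the quote); mysqli_real_escape_string() does the
    same job for MySQL with a backslash. It is only meaningful between quotes."""
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two members."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [(1, "alice", "active"), (2, "bob", "banned")],
    )
    return conn


def ids_by_name_escaped(conn: sqlite3.Connection, username: str) -> list:
    """Escaped value inside quotes: the 1=1 payload stays inside the literal."""
    sql = "SELECT id FROM members WHERE username='" + escape(username) + "'"
    return [row[0] for row in conn.execute(sql)]


def ids_by_id_escaped(conn: sqlite3.Connection, user_id: str) -> list:
    """Escaped value in an UNQUOTED numeric context (WHERE id=$id in PHP).
    The payload has no quote, so escaping changes nothing and it runs as SQL."""
    sql = "SELECT id FROM members WHERE id=" + escape(user_id)
    return [row[0] for row in conn.execute(sql)]


def ids_by_id_param(conn: sqlite3.Connection, user_id: str) -> list:
    """Bound parameter: the whole input is compared as one value, never parsed."""
    sql = "SELECT id FROM members WHERE id=?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def stored_status(conn: sqlite3.Connection, status: str) -> str:
    """Escaping protects the query text only; the row holds the original
    string, so there is nothing to stripslashes() when reading it back."""
    conn.execute(
        "INSERT INTO members (username, status) VALUES ('carol', '" + escape(status) + "')"
    )
    return conn.execute("SELECT status FROM members WHERE username='carol'").fetchone()[0]


def drop_is_denied(conn: sqlite3.Connection) -> bool:
    """Least privilege: a connection that cannot DROP limits what an injection
    can do. MySQL does this with GRANT; the sqlite3 authorizer hook stands in."""
    def authorizer(action, arg1, arg2, db_name, trigger):
        if action == sqlite3.SQLITE_DROP_TABLE:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)
    try:
        conn.execute("DROP TABLE members")
    except sqlite3.Error:  # sqlite reports "not authorized" at prepare time
        return True
    return False


def demo() -> dict:
    conn = make_db()
    return {
        "quoted_attack": ids_by_name_escaped(conn, "' OR 1=1 --"),      # []
        "numeric_attack_escaped": ids_by_id_escaped(conn, "1 OR 1=1"),  # [1, 2]
        "numeric_attack_param": ids_by_id_param(conn, "1 OR 1=1"),      # []
        "stored": stored_status(conn, "That's a great idea"),           # "That's a great idea"
        "drop_denied": drop_is_denied(conn),                            # True
    }
```

The numeric case is the one that bites people who believe escaping alone is enough: "1 OR 1=1" passes through escape() untouched and returns every member, while the bound-parameter version returns nothing because no id equals that string.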
  • bjadams
    There are many frameworks today that do the heavy lifting for you so you don't have to reinvent the wheel.

    CodeIgniter is simple and easy to learn, and Zend Framework is a bit more difficult to learn but is more robust.
