
Today I checked my script with Acunetix and found a "Blind SQL injection" in one of my files.

Acunetix message:

Attack details

HTTP Header input x-forwarded-for was set to 1' and sleep(2)='

How to fix this vulnerability:

Your script should filter metacharacters from user input. Check detailed information for more information about fixing this vulnerability.

I have escaped all input with the mysql_real_escape_string() function, but the error still exists.

I tried to filter this header in my file with this code:

```php
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    // The escaped value has to be kept and used; a bare call discards its return value.
    // addslashes() on top of mysql_real_escape_string() would double-escape, so only one is used.
    $forwardedFor = mysql_real_escape_string($_SERVER['HTTP_X_FORWARDED_FOR']);
}
```

But it doesn't work. Please help!

progfa
    possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Lawrence Cherone Sep 09 '13 at 12:54

2 Answers


It's better to use a PDO prepared statement to prevent SQL injection than to try to create your own "scripts"; just escaping characters is not enough to prevent SQL injections.

Have a look here for PDO prepared statements: http://php.net/manual/en/pdo.prepared-statements.php

Freelancer

Most likely your application utilizes some sort of flawed function "to determine visitor's IP address."

Leaving aside the fact that using HTTP_X_FORWARDED_FOR for this purpose is wrong, most likely it explains why your awkward escaping doesn't work.

It seems that the system takes the IP address into some variable before you escape it. And then this variable goes into the query, while you are escaping the harmless XFF.

And here goes the real explanation of why you ought to use prepared statements: because they format exactly the proper value, right where it should be. There is no way to slip up with too-early escaping.

Your Common Sense
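To make both answers concrete, here is an added example (not code from the question or from either answer) that puts the pattern the second answer describes, a header read into a variable and spliced into SQL, beside a PDO prepared statement as the first answer recommends. It assumes a hypothetical visitor-log table `visits(ip TEXT)` and uses an in-memory SQLite PDO connection so it runs offline; the request array and header values are constructed.

```php
<?php
// Assumed table: visits(ip TEXT). In-memory SQLite stands in for MySQL.

function clientIp(array $server): ?string
{
    // X-Forwarded-For is only meaningful behind a proxy you control;
    // otherwise REMOTE_ADDR is the one value the client cannot set.
    $candidate = $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'] ?? '';
    // XFF may carry a comma-separated chain of hops; take the first one.
    $candidate = trim(explode(',', $candidate)[0]);
    // Validate the shape before the value goes near a query or a log line.
    return filter_var($candidate, FILTER_VALIDATE_IP) === false ? null : $candidate;
}

// The pattern the scanner flags: the raw header is interpolated into SQL text,
// so escaping applied to a different copy of the header elsewhere changes nothing.
// Returned as a string here, never executed, to show the splice.
function vulnerableSql(array $server): string
{
    $ip = $server['HTTP_X_FORWARDED_FOR'];
    return "INSERT INTO visits (ip) VALUES ('$ip')";
}

// Hardened version: the value travels as a bound parameter, never as SQL text,
// and is validated first so junk is rejected instead of stored.
function logVisit(PDO $pdo, array $server): bool
{
    $ip = clientIp($server);
    if ($ip === null) {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO visits (ip) VALUES (:ip)');
    return $stmt->execute([':ip' => $ip]);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE visits (ip TEXT NOT NULL)');

// Constructed request carrying the scanner's probe quoted in the question.
$server = ['HTTP_X_FORWARDED_FOR' => "1' and sleep(2)='", 'REMOTE_ADDR' => '203.0.113.5'];

echo vulnerableSql($server), PHP_EOL;   // the probe lands inside the SQL string
var_dump(logVisit($pdo, $server));      // rejected by filter_var, nothing stored

// Constructed well-formed header with a proxy chain.
$server['HTTP_X_FORWARDED_FOR'] = '198.51.100.7, 10.0.0.1';
var_dump(logVisit($pdo, $server));      // stored through the bound parameter
var_dump($pdo->query('SELECT COUNT(*) FROM visits')->fetchColumn());
```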