
My question is how to be as annoying as possible to someone trying to do a SQL injection. I probably did not really express right what I was trying to do and looking for in what I wrote below.

Thanks to everyone for your help in advance. I am trying to learn MySQL. I was going to set up a database to practice with, but I was on here reading and looking for examples, and kept seeing people saying they were going to get an SQL injection.

I have been reading about this for a while now, and I'm getting more confused the more I read. I have decided to go with PDO to prevent this, even though from what I read it's the prepared statements that make it safe, and I will still have to whitelist it.

My question is if someone can give beginners like myself a setup we can use that will be pretty effective at stopping these attacks. From what I understand it seems almost impossible to stop them; I saw someone say something about DNS being the only sure way. I would like to learn to do this the right way even though I probably don't need too much security right now.

If I'm not wrong, they can still use blind injections even if you use PDO. If so, I was thinking of adding a delay of 2-5 seconds or something like that. I don't know if that would be too much on the user end; I'm just learning and have no real-world experience.

Also, the type of things I will be doing will probably be very basic for now... mom & pop type stuff. If I build someone a site with a user name and password I don't want them to get these attacks; I just don't like it. So if it is a little slow but more secure, I would like to at least be able to give them that option. My thinking is to be really annoying to them and hopefully make it not worth it.

From what I read, the length of the table names or user names can also make it harder for them, say using phrases instead of just 6-8 letters.

Also, I think least privilege will help as well, but it seems there is always a way around everything, and if you're new and don't know exactly what you're doing, you're going to be vulnerable.

I have copied code from somewhere that I was going to adapt for my needs, but I really have not tried to put together what I'm looking for yet; I'm still in the reading and learning phase.

<?php

// dBug is a third-party pretty-printer, used here only to display the result.
require_once "dBug!.php";

// Connection details were left blank in the post; fill in host, dbname, user and password.
$dsn = "mysql:host=";
$user_name = "";
$pass_word = "";

// Make PDO throw on errors instead of silently returning false, and use real
// server-side prepared statements so bound values are never merged into the SQL text.
$connect = new PDO($dsn, $user_name, $pass_word, array(
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
));

// No user input is part of this query, so there is nothing here to inject into.
$sql = "SELECT * FROM books WHERE id <= 10";

$result = $connect->prepare($sql);
$status = $result->execute();

// rowCount() on a SELECT is driver-dependent; the MySQL driver does report it.
if ($status && $result->rowCount() > 0)
{
    $results = array();

    while ($row = $result->fetch(PDO::FETCH_ASSOC))
    {
        $results[] = $row;
    }

    new dBug($results);
}

// Closing the connection.
$connect = null;

?>
Phil Famme
    Please break your massive wall of text into sensible paragraphs. That is super hard to read. – user229044 Sep 16 '13 at 02:08
  • I don't know PHP or PDO very well, but SQL injection will not be a problem for the example you have here. SQL Injection generally happens when you are parsing something into SQL that you don't know (a variable). In your example you always know the query being run `SELECT * FROM books WHERE id <= 10`. Check out http://www.troyhunt.com/2013/07/everything-you-wanted-to-know-about-sql.html for an intro to SQLi – Greg Sep 16 '13 at 02:10
  • You may like to view my webinar (free, but requires registration): [SQL Injection Myths and Fallacies](http://www.percona.com/webinars/2012-07-25-sql-injection-myths-and-fallacies). Also another webinar by my colleague: [MySQL Security: Armoring Your Dolphin](http://www.percona.com/resources/mysql-webinars/mysql-security-armoring-your-dolphin). – Bill Karwin Sep 16 '13 at 02:41
  • @Bill Karwin thank you for the edit, but marked as duplicate. – Phil Famme Sep 16 '13 at 02:44
  • I will check it out, thank you. I read a lot of your answers on here. – Phil Famme Sep 16 '13 at 02:45
  • Parameterized query http://www.codeproject.com/Articles/11020/SQL-injection-attacks – Suraj Singh Sep 16 '13 at 05:40
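What the setup asked about looks like in practice, as an added example that is not code from the question or its comments: a query built by string concatenation beside its parameterised form, plus the whitelist that covers the one thing parameters cannot, namely identifiers such as an ORDER BY column. The DSN, the `shop_app` credentials and the `books(id, title, author)` table are assumptions.

```php
<?php
// Added example (not from the question or its comments): parameterised
// queries with PDO, and whitelisting for identifiers that cannot be bound.
// Assumptions: a MySQL server reachable with the DSN below and a table
//   books(id INT, title VARCHAR(200), author VARCHAR(100)).
// Host, database name and credentials are placeholders.
declare(strict_types=1);

$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=shop;charset=utf8mb4',
    'shop_app',
    'app-password',
    [
        // Throw on error instead of silently returning false.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepared statements: values are sent separately
        // from the SQL text and are never parsed as SQL.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// VULNERABLE: user input is pasted into the SQL text. An input such as
//   ' OR '1'='1
// changes the query's logic, and a time-based blind payload such as
//   ' OR SLEEP(5)--
// works just as well. Quoting by hand is easy to get wrong.
function findByAuthorUnsafe(PDO $pdo, string $author): array
{
    $sql = "SELECT id, title FROM books WHERE author = '" . $author . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed and the value travels as a bound parameter.
// Whatever the user typed is compared as a string, never executed as SQL.
function findByAuthor(PDO $pdo, string $author): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM books WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers (table and column names) and keywords cannot be bound, so this
// is where the "whitelist" the question mentions applies: map the user's
// choice onto a fixed set of allowed values and refuse anything else.
function listBooksSorted(PDO $pdo, string $sortBy, string $direction): array
{
    $allowedColumns    = ['id' => 'id', 'title' => 'title', 'author' => 'author'];
    $allowedDirections = ['asc' => 'ASC', 'desc' => 'DESC'];
    $direction = strtolower($direction);

    if (!isset($allowedColumns[$sortBy]) || !isset($allowedDirections[$direction])) {
        throw new InvalidArgumentException('invalid sort parameter');
    }

    // Only values from our own lists ever reach the SQL text.
    $sql = sprintf(
        'SELECT id, title, author FROM books ORDER BY `%s` %s LIMIT :limit',
        $allowedColumns[$sortBy],
        $allowedDirections[$direction]
    );
    $stmt = $pdo->prepare($sql);
    // LIMIT must be bound as an integer; a quoted string would be rejected.
    $stmt->bindValue(':limit', 50, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with a hostile value: the safe variant simply finds no such author.
var_dump(findByAuthor($pdo, "x' OR SLEEP(5)-- "));
var_dump(listBooksSorted($pdo, 'title', 'desc'));
```

Two caveats worth knowing before adding delays or long table names. Blind and time-based injection are ways of reading results out of an injection point that already exists; with bound parameters there is no such point, so an artificial delay only slows down legitimate users. Obscure table names do not help either: once an attacker can inject, the names are one query against `information_schema` away.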

1 Answer


The best way to stop SQL injection attacks is with stored procedures. For this to work, the stored procedures need to be written so that user input is not submitted as SQL code, but rather as values for variables in the SQL statement that already exists on the server.

  • @John Conde, jprofitt, meagar, Mike W, Shivan Raptor I have not seen any questions on here with what I asked for in one answer. Time delay, least privilege, very long passwords, PDO, whitelisting. And in most of the questions the answers were all over the place. – Phil Famme Sep 16 '13 at 02:20
  • What good are you doing marking it as a duplicate? You guys act like there is way too much info on this subject out there. – Phil Famme Sep 16 '13 at 02:24
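The answer's approach carried through end to end, as an added example that is not the answer's own code: a MySQL stored procedure whose SQL text is fixed on the server, called from PDO with the user's value bound as a parameter, and a web account that is granted nothing but EXECUTE on that procedure, which is also the least-privilege piece the question asks about. The database name `shop`, the `shop_admin` and `shop_app` accounts, their passwords and the `books` table are assumptions.

```php
<?php
// Added example (not the answer's own code): routing user input through a
// MySQL stored procedure so it only ever reaches the server as a parameter
// value, and granting the web account nothing beyond EXECUTE on it.
// Assumptions: MySQL 5.7+, PHP 7+ built with mysqlnd, a database `shop` with
//   books(id INT, title VARCHAR(200), author VARCHAR(100)),
// and two accounts: `shop_admin` (setup only) and `shop_app` (the web app).
// Hostnames, account names and passwords are placeholders.
declare(strict_types=1);

$options = [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
];

// ---- one-time setup, run by an administrator, never by the web application ----
$admin = new PDO('mysql:host=127.0.0.1;dbname=shop;charset=utf8mb4',
                 'shop_admin', 'admin-password', $options);

// The SQL text lives on the server and never changes; p_author is a typed
// IN parameter, so whatever the caller passes is compared as a string.
$admin->exec('DROP PROCEDURE IF EXISTS books_by_author');
$createProcedure = <<<'SQL'
CREATE PROCEDURE books_by_author(IN p_author VARCHAR(100))
    SQL SECURITY DEFINER
    READS SQL DATA
BEGIN
    SELECT id, title FROM books WHERE author = p_author;
END
SQL;
$admin->exec($createProcedure);

// Least privilege: the application account may run this one procedure and
// nothing else. It has no SELECT on books, let alone INSERT/UPDATE/DROP, so a
// successful injection somewhere else in the app has very little to work with.
$admin->exec("CREATE USER IF NOT EXISTS 'shop_app'@'localhost' IDENTIFIED BY 'app-password'");
$admin->exec("GRANT EXECUTE ON PROCEDURE shop.books_by_author TO 'shop_app'@'localhost'");

// ---- application side, connecting as the low-privilege account ----
$app = new PDO('mysql:host=127.0.0.1;dbname=shop;charset=utf8mb4',
               'shop_app', 'app-password', $options);

function booksByAuthor(PDO $pdo, string $author): array
{
    // Still a prepared statement: the argument is bound, not concatenated.
    $stmt = $pdo->prepare('CALL books_by_author(:author)');
    $stmt->execute([':author' => $author]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    // CALL yields an extra, empty result set after the rows; discard it so the
    // connection is free for the next statement.
    $stmt->closeCursor();
    return $rows;
}

// A hostile value is just an author name nobody has.
var_dump(booksByAuthor($app, "x' OR '1'='1"));
```

The protection comes from the procedure body being static. A procedure that assembles its own query with PREPARE ... FROM CONCAT(...) is string concatenation moved to the server and is injectable in exactly the same way. SQL SECURITY DEFINER means the procedure runs with its creator's rights, so create it from an account that itself only has what the procedure needs, not from root.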