
I had a client's site and I was trying to stop MySQL injection on it. The code is so messed up (it wasn't coded by me) that I can't use PDO, so I tried mysql_real_escape_string(), but it is also not stopping the attack; according to my research it only works when the MySQL DB structure is in UTF8. So I tried to stop the attack manually and wrote this code:

```php
<?php
// Strip everything except letters, digits, dots and spaces from every
// request parameter, then substitute 1 for any value that ends up empty.
$input = $_REQUEST;
foreach ($input as $key => $value) {
    $input[$key] = preg_replace("/[^A-Za-z0-9\. ]/", "", $value);
    if ($input[$key] == '') {
        $input[$key] = 1;
    }
}
```

I limited it to only alphanumeric and a few other characters for chatting purposes, but this is also not preventing the attack: when I ran the vulnerability scanner again it said the GET value was set to 6%c0%00xa7%c0%a2, which prompted the SQLi error again. It's a HEX value that was converted to 6xa7. Is there any better approach to stop this attack?
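The alternative to filtering characters is to keep user data out of the SQL text altogether. The block below is an added example, not the question's own code: a mysqli prepared statement (mysqli rather than PDO, since PDO is ruled out above). The connection credentials and the `messages` table with columns `id`, `room` and `body` are assumed placeholders.

```php
<?php
// Added example: mysqli prepared statements instead of regex "sanitising".
// Connection parameters and the `messages` table are placeholders (assumed).
$db = new mysqli('localhost', 'app_user', 'app_password', 'chat_app');
if ($db->connect_error) {
    die('Connection failed: ' . htmlspecialchars($db->connect_error));
}

// Declare the real connection charset. mysqli_real_escape_string() escapes
// according to this setting, so it must match what the client sends;
// with prepared statements the data is not escaped into SQL at all.
$db->set_charset('utf8mb4');

// Inputs are taken from the request untouched; no character stripping needed.
$room = isset($_GET['room']) ? $_GET['room'] : '';
$text = isset($_POST['text']) ? $_POST['text'] : '';

// The SQL text is fixed. User data travels separately as bound parameters,
// so nothing in $room or $text can change the statement's structure.
$stmt = $db->prepare('INSERT INTO messages (room, body) VALUES (?, ?)');
if ($stmt === false) {
    die('Prepare failed: ' . htmlspecialchars($db->error));
}
$stmt->bind_param('ss', $room, $text);   // 's' = string, one per placeholder
$stmt->execute();
$stmt->close();

// Reading back uses the same pattern: the room name is bound, never interpolated.
$stmt = $db->prepare('SELECT body FROM messages WHERE room = ? ORDER BY id DESC LIMIT 20');
if ($stmt === false) {
    die('Prepare failed: ' . htmlspecialchars($db->error));
}
$stmt->bind_param('s', $room);
$stmt->execute();
$result = $stmt->get_result();          // requires mysqlnd; otherwise use bind_result()
while ($row = $result->fetch_assoc()) {
    // Escape for HTML output: SQL safety and XSS safety are separate concerns.
    echo htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
$stmt->close();
$db->close();
```

Because the scanner's payload only ever reaches the server as a parameter value, it is stored and displayed as literal text rather than parsed as part of the query.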

  • Use `mysqli_real_escape_string` and `mysqli`. It'll escape things correctly depending on your encoding. – h2ooooooo May 09 '14 at 11:12
  • [Yes, of course](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Your Common Sense May 09 '14 at 11:12
  • @h2ooooooo Escaping things has absolutely nothing to do with injections. It really makes me wonder that you don't know it yet. – Your Common Sense May 09 '14 at 11:12
  • You should look at [this question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1). – Fluffeh May 09 '14 at 11:13
  • @YourCommonSense What injection would get through `mysqli_real_escape_string`? – h2ooooooo May 09 '14 at 11:14
  • @h2ooooooo The matter is not "what injection would get through". The matter is, as I said above, that this function is totally irrelevant to injections at all. You may read here, if still curious: http://phpdelusions.net/sql_injection – Your Common Sense May 09 '14 at 11:15
  • @YourCommonSense Huh? How is it irrelevant to injections if it protects against them? Sure, it doesn't quote strings like prepared statements do, but use it right with the right casts and you wouldn't have a problem at all. I really fail to see what you're getting at here, and I'd love some input other than "it's wrong". **Edit**: Just saw your link - I'll read up on it. – h2ooooooo May 09 '14 at 11:18
  • @h2ooooooo It doesn't. This is no more than a delusion. You may even notice the very *name* of this function - there is not a single word like "protect", "injection" and such - think of it! I posted a link above where I tried my best with an explanation. – Your Common Sense May 09 '14 at 11:20
  • Will you please give me some suggestions? I even tried mysqli_real_escape_string and it was also not successful :( – Noman Riffat May 09 '14 at 11:25
  • Before trying something you have to understand it first. This is a very essential rule, yet practically unknown to the average PHP user, and indeed a very useful one. So first try to read the links provided and understand the problem, and only then start with the solution. – Your Common Sense May 09 '14 at 11:27

0 Answers