
My website recently got hacked/compromised. Via Google I have learnt it is a victim of site injections. I believe I have cleaned and hopefully secured my website, but I'm looking for ways to prevent it from ever happening again. I came across some code (see below) and wanted to know whether it will

1) work to prevent such attacks in the future? and

2) where should I add this code, as my website is built in WordPress?

Any help, or even better code anyone can provide, will be greatly appreciated; I'm new to programming.

Code:

<?php
if (isset($_REQUEST["id"])) {
    if (!is_int($_REQUEST["id"])) {
        // redirect this person back to homepage
    } else {
        $id_raw    = trim(htmlentities($_REQUEST["id"]));
        $id_secure = mysql_real_escape_string($id_raw);
        $sql = "SELECT * FROM databasetable WHERE id='" . $id_secure . "'";
    }
}
?>
asked by yaw (edited by Jonathan Leffler)
  • You should use prepared statements: http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers – awl19 Jul 12 '16 at 09:36
  • This is SQL Injection, and yes, it's bad. As @awl19 mentioned, use prepared statements, or use a library such as MeekroDB (http://meekro.com/) to run your queries (it would also make database work a lot easier) – mwieczorek Jul 12 '16 at 09:51
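As an added example (not the asker's code and not WordPress core), this is the same id lookup written the way it would go in a theme's functions.php or a plugin file, using WordPress's own `$wpdb->prepare()` instead of string concatenation. The function name and the table name `databasetable` are placeholders; `$wpdb`, `wp_safe_redirect()`, `home_url()` and `ARRAY_A` are the real WordPress API.

```php
<?php
// Added example, not the asker's code or WordPress core. It assumes it runs
// inside WordPress (the global $wpdb is available) and that the table and
// function names are placeholders you replace with your own.
function get_record_by_id() {
    global $wpdb;

    // Request values arrive as strings, so is_int() never matches them.
    // FILTER_VALIDATE_INT returns a real int for "42" and false for "42 OR 1=1";
    // filter_input() returns null when the parameter is absent.
    $id = filter_input(
        INPUT_GET,
        'id',
        FILTER_VALIDATE_INT,
        array( 'options' => array( 'min_range' => 1 ) )
    );
    if ( null === $id || false === $id ) {
        wp_safe_redirect( home_url() ); // missing or non-numeric id: back to the homepage
        exit;
    }

    // %d is a placeholder: $wpdb->prepare() casts the value to an integer and
    // inserts it for you, so the request can never change the SQL text itself.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}databasetable WHERE id = %d",
        $id
    );

    return $wpdb->get_row( $sql, ARRAY_A ); // null when no row matches
}
```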

3 Answers


PDO is an acronym for PHP Data Objects. PDO is a lean, consistent way to access databases. This means developers can write portable code much more easily. PDO is not an abstraction layer like PearDB. PDO is more like a data access layer which uses a unified API (Application Programming Interface). You basically have two options to achieve this:

Example:

$qry = $con->prepare('SELECT * FROM student WHERE name = :name');
$qry->execute(array('name' => $name));

foreach ($qry as $get) {
    // do something with $get
}

Setting up database using PDO

$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDBPDO";

A DSN is basically a string of options that tells PDO which driver to use, together with the connection details. You can look up all the options in the PDO MySQL DSN documentation.

// the charset belongs in the DSN (see the note below)
$conn = new PDO("mysql:host=$servername;dbname=$dbname;charset=utf8mb4", $username, $password);

Note: If you get an error about character sets, make sure you add the charset parameter to the DSN. Adding the charset to the DSN is very important for security reasons, most examples you'll see around leave it out. MAKE SURE TO INCLUDE THE CHARSET!

You can also set some attributes after PDO construction with the setAttribute method:

$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $conn->prepare("SELECT id, firstname, lastname FROM MyGuests");
$stmt->execute();

// fetch the rows as associative arrays
$stmt->setFetchMode(PDO::FETCH_ASSOC);
foreach ($stmt->fetchAll() as $row) {
    echo $row['id'], ' ', $row['firstname'], ' ', $row['lastname'], "\n";
}

The way injection-type attacks work is by somehow getting an interpreter (the database) to evaluate something that should have been data as if it were code. This is only possible if you mix code and data in the same medium (e.g. when you construct a query as a string). Parameterised queries work by sending the code and the data separately, so it would never be possible to find a hole in that.

answered by Akhil Sahu

SQL Injection is a type of vulnerability in applications that use an SQL database. The vulnerability arises when user input is used in an SQL statement.

$n = $_GET['user'];
$sql = "SELECT password FROM tbl_login WHERE name = '$n' ";

As you can see, the value the user enters into the URL variable user will get assigned to the variable $n and then placed directly into the SQL statement. This means that it is possible for the user to edit the SQL statement.

$n = "admin' OR 1=1 -- ";
$sql = "SELECT password FROM tbl_login WHERE name = '$n' ";

The SQL database will then receive the SQL statement as the following:

SELECT password FROM tbl_login WHERE name = 'admin' OR 1=1 -- '

To prevent SQL injections we will have to use something called prepared statements, which use bound parameters. Prepared statements do not combine variables with SQL strings, so it is not possible for an attacker to modify the SQL statement. Prepared statements combine the variable with the compiled SQL statement; this means that the SQL and the variables are sent separately and the variables are just interpreted as strings, not as part of the SQL statement.

Prepared Statements with MySQLi.

Using the methods in the steps below, you will not need to use any other SQL injection filtering techniques such as mysql_real_escape_string(). This is because with prepared statements it is not possible to do conventional SQL injection.

MySQLi SELECT Query.

$n = $_GET['user'];

// Prepare the statement
if ($sql = $mysqli->prepare("SELECT password FROM tbl_login WHERE name=?")) {

    // Bind a variable to the parameter as a string.
    $sql->bind_param("s", $n);

    // Execute the statement.
    $sql->execute();

    // Get the variables from the query.
    $sql->bind_result($pass);

    // Fetch the data.
    $sql->fetch();

    // Close the prepared statement.
    $sql->close();
}
answered by Lucky (edited by chino)
  • Thanks for the feedback; where exactly would I add or place your code? I am new to programming and PHP, so forgive my ignorance! Do I add this to my wp-login.php file? Please state where. – yaw Jul 12 '16 at 15:46
  • You need to post your code. How can I possibly know what's contained in wp-login? However, you can change the MySQL code in your PHP script. – Lucky Jul 12 '16 at 19:02
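The two answers above make one claim between them: the input `admin' OR 1=1 -- ` rewrites a concatenated query, and a bound parameter makes that impossible. The following added example (not from the question or any answer) shows both side by side with PDO, as the first answer recommends; it assumes the pdo_sqlite extension so the constructed tbl_login table lives in memory and the script runs offline with no MySQL server.

```php
<?php
// Added example, not code from the question or the answers. Uses PDO with an
// in-memory SQLite database (assumes pdo_sqlite); the table and its two rows
// are constructed here to mirror the tbl_login example in the second answer.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE tbl_login (name TEXT, password TEXT)");
$db->exec("INSERT INTO tbl_login VALUES ('admin', 'hash-a'), ('bob', 'hash-b')");

// The vulnerable pattern from the second answer: user input is concatenated
// into the SQL text, so the database parses the input as part of the query.
function lookupUnsafe(PDO $db, string $n): array {
    $sql = "SELECT password FROM tbl_login WHERE name = '$n'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The fixed pattern from the first answer: the SQL text is prepared first and
// the value is bound afterwards, so it is only ever compared as data.
function lookupSafe(PDO $db, string $n): array {
    $stmt = $db->prepare("SELECT password FROM tbl_login WHERE name = :name");
    $stmt->execute([':name' => $n]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$payload = "admin' OR 1=1 -- ";   // the input shown in the second answer

// With concatenation the payload turns the WHERE clause into
//   name = 'admin' OR 1=1 -- '   and every row comes back.
// With binding the whole string is compared as a literal name and matches
// nothing, because no user is called "admin' OR 1=1 -- ".
printf("unsafe: %d row(s), safe: %d row(s)\n",
    count(lookupUnsafe($db, $payload)),
    count(lookupSafe($db, $payload)));

// A legitimate name behaves the same way in both versions.
printf("bob via prepared statement: %s\n", implode(',', lookupSafe($db, 'bob')));
```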

You will need to understand this:

  1. Nothing is 100% secure.
  2. All you can do is increase your level of security by implementing different security measures, like filtering user input before querying databases and using prepared statements.
  3. Using a secure connection for server interaction by encrypting the data using SHA or MD5 or some other salt encryption.
  4. Using captcha in your forms to filter out bot attacks.

As far as your above code is concerned:

  1. It is just checking whether the request id is an integer or not.
  2. It is filtering out the special characters and then running the query.

I would suggest you check the link below:

https://www.owasp.org/index.php/PHP_Top_5

It will give you an insight into how to implement security in an application.

answered by 5eeker
  • Any sort of injection attack (SQL, HTML, XSS) *is* a solved problem and *can* be made 100% secure. You just have to be diligent about it. – Other aspects of "security" can indeed get harder and harder, especially when you get into social engineering and such, over which you have little to no technical influence. – deceze Jul 12 '16 at 10:32