
I have a PHP function that checks all of my php files, so none of the attacks could upload any script or something.. Although, my client's site is too old and a couple of days ago, I got a message from the server that says: MYSQL injection and the query is being tried to be used.

The system has a PHP version: 5.2.17 and there are mysql_queries that are being deprecated ... Although the update of the system is too hard to be done..

I tried to find a solution and check for these ones:

  1. mysql_real_escape_string()
  2. is_numeric()
  3. htmlspecialchars(value, ENT_QUOTES)

I do not know if any of these counts! Does any of the above work, in order to avoid the SQL Injection?

Moreover, I found this one, as a good solution:

Use: filter_input(..) of PHP

The attack was made in a $_GET value, but did not touch the DB.. yet.. The query I saw was something like identifier..

Any suggestion or help would be appreciated!

  • Don't use mysql functions, it's really outdated. Switch to mysqli or pdo – E3Im Oct 08 '18 at 08:53
  • '*The system has a PHP version: 4.2.17*' - This is your biggest security concern. The current major PHP version is 7 and it has most definitely patched many security issues since 4. (Other benefits such as the language has matured and has had some neat features added to it) – Script47 Oct 08 '18 at 08:54
  • filter_input is supported only from [PHP 5 onwards](https://secure.php.net/manual/en/function.filter-input.php), so you should look to upgrading your PHP and use either mysqli or pdo – kellymandem Oct 08 '18 at 09:02

1 Answer


mysql_real_escape_string() is the only one you need for preventing SQL Injection itself. htmlspecialchars() is to prevent XSS attacks.

I guess you can't use any newer libraries or upgrade PHP. In that case I'd recommend you to implement your "safe" mysql_query using http://php.net/manual/en/function.override-function.php because it's really easy to forget to escape a query.

  • Please don't suggest the OP to use obscure functions when prepared statements exists for both `mysqli_*` and PDO. – Script47 Oct 08 '18 at 11:40
  • @Script47 Well, not for PHP 4 – Tomáš Neumaier Oct 08 '18 at 11:44
  • My point being that the OP ***needs*** to upgrade, even if it is to 5.6. That should be the advice that should be given. – Script47 Oct 08 '18 at 11:53
  • Hello, thanks for your answers.. The website is since 2011.. the PHP version is 5.2.17.. I can't upgrade the PHP version for sure.. So, I could add mysql_real_escape_string(), in every $_GET value I have, before the mySql queries, right? – Kiriakos Grhgoriadhs Oct 11 '18 at 07:18
  • if you run 5.2, you CAN and SHOULD switch to `mysqli` – Dorvalla Oct 11 '18 at 07:29
  • I could, but too many hours, and it is worthless if the customer does not pay for such an upgrade.. because of his custom CMS... Anyway, I see your point! I would try to add mysql_real_escape_string(), to every $_GET value I guess, and see how it goes... thanks a lot for your time and comments – Kiriakos Grhgoriadhs Oct 16 '18 at 13:59
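A worked contrast of the three approaches discussed in this thread: the raw query, the legacy escaping the answer recommends (with the quoting and numeric caveats it does not spell out), and the mysqli prepared statement the comments point to. This is an added example, not code from the question, the answer or any commenter; it assumes a hypothetical mysql_* connection resource `$link`, a hypothetical mysqli object `$db`, and a hypothetical table `items` with an integer `id` and a string `slug` column.

```php
<?php
// Added example (not from the question or answer). Assumes a legacy PHP 5.2
// code base, an open mysql_* connection in $link, a mysqli object in $db, and
// a table `items` with integer `id` and string `slug` columns (all hypothetical).

// --- Vulnerable: $_GET values are concatenated straight into the SQL text. ---
function get_item_vulnerable($link)
{
    $sql = "SELECT id, slug FROM items WHERE id = " . $_GET['id'] .
           " AND slug = '" . $_GET['slug'] . "'";
    return mysql_query($sql, $link);
}

// --- Hardened with the legacy API (what the answer recommends). ---
// Two rules: escape every string value AND wrap it in single quotes, because
// mysql_real_escape_string() only neutralises quote/escape characters, so an
// unquoted value stays injectable. Numeric columns are cast, not escaped.
// mysql_set_charset($charset, $link) must have been called on the connection so
// the escaping matches the connection charset.
function get_item_escaped($link)
{
    $id   = isset($_GET['id']) ? (int) $_GET['id'] : 0;   // cast, never escape
    $slug = isset($_GET['slug']) ? $_GET['slug'] : '';
    $slug = mysql_real_escape_string($slug, $link);       // pass the link explicitly
    $sql  = "SELECT id, slug FROM items WHERE id = $id AND slug = '$slug'";
    return mysql_query($sql, $link);
}

// is_numeric() alone is too loose for an integer column: on PHP 5 it accepts
// "1e3", " 5" (leading space) and "0x1A". ctype_digit() is the strict check.
function is_int_param($value)
{
    return is_string($value) && ctype_digit($value);
}

// --- Preferred on PHP 5.2: a mysqli prepared statement (the comments' advice).
// The values never become part of the SQL text, so no escaping or quoting.
function get_item_prepared(mysqli $db)
{
    $id   = isset($_GET['id']) ? (int) $_GET['id'] : 0;
    $slug = isset($_GET['slug']) ? $_GET['slug'] : '';
    $stmt = $db->prepare('SELECT id, slug FROM items WHERE id = ? AND slug = ?');
    if ($stmt === false) {
        return array();                       // prepare failed: log $db->error
    }
    $stmt->bind_param('is', $id, $slug);      // i = integer, s = string
    $stmt->execute();
    $stmt->bind_result($row_id, $row_slug);   // get_result() needs PHP 5.3+, so bind
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('id' => $row_id, 'slug' => $row_slug);
    }
    $stmt->close();
    return $rows;
}
```

Escaping every `$_GET` value by hand, as the last comment proposes, works only if each escaped value also lands inside quotes in the query; the prepared-statement form removes that per-query discipline entirely.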