Okay. So with UPDATE hx_users SET ua='".$ubr."' WHERE id='$uid' we always set the browser of every user when they log in to the server.
I can't see any possibility for hackers to use SQL injection here as we come to this step after verifying the uid (user id).
Do you see any?
What is sql injection
Re: What is sql injection
If they use a fake User agent name like, ',email='[email protected]'# ???
this was used to reset all users' email ids.
[ Post made via Mobile Device ]

Re: What is sql injection
I think the main point we need to understand is, we need to isolate the user information table from user input as much as possible. For example, if you keep the agent information in a separate table (though it is not according to normalisation techniques in database system) with only user_id and agent_name fields, it is not possible for a hacker to access your email or password field.
As an alternative to the above suggestion, you can verify the user input as well (this can be a bit complicated). For example, you can check the agents against a valid list of agents? You can find a list here.
Re: What is sql injection
Bro,
Is this not a solution for this?
Code:
$_SERVER['HTTP_USER_AGENT']=addslashes($_SERVER['HTTP_USER_AGENT']);
[ Post made via Mobile Device ]

Re: What is sql injection
Also I've added below at the top of a common include php.
Code:
//protect against sql injections and remove $ sign
// addslashes() prefixes ' " \ and NUL with a backslash; it does not touch the $ sign.
// The original walked the arrays with each()/reset(); each() was removed in PHP 8.0,
// and foreach covers the same one level of nesting without needing reset().
if( is_array($_GET) )
{
    foreach( $_GET as $k => $v )
    {
        if( is_array($v) )
        {
            foreach( $v as $k2 => $v2 )
            {
                $_GET[$k][$k2] = addslashes($v2);
            }
        }
        else
        {
            $_GET[$k] = addslashes($v);
        }
    }
}
if( is_array($_POST) )
{
    foreach( $_POST as $k => $v )
    {
        if( is_array($v) )
        {
            foreach( $v as $k2 => $v2 )
            {
                $_POST[$k][$k2] = addslashes($v2);
            }
        }
        else
        {
            $_POST[$k] = addslashes($v);
        }
    }
}
[ Post made via Mobile Device ]

Re: What is sql injection
Use of addslashes is still vulnerable to a SQL injection attack. See http://shiflett.org/blog/2006/jan/addsl ... ape-string for more details.
mysql_real_escape_string() is a little bit more powerful than addslashes() as it calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
As with addslashes(), mysql_real_escape_string() will only work if the query string is wrapped in quotes. A string such as the following would still be vulnerable to an SQL injection:
Code:
$uname = mysql_real_escape_string( $_GET['id'] );
// id is not quoted, so the escaped value is still spliced straight into the SQL
$query = 'SELECT username FROM users WHERE id = ' . $uname;
However, if the script looked something like the following, mysql_real_escape_string() would prevent an SQL injection:
Code:
$uname = mysql_real_escape_string( $_GET['id'] );
// the value sits inside double quotes, which the escaping is designed for
$query = 'SELECT username FROM users WHERE id = "' . $uname . '"';
Another point is, I personally do not like to reset system arrays as you did below.
Code:
// mysql_real_escape_string() stands in here for whatever escaping function is used
$_SERVER['HTTP_USER_AGENT']=mysql_real_escape_string($_SERVER['HTTP_USER_AGENT']);
Instead I would get it to a local variable and use it as below,
Code:
$myVar = mysql_real_escape_string($_SERVER['HTTP_USER_AGENT']);
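As an added example (not code from any poster in this thread), the OP's UPDATE rewritten as a PDO prepared statement beside the concatenated form, so the User-Agent value never becomes part of the SQL text and neither the quoting rule nor the connection charset problem from the Shiflett link applies. It assumes PHP with the pdo_sqlite extension; the table rows and User-Agent strings are constructed for the demo.

```php
<?php
// Added example, not code from the thread: the OP's UPDATE hx_users SET ua=...
// as a PDO prepared statement, next to the concatenated form from the first post.
// Table/column names follow the thread; the in-memory SQLite database, its rows and
// the sample User-Agent values are constructed here (SQLite and MySQL both accept
// "-- " as a comment; the "#" used in the thread's example is MySQL-only).

function openDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE hx_users (id INTEGER PRIMARY KEY, email TEXT, ua TEXT)');
    $db->exec("INSERT INTO hx_users (id, email, ua) VALUES
               (1, 'alice@example.test', ''), (2, 'bob@example.test', '')");
    return $db;
}

// As in the original post: the User-Agent string is spliced into the SQL text.
function updateUaConcat(PDO $db, int $uid, string $ubr): void {
    $db->exec("UPDATE hx_users SET ua='" . $ubr . "' WHERE id='" . $uid . "'");
}

// Fix: placeholders. The value is sent separately from the statement, so no
// escaping function, quoting rule or connection charset is involved at all.
function updateUaPrepared(PDO $db, int $uid, string $ubr): void {
    $stmt = $db->prepare('UPDATE hx_users SET ua = :ua WHERE id = :id');
    $stmt->execute([':ua' => $ubr, ':id' => $uid]);
}

function dumpUsers(PDO $db): array {
    return $db->query('SELECT id, email, ua FROM hx_users ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
}

$hostile = "',email='attacker@example.test'-- ";   // constructed; same shape as the thread's example

$db = openDemoDb();
updateUaPrepared($db, 1, $hostile);
foreach (dumpUsers($db) as $row) {
    // Both emails unchanged; row 1's ua column holds the whole string literally.
    printf("%d %s %s\n", $row['id'], $row['email'], var_export($row['ua'], true));
}

$db = openDemoDb();
updateUaConcat($db, 1, $hostile);
foreach (dumpUsers($db) as $row) {
    // Both emails replaced: the quote closed the ua literal and the comment marker
    // dropped the WHERE clause, which is the outcome the thread describes.
    printf("%d %s %s\n", $row['id'], $row['email'], var_export($row['ua'], true));
}
```

The same prepare/execute pattern covers the unquoted numeric id case from the post above, since a bound integer is never interpolated into the statement text.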