
is it possible to remove queries from strings


justride (Programmer), Jan 9, 2004
I'm making a site, and I pass some variables by URL etc... Since users can modify URLs, I want to take all precautions. Is there a way to stop users from modifying variables in the URL so that I can take out all MySQL queries?

I currently take out all HTML and PHP tags, but I feel like if the user/hacker knows my table names then they could put queries in the variable names etc.

ex: or hacker
query

Not sure if they can do anything, but I wanted to eliminate it if it's possible.

Thanks

If not then what are other precautions I can take?

Thanks
 
If you have register_globals set to OFF (which is the default since 4.1.0, I believe) then the var=bad query is not a problem. It would also require that $var is not initialized in your code and that a query on $var is executed.
MySQL injection is not as easy as people think.
 
I assume you're using the value of var in a query? Just make sure you quote it correctly and escape all special characters.
 
And if that still bothers you, switch to the POST method...

Known is handfull, Unknown is worldfull
 
You can still spoof a post, variable handling is important in either case.
 
Many PHP developers have been saved by the limitation of MySQL that only one query can be executed by a mysql_query command.
However, that doesn't save you from injection of logical parts such as OR password= etc...
 
I guess I'll have to wait and see if I get attacked, haha.
There are some minor instances where I accept non-numeric data, and if the user knows the DB schema they may have access. I guess I should connect to the DB with read-only access?
 
It seems to me that if you md5 your passwords then if a said hacker sees the contents of your user table they will only have the usernames. For that matter you can md5 the usernames too if you are that paranoid.

I guess you have to determine what they will be able to see if they change $var to something other than expected:
select * from blah where var='$var';

Then you can determine if it is necessary to protect it.

I would think that as long as you escape special characters you will be fine.

I would worry more about INSERT and UPDATE and my data integrity.

Sera
I often believe that...
My computer is possessed!
 
What do you guys mean by escape special characters? Like single quotes?
 
When you guys say escape special characters, do you mean single quotes?
 
They mean clean the variable before using it in a query (you should do this with all user-inserted parameters (forms etc.), be they POST or GET).

I tend to clean variables coming in through POST or GET as follows (magic_quotes is always turned off in my scripts):
===
// Escape every incoming POST value in place so it is safe inside a quoted SQL string
foreach ($_POST as $key => $val) {
    $_POST[$key] = mysql_real_escape_string($val);
}
===

This is lazy coding though. Ideally you would set each variable that you actually wanted in your script and then work with the set variable (I believe that variable handling in PHP v5 probably means the above is not so bad after all):

===
// Copy only the parameters the script actually uses, escaping each one
$wantedvar1 = mysql_real_escape_string($_POST['incomingvar']);
// etc.
===

HTH
Justin
 
Oops. Should have been "foreach" and not "for each".
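The three situations the thread has been circling (a raw value pasted into the query, the same value escaped, and a bound parameter), as an added example that is not part of the thread. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; PDO::quote() stands in for mysql_real_escape_string(), and the users table and the tampered $var are constructed here.

```php
<?php
// Constructed sample database: two users, so an "OR 1=1" result is visibly wider than one row.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Count rows returned by a query text, for the comparisons below.
function rowCount(PDO $pdo, string $sql): int {
    return count($pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN));
}

// Simulated tampered $_GET['var']: a quote closes the literal and appends an OR clause,
// which is the "injection of logical parts such as OR" mentioned above.
$var = "x' OR name='alice";

// 1. Raw value pasted into the query: the OR becomes SQL, and alice's row comes back.
echo "raw      : " . rowCount($pdo, "SELECT name FROM users WHERE name='$var'") . " row(s)\n"; // 1

// 2. Escaped value: the inner quote is doubled, so the whole thing stays one string literal.
//    PDO::quote() adds the surrounding quotes itself; with mysql_real_escape_string()
//    you write the quotes around the value yourself, as the examples above do.
echo "escaped  : " . rowCount($pdo, "SELECT name FROM users WHERE name=" . $pdo->quote($var)) . " row(s)\n"; // 0

// 3. Bound parameter: the value never becomes part of the SQL text at all.
$stmt = $pdo->prepare("SELECT name FROM users WHERE name = ?");
$stmt->execute([$var]);
echo "bound    : " . count($stmt->fetchAll(PDO::FETCH_COLUMN)) . " row(s)\n"; // 0

// 4. Caveat for the non-numeric data case raised above: escaping only helps inside quotes.
//    An unquoted numeric column gets no protection from escaping, because there is no
//    quote to escape; cast (or bind) the value instead.
$id = "1 OR 1=1";
echo "id raw   : " . rowCount($pdo, "SELECT name FROM users WHERE id=$id") . " row(s)\n";       // 2
echo "id cast  : " . rowCount($pdo, "SELECT name FROM users WHERE id=" . (int)$id) . " row(s)\n"; // 1
```

The same checks apply unchanged to POST data, which is why spoofing a POST (noted earlier in the thread) gains an attacker nothing once values are escaped or bound.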
 
What about the use of mod_rewrite to modify the look of the url? This would aid in 'hiding' the variables.

Bastien

I wish my computer would do what I want it to do,
instead of what I tell it to do...
 