How to detect intrusion attempts? [duplicate]

4

In order to protect against SQL injection, I need to devise a function that eliminates the possibility of someone trying to act in bad faith.

The question is, does mysqli bring with it any functionality to help counter this? In addition, what would be the best way, that is, the best function to deal with eliminating the possibility of SQL injection?

    
asked by anonymous 20.10.2015 / 07:20

2 answers

11

Preventing attacks, sometimes easy, and sometimes difficult, depending on the knowledge of who is creating these barriers. There are a number of Open Source libraries on the internet today that are able to deal with many of the attacks that have been made up to date.

>

MySQL or MySQL improved , is an enhanced version of MySQL , currently supporting object- in> and procedual , both effective.

PDO or PHP Data Objects is an extension that allows you to connect to databases as well as provide abstraction of these layers. PDO supports multiple databases by default.

What to use, it is something to choose because you are going to program because both have several utilities, and sometimes, depending on the situation, it is easier to work with one another.

As for SQL injection , both come well prepared for these types of attacks.

Both MySQLi and PDO have prepared statments and stored procedures , effective and greatly reduce the risk of an SQL injection .

Prepared Statments & Stored Procedures:

  • Query is passed once, and can be executed multiple times, with different parameters.
  • When Query is ready , it is compiled and optimized to execute.
  • The higher the Query, the longer it takes to compile and optimize.
  • Parameters do not need "quotes" , they are automatically processed by the driver.

PDO example:

<?php
/* Connect to an MySQL database using driver invocation */
$dsn = 'mysql:dbname=testdb;host=localhost';
$user = 'dbuser';
$password = 'dbpass';

try {
    $dbh = new PDO($dsn, $user, $password);
} catch (PDOException $e) {
    echo 'Connection failed: ' . $e->getMessage();
}
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();

// insert another row with different values
$name = 'two';
$value = 2;
$stmt->execute();
?>

PDO should normally instantiate the class in a try / catch block, to catch the exception, if any.

MySQLi example:

<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$city = "Amersfoort";

/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {

    /* bind parameters for markers */
    $stmt->bind_param("s", $city);

    /* execute query */
    $stmt->execute();

    /* bind result variables */
    $stmt->bind_result($district);

    /* fetch value */
    $stmt->fetch();

    printf("%s is in district %s\n", $city, $district);

    /* close statement */
    $stmt->close();
}

/* close connection */
$mysqli->close();
?>
Using these drivers does not make you armored against malicious people, because depending on what you do in your connection / search / insertion script, if you do not know how to handle the input data (data usually sent by the user from forms, search fields, etc.) you will always have these problems.

  

The developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).

Another thing is that ... it does not matter how you try, because if someone really wants to cheat your system, it will simply do it, the important thing is to put a level of security for the type of system you want to use, because it is kind of illogical, he imagines - protecting an infantile game establishment frequented only by children of 5 years, with the security of an house of adult games .

If you want security, and trust scripts, there are many out there, created and evaluated by professionals, and they are Open Source , just remember this.

Some References:

20.10.2015 / 11:34
7

The recommended way to access databases is by using mysqli or PDO , according to documentation .

For mysqli , prepare function allows the use of prepared statements , where the query query ) is sent to the server separately from the parameters or variables.

Example based on documentation:

<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$cidade = "Sorocaba";

if ($stmt = $mysqli->prepare("SELECT Estado FROM Cidade WHERE Nome=?")) {  
    $stmt->bind_param("s", $cidade);
    $stmt->execute();
    $stmt->bind_result($estado);
    $stmt->fetch();

    printf("%s fica no estado de %s\n", $cidade, $estado);

    $stmt->close();
}

$mysqli->close();
?>

Remember that SQL Injection is just one of the possible types of attack based on sent data. Any data received from the user must be verified and "escaped" according to the context, for example:

  • If you use data to execute commands on the system, the attacker can gain access to the system, therefore "escape" control characters.
  • If you display user data on an HTML screen, "escape" special characters, otherwise the user can inject a script and collect data from other users.
  • If you write data to files, for example a log, you must be careful because a malicious user can inject additional lines into the log.

Finally, it's important to have a clear view of what you do with your data to identify potential hazards.

    
20.10.2015 / 08:17