Presentation is loading. Please wait.

Presentation is loading. Please wait.

Preventing MySQL Injection Sonja Parson COSC 5010 Security Presentation April 26, 2005.

Published byBarnaby Bond Modified over 8 years ago

Similar presentations

Presentation on theme: "Preventing MySQL Injection Sonja Parson COSC 5010 Security Presentation April 26, 2005."— Presentation transcript:

1 Preventing MySQL Injection Sonja Parson COSC 5010 Security Presentation April 26, 2005

2 Introduction  Used PHP, MySQL, and HTML for this project  Can access from the web  Username and Password needed to be secure  Wanted to protect against SQL injection attacks

3 MySQL Query Problems  Regular Expression Matching  Period(.)  Match any character (including carriage return and newline)  [:alnum:]  Match any alphanumeric characters  Single Quote (‘)  Ends a query  Now, you can type your own query into the field

4 Simple Solutions  Make sure that you limit the length of a parameter  Helps prevent someone from sending a query to the database through the username or password fields  Use secure passwords

5 A Few Functions (PHP)  Mysql_escape_string()  Mysql_real_escape_string()  Crypt()

6 Mysql_escape_string()  Escapes a string for use in a mysql query  Does not escape % and _  Does not respect the current charset setting  Example:  <?php  $item = “Sonja’s Laptop”;  $escaped_item = mysql_escape_string($item);  Printf(“%s\n”, $escaped_item);  ?>  Would return:  Sonja\’s Laptop

7 Mysql_real_escape_string()  Identical to mysql_escape_string(), but is connection oriented.  Takes into account the current charset of the database connection  Mysql_escape_string($unescaped_st ring, $link_to_database);

8 Crypt()  Crypt() is a one-way string encryption (hashing).  Uses standard DES-based encryption scheme  Uses the string and a salt to encrypt the string  If the salt is not provided, one is randomly generated by PHP each time the function is called.

9 Conclusion  By using the aforementioned functions, you can secure your database from unwanted attacks (assuming you wrote good enough code)  Websites are easy to hack when you have the source code  Website is secure from SQL injection attacks  SQL injection attacks are easy to do, but can also be easily guarded against

10 References  PHP, MySQL functions  http://pt.php.net/manual/en/ref.m ysql.php http://pt.php.net/manual/en/ref.m ysql.php  MySQL Reference Manual: MySQL Regular Expressions  http://dev.mysql.com/doc/mysql/e n/regexp.html http://dev.mysql.com/doc/mysql/e n/regexp.html

11

Download ppt "Preventing MySQL Injection Sonja Parson COSC 5010 Security Presentation April 26, 2005."

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
PHP SQL. Connection code:- mysql_connect(server, username, password); Connect to the Database Server with the authorised user and password. Eg $connect.

PHP SQL. Connection code:- mysql_connect("server", "username", "password"); Connect to the Database Server with the authorised user and password. Eg $connect.
Password Cracking Lesson 10. Why crack passwords?

Password Cracking Lesson 10. Why crack passwords?
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
The Essence of Command Injection Attacks in Web Applications Zhendong Su and Gary Wassermann Present by Alon Kremer April 2011.

The Essence of Command Injection Attacks in Web Applications Zhendong Su and Gary Wassermann Present by Alon Kremer April 2011.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.

SQL Injection Attacks Prof. Jim Whitehead CMPS 183: Spring 2006 May 17, 2006.
1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.

1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.
Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.

Database Connectivity Rose-Hulman Institute of Technology Curt Clifton.
Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.

Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.
Security in SQL Jon Holmes CIS 407 Fall 2007. Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.

Security in SQL Jon Holmes CIS 407 Fall Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Martin Kruliš 2. 4. 2015 by Martin Kruliš (v1.0)1.

Martin Kruliš by Martin Kruliš (v1.0)1.
{ Code Injection Cable Johnson.  Overview  Common Injection Types  Developer Prevention Code Injection.

{ Code Injection Cable Johnson.  Overview  Common Injection Types  Developer Prevention Code Injection.
PHP-MySQL By Jonathan Foss. PHP and MySQL Server Web Browser Apache PHP file PHP MySQL Client Recall the PHP architecture PHP can communicate with a MySQL.

PHP-MySQL By Jonathan Foss. PHP and MySQL Server Web Browser Apache PHP file PHP MySQL Client Recall the PHP architecture PHP can communicate with a MySQL.
Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.

Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.
Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.

Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.
Yvan Cartwright, Web Security Introduction Correct encryption use Guide to passwords Dictionary hacking Brute-force hacking.

Yvan Cartwright, Web Security Introduction Correct encryption use Guide to passwords Dictionary hacking Brute-force hacking.
PHP Security.

PHP Security.
MIS 5211.001 Week 11 Site:

MIS Week 11 Site:

Similar presentations

Ads by Google