SQL Injection Attack

software development

#1

I just fell victim to a SQL injection attack. Somewhere in this code…they’re getting in and corrupting the database.

Is there any way to create MySQL logs? I had this on the Windows machine for MS-SQL several years ago when I had to deal with this problem (took about two minutes to fix when I could see where they were getting in).

As it is, where the logs are stored in the directory structure…there is nothing. I’ve searched through the Dreamhost wiki but can’t find anything.


#2

I don’t think you’d have access to the sql logs unless you have a VPS or Dedicated Server…

What does the code look like? Maybe we can point out where the problem is.

Jw


#3

If you are using PHP, you should use PDOs which, I believe, make SQL injection impossible.


#4

OMG, I have miles of code. I don’t even know where to begin. I’ve already manually gone through it, and everything seems to be cleaned.

Question though…is it enough if I’m using GET for an id, and then do a numeric check on it? So I’m doing this:

if (isset($_GET['id']) && is_numeric($_GET['id'])) …
before I pass the contents of GET to a query.


#5

PDO. End of story.


#6

So if I switch all my database connections from standard (sorry, don’t know what it’s called) to PDO, it’ll take care of SQL injection attacks? That’s all there is to it?


#7

Not quite. You have to start using PDO prepared statements / placeholders instead of interpolating variables into your SQL queries.


#8

Not really, since is_numeric accepts all sorts of numbers that MySQL will choke on if used: 0123 40e3 0x34

Manually eeeeeck…

OpenVAS, Qualys, even Nessus if it’s a personal site. There’s also a toolkit, Metasploit.

Jw
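The two points made in #7 and #8 (stop interpolating values into the query text, and do not rely on is_numeric as an integer check) in one PHP snippet. This is an added example, not code from the thread; the table name `posts`, its columns, and the DSN/credential placeholders are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a MySQL table `posts` with an
// integer column `id`; connection values are placeholders.
declare(strict_types=1);

// Strict integer validation. FILTER_VALIDATE_INT rejects inputs that
// is_numeric() accepts, e.g. "40e3", "1.5", " 12", "+7", and returns an int
// rather than passing the original string through.
function validId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Before: the raw value becomes part of the SQL text. Even after an
// is_numeric() check the string goes into the query unchanged, so the
// query's structure still depends on what the client sent.
function fetchPostUnsafe(PDO $db, string $rawId): ?array
{
    $sql = "SELECT id, title FROM posts WHERE id = $rawId";   // do not do this
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// After: a PDO prepared statement. The SQL text is fixed at prepare() time and
// the value is sent separately, so it can only ever be treated as data.
function fetchPost(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO(
    'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]
);

$id = validId($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('invalid id');
}
$post = fetchPost($db, $id);
```

Switching the connection object to PDO on its own changes nothing; the protection comes from `prepare()` plus `bindValue()`/`execute()` replacing every place a variable is concatenated into the SQL string. The strict integer check is still worth keeping, because it turns bad input into a clean 400 before the database is ever involved.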


#9

http://www.php.net/manual/en/pdo.prepared-statements.php

