The Cache: Technology Expert's Forum
 
Topic: In depth discussion of SQL injection prevention - beyond input scrubbing
vsloathe
« on: October 23, 2007, 07:33:41 AM »

Hi all.

So I need to code to impress in a project I have coming up. My code's going to be scrutinized and I want this party to like what I'm putting down, so I want to go beyond my standard method of scrubbing inputs in the working part of my code and actually do some of the sexier methods to prevent SQL injection. I don't even know where to start, so can anyone point me in the right direction?

Thanks,
-V
perkiset
« Reply #1 on: October 23, 2007, 09:30:32 AM »

Hmmm... more sophisticated and sexy than scrubbing...

the only thing I can think of is pure input isolation, i.e., what comes from the user is *never* passed on to the DB - you take the user's intentions and recreate things from scratch or something... but I don't know what else beyond that except for a telemetry page that looks like "# of queries, # of potential attacks, last 10 queries" and such... have it automatically update so it looks all sexynshyt...
vsloathe
« Reply #2 on: October 23, 2007, 01:11:26 PM »

Appreciate the input Perk.

Yes, upon further research I've come to the conclusion that the only impressive route I might be able to take is to create my own little scrubbing class whose methods clean my various forms of input, whatever they may be.
nutballs
« Reply #3 on: October 23, 2007, 06:39:28 PM »

That's what I was going to suggest. I have a function that I pass 2 parameters to, Type and Value.
I have all kinds of cleaners in there: +integer to force a positive integer such as ID columns, date, float/double, and about a dozen more.

But I don't validate per se, I force correct. So, if someone passes 'abc' to +integer, it gets set to 0.

This is aside from my validation function, which of course runs first, pointing out how big a fuckhead you are for trying to out-leet me. :)
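A worked version of the two-parameter cleaner nutballs describes, as an added example in Python (it is not his code, and the posters here write PHP/ASP; the type names, the defaults, and the split into a reporting validate() and a force-correcting clean() are this example's own assumptions):

```python
"""Type-driven "force correct" cleaning of request fields.

Added example, not nutballs' own code: clean(kind, value) takes the two
parameters he describes (Type and Value) and returns a value of that type,
substituting a safe default ('abc' -> 0 for '+integer') instead of rejecting.
validate(kind, value) is the separate check that runs first and only reports.
Type names and defaults are this example's choices, not the forum's.
"""
import re
from datetime import date
from typing import Any, Callable, Dict, List, Optional, Tuple


def _positive_int(value: Any) -> int:
    """'+integer': ID-style columns. Anything that is not a non-negative integer becomes 0."""
    try:
        n = int(str(value).strip())
    except ValueError:
        return 0
    return n if n >= 0 else 0


def _int(value: Any) -> int:
    try:
        return int(str(value).strip())
    except ValueError:
        return 0


def _float(value: Any) -> float:
    try:
        return float(str(value).strip())
    except ValueError:
        return 0.0


def _date(value: Any) -> Optional[date]:
    """ISO date (YYYY-MM-DD); anything else, including impossible dates, becomes None."""
    try:
        return date.fromisoformat(str(value).strip())
    except ValueError:
        return None


def _bool(value: Any) -> bool:
    return str(value).strip().lower() in {"1", "true", "yes", "on"}


# Type name -> cleaner. New types are added here, not special-cased at call sites.
CLEANERS: Dict[str, Callable[[Any], Any]] = {
    "+integer": _positive_int,
    "integer": _int,
    "float": _float,
    "date": _date,
    "bool": _bool,
}

# Syntactic shape each type expects; used only by validate(), never to "fix" input.
_SHAPES = {
    "+integer": re.compile(r"\d+"),
    "integer": re.compile(r"-?\d+"),
    "float": re.compile(r"-?\d+(\.\d+)?"),
    "date": re.compile(r"\d{4}-\d{2}-\d{2}"),
    "bool": re.compile(r"(0|1|true|false|yes|no|on|off)", re.IGNORECASE),
}


def validate(kind: str, value: Any) -> bool:
    """Runs first: True only if the raw value already has the requested type's shape."""
    if kind not in CLEANERS:
        raise KeyError(f"unknown cleaner type {kind!r}")
    text = str(value).strip()
    if _SHAPES[kind].fullmatch(text) is None:
        return False
    # A well-shaped date can still be impossible (2007-02-30); let the cleaner decide.
    return kind != "date" or _date(text) is not None


def clean(kind: str, value: Any) -> Any:
    """The two-parameter entry point: clean(Type, Value) always returns a usable value."""
    if kind not in CLEANERS:
        raise KeyError(f"unknown cleaner type {kind!r}")
    return CLEANERS[kind](value)


def clean_request(schema: Dict[str, str], raw: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Apply {field: type} to a raw request dict.

    Returns (cleaned values, fields that failed validation). Missing fields are
    treated as empty strings, so they fail validation and receive the default.
    """
    cleaned: Dict[str, Any] = {}
    rejected: List[str] = []
    for field, kind in schema.items():
        value = raw.get(field, "")
        if not validate(kind, value):
            rejected.append(field)  # report/log here; the value is still force-corrected below
        cleaned[field] = clean(kind, value)
    return cleaned, rejected


if __name__ == "__main__":
    # Constructed request: 'abc' is the case from the post, 'price' carries trailing junk.
    schema = {"id": "+integer", "qty": "integer", "price": "float", "when": "date", "active": "bool"}
    raw = {"id": "abc", "qty": "-3", "price": "9.99x", "when": "2007-10-23", "active": "yes"}
    values, bad = clean_request(schema, raw)
    print(values)  # {'id': 0, 'qty': -3, 'price': 0.0, 'when': datetime.date(2007, 10, 23), 'active': True}
    print(bad)     # ['id', 'price']
```

Because every numeric, date and boolean field leaves clean() as a typed value rather than a string, the query layer can rely on the type. Free-text fields get no such guarantee from coercion and still have to reach the database as bound parameters.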
Dragonlaird
« Reply #4 on: October 23, 2007, 10:46:00 PM »


so I want to go beyond my standard method of scrubbing inputs in the working part of my code and actually do some of the sexier methods to prevent SQL injection.


Not sure if it will help since I don't code in PHP but in my native tongue (ASP/ASP.NET) I developed a complete DB handling class which deals with all comms to/from any DB and constructs all SQL statements pre-cleaned etc.

It has various functions to allow the developer to construct SQL statements that are DB-specific and also use pre-scrubbed values etc.

Since it's all done server-side, the client form can accept anything you like and the resulting server-side SQL is constructed to save exactly what is entered without any possible SQL injections creeping in.

Is this the sort of thing you were meaning or is this a little too heavy-weight for what you had in mind?
vsloathe
« Reply #5 on: October 24, 2007, 06:51:23 AM »


so I want to go beyond my standard method of scrubbing inputs in the working part of my code and actually do some of the sexier methods to prevent SQL injection.


No sure if it will help since I don't code in PHP but in my native tongue (ASP/ASP.NET) I developed a complete DB handling class which deals with all comms to/from any DB and constructs all SQL statements pre-cleaned etc.

It has various functions to allow the developer to construct SQL statements that are DB-specific and also use pre-scrubbed values etc.

Since it's all done server-side, the client form can accept anything you like and the resulting server-side SQL is constructed to save exactly what is entered without any possible SQL injections creeping in.

Is this the sort of thing you were meaning or is this a little too heavy-weight for what you had in mind?

That's pretty much exactly it. Thanks for the idea.
nop_90
« Reply #6 on: October 24, 2007, 09:25:43 PM »

> the only thing I can think of is pure input isolation, i.e., what comes from the user is *never* passed on to the DB - you take the user's intentions and recreate things from scratch or something... but I don't know what else beyond that except for a telemetry page that looks like "# of queries, # of potential attacks, last 10 queries" and such... have it automatically update so it looks all sexynshyt...

Actually yep.
Just came to me.
Probably the number 1 reason to use something like sqlobject for Python or similar shit for PHP, RoR, etc.
Not counting all the other advantages.

Almost makes SQL injection impossible.
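The approach Dragonlaird describes in Reply #4 (a server-side class that owns all SQL construction) and nop_90's point about ORM layers come down to the same property: user-supplied text never becomes part of the SQL statement. The following is an added Python example built on the standard-library sqlite3 module; it is not Dragonlaird's ASP.NET class nor sqlobject, and the Table API, the users schema and the sample rows are constructed for illustration:

```python
"""A server-side DB handling layer that never concatenates user text into SQL.

Added example, not Dragonlaird's class or nop_90's sqlobject: the layer owns
SQL construction, so the client form can send anything. Values travel to the
driver as bound parameters; identifiers (table and column names), which drivers
cannot bind, are checked against the whitelist the developer declares when the
Table object is created. Uses sqlite3 from the standard library.
"""
import sqlite3
from typing import Any, Dict, Iterable, List, Sequence, Tuple

# Constructed input: concatenated into a WHERE clause it would read  name = '' OR '1'='1'
HOSTILE = "' OR '1'='1"


class Table:
    """One table: SQL text comes from the declared name/columns, data comes from parameters."""

    def __init__(self, conn: sqlite3.Connection, name: str, columns: Sequence[str]):
        self.conn = conn
        self.name = name
        self.columns = tuple(columns)

    def _check_columns(self, names: Iterable[str]) -> None:
        """Identifiers cannot be bound, so reject anything not declared up front."""
        bad = [c for c in names if c not in self.columns]
        if bad:
            raise ValueError(f"unknown column(s) for {self.name}: {bad}")

    def insert(self, row: Dict[str, Any]) -> int:
        self._check_columns(row)
        cols = ", ".join(row)                 # whitelisted identifiers only
        marks = ", ".join("?" for _ in row)   # one placeholder per value
        cur = self.conn.execute(f"INSERT INTO {self.name} ({cols}) VALUES ({marks})",
                                tuple(row.values()))
        self.conn.commit()
        return cur.lastrowid

    def select(self, where: Dict[str, Any], columns: Sequence[str] = ()) -> List[Tuple]:
        cols = tuple(columns) or self.columns
        self._check_columns(cols)
        self._check_columns(where)
        sql = f"SELECT {', '.join(cols)} FROM {self.name}"
        if where:
            sql += " WHERE " + " AND ".join(f"{c} = ?" for c in where)
        return self.conn.execute(sql, tuple(where.values())).fetchall()


def unsafe_select(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """The anti-pattern the layer replaces: raw concatenation, kept only for contrast."""
    return conn.execute(f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()


def build_demo() -> Table:
    """In-memory users table with three constructed rows, one of them the hostile string."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    users = Table(conn, "users", ("id", "name", "role"))
    users.insert({"name": "alice", "role": "admin"})
    users.insert({"name": "bob", "role": "user"})
    users.insert({"name": HOSTILE, "role": "user"})  # stored literally, quote and all
    return users


if __name__ == "__main__":
    users = build_demo()
    print(users.select({"name": HOSTILE}, ("name", "role")))  # only the row holding that literal
    print(unsafe_select(users.conn, HOSTILE))                 # every row: the concatenation failed
    try:
        users.select({"role": "admin"}, ("name; DROP TABLE users",))
    except ValueError as exc:
        print("rejected identifier:", exc)
```

The whitelist is what makes the layer complete: placeholders bind values only, so a column or sort-order name that originates in a request has to be compared against the declared list before it is spliced into the statement. unsafe_select exists purely to show the contrast on the same data.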
Indica
« Reply #7 on: October 25, 2007, 12:15:29 PM »

> I developed a complete DB handling class which deals with all comms to/from any DB and constructs all SQL statements pre-cleaned etc.

You mind sharing that class? ;)
Dragonlaird
« Reply #8 on: October 27, 2007, 01:03:29 AM »

> you mind sharing that class? ;)

Normally I would be more than happy to share my code but apart from the fact this is in ASP.NET (and the older version in ASP), I use it in my commercial sites and as such I can't release my commercial code for obvious reasons, plus some of the contracts with customers don't allow me to release the code.

Sowwy...