Addslashes()/magic_quote_gpc() is exploitable?


    I have read many blogs about this topic, but it is still complicated. Now, if addslashes is exploitable, what function are we going to use to stop SQLi attacks? They say that if you put a multi-byte char like bf27, the addslashes function will not add slashes to that input, because addslashes cannot read multi-byte chars. What should I do now to stop SQLi attacks? Should I use mysql_real_escape_string()?
    It's n0t that i am afraid to die. Its just that if i die, wh0 wilL loVe her as muCh as i Do?

    #2
    Yes, use mysql_real_escape_string(), unless the variable is not going into the database, or you will cause a silent error.
    Last edited by something else; 15.02.12, 06:36.



      #3
      I can bypass mysql_real_escape_string() and addslashes too.

      The best way to protect from SQLi is to install the latest version of mod_security.

      Only some pros can bypass it.



        #4
        PHP Code:
        $GET_KEY = array_keys($_GET);
        $POST_KEY = array_keys($_POST);
        $COOKIE_KEY = array_keys($_COOKIE);
        $SERVER_KEY = array_keys($_SERVER);
        $SESSION_KEY = array_keys($_SESSION);

        // Run every incoming value through clean() before it can reach a query.
        for ($i = 0; $i < count($GET_KEY); $i++) {
            $_GET[$GET_KEY[$i]] = clean($_GET[$GET_KEY[$i]]);
        }
        for ($i = 0; $i < count($POST_KEY); $i++) {
            $_POST[$POST_KEY[$i]] = clean($_POST[$POST_KEY[$i]]);
        }
        for ($i = 0; $i < count($COOKIE_KEY); $i++) {
            $_COOKIE[$COOKIE_KEY[$i]] = clean($_COOKIE[$COOKIE_KEY[$i]]);
        }
        for ($i = 0; $i < count($SERVER_KEY); $i++) {
            $_SERVER[$SERVER_KEY[$i]] = clean($_SERVER[$SERVER_KEY[$i]]);
        }
        for ($i = 0; $i < count($SESSION_KEY); $i++) {
            $_SESSION[$SESSION_KEY[$i]] = clean($_SESSION[$SESSION_KEY[$i]]);
        }

        function clean($str) {
            $str = @trim($str);
            // Undo magic_quotes first so the value is not escaped twice.
            if (get_magic_quotes_gpc()) {
                $str = stripslashes($str);
            }
            return mysql_real_escape_string($str);
        }

        // ereg_replace is deprecated since PHP 5.3; preg_replace is its replacement.
        $get = ereg_replace("[^0-9]", "", $_GET["get"]);     // to get number only
        $get = ereg_replace("[^a-zA-Z]", "", $_GET["get"]);  // to get word only
        I just use this only. I don't know whether it works well or not. I'm just a newbie. Good luck. ereg_replace has some bugs on several servers; try replacing it with others.
        Visit my WEBSITE Project: http://www.aspirewap.net



          #5
          Thanks for this code bro. I'm going to study this code.

          @string master, you mean I will use htaccess?

          @something else, thanks for that suggestion bro.


            #6
            Originally posted by analyzer View Post
            I have read many blogs about this topic, but it is still complicated. Now, if addslashes is exploitable, what function are we going to use to stop SQLi attacks? They say that if you put a multi-byte char like bf27, the addslashes function will not add slashes to that input, because addslashes cannot read multi-byte chars. What should I do now to stop SQLi attacks? Should I use mysql_real_escape_string()?
            None of those. magic_quote_gpc() is DEPRECATED, and addslashes() does the same thing as get_magic_quotes_gpc() automatically. A hex char is easy to filter; it just depends on whether GET or POST is in question: GET is decoded automatically, while POST isn't.
            I don't know a simple answer to that question. You should use htaccess before (but surely not excluding) PHP and take care on a per-case basis.

            Originally posted by StRiNg_MaStEr View Post
            I can bypass mysql_real_escape_string() and addslashes too.

            The best way to protect from SQLi is to install the latest version of mod_security.

            Only some pros can bypass it.
            It's one hex char.
            Last edited by arnage; 15.02.12, 16:07.
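The bf27 problem the question asks about and arnage's "one hex char" reply refer to, worked through as an added example in Python (this is not code from the thread; PHP's addslashes() is re-implemented here as addslashes_bytes so its byte-by-byte behaviour can be inspected). The names addslashes_bytes, count_bare_quotes, is_well_formed and escape_charset_aware are my own, and the sample input is constructed.

```python
def addslashes_bytes(data: bytes) -> bytes:
    """Byte-for-byte model of PHP's addslashes(): prefixes ' " \\ with a
    backslash and turns NUL into \\0. It never asks which charset the
    database connection uses, which is exactly the weakness."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            out += b"\\0"
        elif b in (0x27, 0x22, 0x5C):      # ' " \
            out += b"\\"
            out.append(b)
        else:
            out.append(b)
    return bytes(out)


def count_bare_quotes(escaped: bytes, charset: str) -> int:
    """Decode the escaped bytes the way a MySQL connection using `charset`
    would, then count single quotes that are not preceded by a backslash.
    A result above zero means the escaping did not survive that charset."""
    text = escaped.decode(charset, errors="replace")
    bare, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2          # the backslash consumes the next character
            continue
        if text[i] == "'":
            bare += 1
        i += 1
    return bare


def is_well_formed(data: bytes, charset: str) -> bool:
    """True if the raw bytes decode strictly in the given charset."""
    try:
        data.decode(charset)
        return True
    except UnicodeDecodeError:
        return False


def escape_charset_aware(data: bytes, charset: str) -> bytes:
    """Mitigation: decode strictly as the connection charset first (malformed
    input raises instead of slipping through), escape at the character level,
    then re-encode. This is the property mysql_real_escape_string() has when
    the connection charset was set through the client library."""
    text = data.decode(charset)
    escaped = "".join("\\" + ch if ch in "'\"\\" else ch for ch in text)
    return escaped.encode(charset)


# Constructed sample: the lead byte of a two-byte GBK character followed by a quote.
SAMPLE = b"\xbf\x27"

if __name__ == "__main__":
    escaped = addslashes_bytes(SAMPLE)
    print("addslashes output:", escaped)
    for cs in ("latin-1", "gbk"):
        print(cs, "bare quotes after escaping:", count_bare_quotes(escaped, cs))
    print("strictly well-formed gbk:", is_well_formed(SAMPLE, "gbk"))
```

In latin-1 the backslash addslashes inserted sits in front of the quote, so nothing is bare. In GBK the byte pair 0xbf 0x5c is one valid two-byte character, so the backslash is swallowed into it and the quote that follows is bare again; the escaping was correct at the byte level and wrong at the character level. Decoding strictly first catches the malformed pair outright, which is also why the thread's advice to prefer the connection-aware mysql_real_escape_string() holds only if the connection charset was set through mysql_set_charset() rather than a raw SET NAMES query, and why prepared statements, which never splice the value into SQL text at all, are the simpler fix.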


              #7
              Thanks for that arnage.

              Can I ask something about SQLi, guys? When does SQLi work? Does it work only in GET and POST?

              How about in this code:
              $id = 1234;

              $vars = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM db_user WHERE id='" . $id . "'"));
              Is it possible to attack the $id using SQLi or other attacks? Because the $id was not filtered; $id has the default value, which is 1234. Can a hacker change the value of $id?


                #8
                Originally posted by analyzer View Post
                Thanks for that arnage.

                Can I ask something about SQLi, guys? When does SQLi work? Does it work only in GET and POST?

                How about in this code:

                Is it possible to attack the $id using SQLi or other attacks? Because the $id was not filtered; $id has the default value, which is 1234. Can a hacker change the value of $id?
                Yup, it's possible.


                  #9
                  You are welcome. See this; it's just one article from the net, but you'll start to get a picture. ;)


                    #10
                    Thanks for your help guys. I now have more ideas on how to secure my site better :D


                      #11
                      Originally posted by StRiNg_MaStEr View Post
                      I can bypass mysql_real_escape_string() and addslashes too.
                      The best way to protect from SQLi is to install the latest version of mod_security.
                      Only some pros can bypass it.
                      Can you also bypass this?
                      PHP Code:
                      @$var = mysql_real_escape_string(strip_tags(htmlspecialchars($_POST['var'])));
                      ???
                      It's better to keep your mouth shut and give the impression that you're stupid, than to open it and remove all doubt.
                      ⓣⓗⓔ ⓠⓤⓘⓔⓣⓔⓡ ⓨⓞⓤ ⓑⓔ©ⓞⓜⓔ, ⓣⓗⓔ ⓜⓞⓡⓔ ⓨⓞⓤ ⓐⓡⓔ ⓐⓑⓛⓔ ⓣⓞ ⓗⓔⓐⓡ !
                      ιη тнєσяу, тнє ρяα¢тι¢є ιѕ α яєѕυℓт σƒ тнє тнєσяу, вυт ιη ρяα¢тι¢є ιѕ тнє σρρσѕιтє.
                      キノgんイノ刀g 4 ア乇ムc乇 ノ丂 レノズ乇 キucズノ刀g 4 √ノ尺gノ刀ノイリ!



                        #12
                        @analyzer, use mysql_real_escape_string; don't mind the idiots above telling you they can bypass it. Read coding practices and type casting at the PHP Security Consortium, then always watch what goes into the db. If you want to access an ID, make sure it's an integer!

                        $id = (int) $_GET['id'];

                        And always wrap SQL statements in quotes,

                        PHP Code:
                        $sql = "SELECT * FROM `users` WHERE `id`='{$id}'";
                        Read more at the site above.



                          #13
                          Originally posted by CreativityKills View Post
                          @analyzer, use mysql_real_escape_string; don't mind the idiots above telling you they can bypass it. Read coding practices and type casting at the PHP Security Consortium, then always watch what goes into the db. If you want to access an ID, make sure it's an integer!

                          $id = (int) $_GET['id'];

                          And always wrap SQL statements in quotes,

                          PHP Code:
                          $sql = "SELECT * FROM `users` WHERE `id`='{$id}'";
                          Read more at the site above.
                          Thanks for this bro. But I already have a function which is more than mysql_real_escape_string().

                          Ahm, what's the difference if I don't put quotes in my SQL statements, bro? Like this:
                          PHP Code:
                          $sql = "SELECT * FROM users WHERE id='{$id}'";


                            #14
                            Don't kid yourself; you can't possibly have a function better than that, because PHP native functions are extensively tested in different dev and production instances and environments, not to mention operating systems and server APIs, and with each release the functions are fixed in case of discovered bugs. How many environs and setups have you tested yours on? But suit yourself; as long as you're comfortable with your code, fine. The difference is, it's generally easier to inject SQL written without quotes, example:

                            PHP Code:
                            $username = 'admin';
                            $password = 'IDontKnowYourPasswordButNoMatter OR 1=1';

                            // This will login pretty nicely regardless of the password
                            $sql = "SELECT * FROM `users` WHERE username=$username AND password=$password";

                            // This won't
                            $sql = "SELECT * FROM `users` WHERE `username`='{$username}' AND `password`='{$password}'";
                            Added after 4 minutes:

                            Without quotes, it can execute the password entry as part of the query, hence the user can modify your query as s/he likes. With quotes, it doesn't, because it treats whatever is in quotes as a STRING and therefore not part of the executing query. Hope I explained well.
                            Last edited by CreativityKills; 21.02.12, 06:35.

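The two points CreativityKills makes above, casting IDs to an integer and keeping user values out of the SQL grammar, as an added example in Python with sqlite3 rather than the thread's PHP/mysql_* code (not code from the thread or from any poster). The users table, the names make_db, count_matches_concat, count_matches_param and user_by_id, and the test inputs are all constructed for this example. It also shows the caveat the thread skirts: quotes alone, with no escaping or binding, still leave the query open, which is why the advice to pair quotes with mysql_real_escape_string() matters, and why parameter binding is the cleaner answer.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the thread's `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "bob", "hunter2")])
    conn.commit()
    return conn


def count_matches_concat(conn: sqlite3.Connection, username: str, password: str) -> int:
    """The pattern to avoid: values spliced into the SQL text. They are
    quoted, as the thread recommends, but neither escaped nor bound, so a
    quote inside the value ends the string early and becomes SQL."""
    sql = f"SELECT COUNT(*) FROM users WHERE username='{username}' AND password='{password}'"
    return conn.execute(sql).fetchone()[0]


def count_matches_param(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Parameter binding: the driver sends the values separately from the
    statement, so nothing inside them can change the query's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()[0]


def user_by_id(conn: sqlite3.Connection, raw_id: str):
    """Integer IDs: validate and cast first (the thread's `(int) $_GET['id']`),
    rejecting anything that is not a whole number rather than silently
    turning it into 0 the way a bare cast would."""
    if not raw_id.strip().isdigit():
        return None
    return conn.execute("SELECT id, username FROM users WHERE id=?",
                        (int(raw_id),)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Constructed test value: a quote inside the password field.
    probe = "x' OR '1'='1"
    print("concat, quoted but unescaped:", count_matches_concat(db, "admin", probe))
    print("bound parameters:", count_matches_param(db, "admin", probe))
    print("numeric id:", user_by_id(db, "1"))
    print("non-numeric id:", user_by_id(db, "1 OR 1=1"))
```

The concatenated query matches every row because the quote in the value closes the string literal early; the bound version matches none because the same characters are compared as data. For the ID path, checking `isdigit()` before the cast is what makes the integer rule useful: a bare cast would turn any junk into 0 and quietly query the wrong row.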


                              #15
                              Yeah, you explained it well bro, thanks for your concern. You helped me a lot. =)