PHP sql security

I am using mysql_real_escape_string() for my variables, but while looking through my logs I noticed an input stream from someone who has entries like this:

${@print(md5(acunetix_wvs_security_test))}

1\" or (sleep(4)+1) limit 1 -- 

etc. A huge list of them.

Is he just trying and nothing happens? Or is my code not safe with just mysql_real_escape_string()?

EDIT: I don't see any damage, but most of the input areas on the site have been attempted many times. Wouldn't he stop if it didn't work once, realizing it was safe?

+3

3 answers


These records are from the Acunetix Web Vulnerability Scanner (see http://www.acunetix.com/vulnerability-scanner/ for details).

In short, it's just a robot that works on your website and checks for known security issues. As for your question, it is just trying. Even if your site is vulnerable, the scanner won't try to break anything, just report the vulnerabilities to verify your identity.



It might be better to check the logs later, because an automatic scan can be an automatic collection of information for someone who then tries to manually attack your site, with information from the automatic scan. But I don't know how important your application is.

EDIT: No, the scanner wouldn't stop. These scanners are not very smart and don't try to learn from previous results. They only work through a list of specific attacks and try them on every input/parameter they can find.

+8


It seems like someone is crawling your site with the Acunetix vulnerability scanner. Can you see any changes in your database data? If so, it was successful.

This tool is very powerful and is designed to find a lot of holes in scripts.



It's not enough to depend on mysql_real_escape_string() to search and redesign the site anymore. There are so many ways to invade a script; it's not just MySQL injection.

Learn more about PHP and MySQL security.

+1


If you use mysql_real_escape_string consistently, you should be safe from SQL injection.

Note that mysql_query gets deprecated in the future; you shouldn't use it anymore.

-2
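
The caveat behind the question's `sleep(4)` probe, as an added PHP example (not code from the question or from any of the answers): escaping only helps when the escaped value ends up inside quotes, and a prepared statement removes the problem entirely. It assumes a mysqli connection and a `users(id, name)` table; the probe string in the comments is a constructed, quote-free variant of the logged entry.

```php
<?php
// Added example, not code from the question or any answer. Uses the mysqli
// extension (the old mysql_* functions were removed in PHP 7); its
// real_escape_string() is the equivalent of mysql_real_escape_string().
// Assumed schema: a table `users` with integer column `id` and column `name`.

// Case 1: escaping applied, but the value is dropped into the SQL bare.
// Escaping only neutralises quote and backslash characters, so a probe that
// contains none of them passes through untouched.
function buildUnquotedQuery(mysqli $db, string $id): string
{
    $escaped = $db->real_escape_string($id);
    return "SELECT name FROM users WHERE id = $escaped";
}
// Constructed probe, a quote-free variant of the one seen in the logs:
//   $id = "1 or (sleep(4)+1) limit 1 -- "
// yields  SELECT name FROM users WHERE id = 1 or (sleep(4)+1) limit 1 --
// which MySQL executes; the four-second delay is what a time-based scanner
// measures to decide that the parameter is injectable.

// Case 2: escaping applied and the value is quoted. Here the escaping does
// its job: the payload stays inside the string literal and is never run as SQL.
function buildQuotedQuery(mysqli $db, string $id): string
{
    $escaped = $db->real_escape_string($id);
    return "SELECT name FROM users WHERE id = '$escaped'";
}

// Case 3: prepared statement. The value never becomes part of the SQL text,
// so the quoted/unquoted distinction cannot go wrong in the first place.
function findUserName(mysqli $db, string $id): ?string
{
    $stmt = $db->prepare("SELECT name FROM users WHERE id = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param("i", $id);   // "i": sent to MySQL as an integer parameter
    $stmt->execute();
    $stmt->bind_result($name);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $name : null;
}
```

Reviewing every query for the Case 1 pattern (an escaped value used without surrounding quotes) is the quickest way to answer the question's "is escaping enough" worry for an existing code base.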