SQL Injection Protection Mod

This forum is now closed as part of retiring phpBB2
Dev222
Registered User
Posts: 123
Joined: Mon Aug 15, 2005 10:22 pm

SQL Injection Protection Mod

Post by Dev222 » Wed Mar 21, 2007 10:23 am

Is there, or could there be, a MOD that would go in the header of PHP pages and check all GET and POST variables for possible SQL injection attempts?

I know that the best way for security from SQL so far is to update to the latest version of phpBB. However, there are times that phpBB updates too often and the webmaster might not be able to do the update right away. Or there are phpBB installations that have several MODs. Maybe some security hole exists in one of those MODs and nobody knows about it, or the MOD was corrected but the webmaster was never informed that he should update that MOD, etc.

So I think some form of universal script that would protect from all SQL injection vulnerabilities, including those in MODs and including those that are not found yet, would be great.

dapaintballer333
Registered User
Posts: 177
Joined: Sat Oct 23, 2004 4:02 pm

Re: SQL Injection Protection Mod

Post by dapaintballer333 » Wed Mar 21, 2007 6:31 pm

The latest PHP versions should protect you, by automatically adding sessions.

Having phpBB, in every file, decode HTML special characters, then addslashes, etc., would be more secure, but I wouldn't worry too much.

Try installing "phpbb_security", I've used it for a while.

Zarath
Registered User
Posts: 736
Joined: Fri Dec 06, 2002 9:01 am

Re: SQL Injection Protection Mod

Post by Zarath » Wed Mar 21, 2007 9:56 pm

To prevent SQL injections on my forum, I personally added a DBAL layer check on all input queries and the source script for the query. If any query attempts to access user_password from a non-allowed page (login, register, etc) it will automatically kill the script. :)

It's not an overall prevention, but it blocks the main probability of attack through SQL injection.

3Di
Former Team Member
Posts: 14062
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: SQL Injection Protection Mod

Post by 3Di » Wed Mar 21, 2007 10:05 pm

Zarath wrote: To prevent SQL injections on my forum, I personally added a DBAL layer check on all input queries and the source script for the query. If any query attempts to access user_password from a non-allowed page (login, register, etc) it will automatically kill the script. :)

It's not an overall prevention, but it blocks the main probability of attack through SQL injection.


You're quite surprising me; registered since 2002, I see... hmm, please don't tell me you're not aware of the purpose of this forum? Well, just as a reminder and to cut a long story short: if you have the code/MOD to post here for the poster, then go ahead, but please stop advertising your website instead of... you know.
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
👨‍🏫 | Take a tour to | The Studio | 👨‍🏫

Paul
Infrastructure Team Leader
Posts: 25317
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier

Re: SQL Injection Protection Mod

Post by Paul » Wed Mar 21, 2007 10:09 pm

dapaintballer333 wrote: The latest PHP versions should protect you, by automatically adding sessions.

Having phpBB, in every file, decode HTML special characters, then addslashes, etc., would be more secure, but I wouldn't worry too much.

Try installing "phpbb_security", I've used it for a while.

phpBB Security and Cracker Tracker aren't safe; they give no more security.
Zarath wrote: To prevent SQL injections on my forum, I personally added a DBAL layer check on all input queries and the source script for the query. If any query attempts to access user_password from a non-allowed page (login, register, etc) it will automatically kill the script. :)

It's not an overall prevention, but it blocks the main probability of attack through SQL injection.

Selecting user_password isn't the only way to do SQL injection; dropping tables is also possible. You should not modify the DBAL; you should edit the source and add correct checks there.

Argh, now I am also going off-topic here :/
Knock knock
Race condition
Who's there?

My Blog • My Photos • my phpBB Extensions • custom phpBB work & Development
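The DBAL-layer check Zarath describes, and Paul's objection that user_password is not the only thing an injection can go after, as an added example. This is not code from the thread, from phpBB or from any MOD: phpBB2 is PHP, and the same logic is modelled here in Python over an in-memory SQLite database so it runs stand-alone. The allow-list of scripts, the table layout, the sample rows (not real hashes) and the hypothetical viewprofile.php query are all constructed for the illustration.

```python
import sqlite3

# Scripts allowed to read the hash column. Constructed for this example,
# modelled on the "login, register, etc." allow-list described in the thread.
ALLOWED_SCRIPTS = {"login.php", "register.php"}


def make_db():
    """Constructed sample data standing in for phpbb_users; not real hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, "
        "user_password TEXT, user_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO phpbb_users VALUES (?, ?, ?, ?)",
        [
            (1, "admin", "hash_of_admin", "admin@example.invalid"),
            (2, "alice", "hash_of_alice", "alice@example.invalid"),
        ],
    )
    return conn


def guarded_query(conn, sql, script):
    """DBAL-layer check: refuse any query that mentions user_password unless
    it was issued by an allowed script. Everything else runs unchanged."""
    if "user_password" in sql.lower() and script not in ALLOWED_SCRIPTS:
        raise PermissionError(f"{script}: query touching user_password refused")
    return conn.execute(sql).fetchall()


def view_profile(conn, user_id_param, script="viewprofile.php"):
    """phpBB2-style query built by string concatenation of a request
    parameter (deliberately unsafe; this is the hole the check sits behind)."""
    sql = (
        "SELECT username, user_email FROM phpbb_users "
        f"WHERE user_id = {user_id_param}"
    )
    return guarded_query(conn, sql, script)


def demo():
    """Run one legitimate request and two injected ones through the check."""
    conn = make_db()
    out = {}
    out["legit"] = view_profile(conn, "2")

    # Injection aimed at the hashes: the string "user_password" appears in the
    # final SQL, so the check kills the script.
    try:
        view_profile(conn, "2 UNION SELECT username, user_password FROM phpbb_users")
        out["hash_grab"] = "allowed"
    except PermissionError:
        out["hash_grab"] = "killed"

    # Same hole, different target: nothing in the SQL names user_password, so
    # the check is blind to it and every e-mail address comes back.
    out["email_grab"] = view_profile(
        conn, "0 UNION SELECT username, user_email FROM phpbb_users"
    )
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The check does what Zarath says it does: the hash-grabbing payload is refused. But the unsafe concatenation in view_profile is still there, and any payload that does not spell out the one guarded column name goes straight through, which is Paul's point. A guard that inspects finished SQL can only recognise targets it was told about; the fix has to be at the place where the request parameter is turned into SQL.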

Dev222
Registered User
Posts: 123
Joined: Mon Aug 15, 2005 10:22 pm

Re: SQL Injection Protection Mod

Post by Dev222 » Thu Mar 22, 2007 1:35 am

So it is not possible to have some sort of universal SQL injection protection?

3Di
Former Team Member
Posts: 14062
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: SQL Injection Protection Mod

Post by 3Di » Thu Mar 22, 2007 5:36 am

Dev222 wrote: So it is not possible to have some sort of universal SQL injection protection?


Your best bet is to stay updated to the latest phpBB (currently 2.0.22) and install only MODs available from our MODDB. The phpBB MOD Team checks for any vulnerability and much more before validating any MOD.

Avoid downloading MODs from sites other than this one; who knows what you could get from them?

Alternatively, turning off your PC should do the trick too... just kidding here. ;-)
paul999 wrote: Argh, now I am also going off-topic here :/

:)

Zarath
Registered User
Posts: 736
Joined: Fri Dec 06, 2002 9:01 am

Re: SQL Injection Protection Mod

Post by Zarath » Fri Mar 23, 2007 5:21 am

I'm aware there are other methods of SQL injection... I have DROP permission disabled for the user that's used to access the database. But blocking people from accessing the user_password field at the very least prevents people from accessing password hashes, which would be the hardest thing to recover from. (I run regular SQL backups, so if anything was deleted/dropped I can restore it... But making people change their passwords is more of a task.)

In regards to editing the DBAL, I don't see why I shouldn't edit this -- is there a reason you said I shouldn't? I'm not some novice coder, it's not like I'm going to destroy my forum; it's a very simple check on queries. I also have another edit to the DBAL to log SQL errors that are generated.

RMcGirr83
Recognised Extension Developer
Posts: 21034
Joined: Wed Jun 22, 2005 4:33 pm
Location: Your display
Name: Rich McGirr

Re: SQL Injection Protection Mod

Post by RMcGirr83 » Fri Mar 23, 2007 2:26 pm

paul999 wrote: ...and Cracker Tracker aren't safe; they give no more security.


Expound, please.
In times of change, learners inherit the earth, while the learned find themselves beautifully equipped to deal with a world that no longer exists - Eric Hoffer
Former Modifications/Extensions Team Member | My extensions
Appreciate the extensions/mods/support then buy me a beer
All requests for support via PM will be ignored

3Di
Former Team Member
Posts: 14062
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco

Re: SQL Injection Protection Mod

Post by 3Di » Fri Mar 23, 2007 6:29 pm

RMcGirr83 wrote:
paul999 wrote: ...and Cracker Tracker aren't safe; they give no more security.


Expound, please.


Basically, it doesn't do what it's claiming to.

TerraFrost
Former Team Member
Posts: 5957
Joined: Sun Dec 26, 2004 3:40 am
Location: Austin, TX

Re: SQL Injection Protection Mod

Post by TerraFrost » Fri Mar 23, 2007 7:11 pm

Dev222 wrote: So I think some form of universal script that would protect from all SQL injection vulnerabilities, including those in MODs and including those that are not found yet, would be great.

From the DBMS's perspective, there's no difference between an SQL-injected query and a legit SQL query. On the PHP side, you could look at $_GET / $_POST / etc., but in the end, all that will ever be is a kludge. There really is no substitute for upgrading, and anything that makes you feel comfortable not upgrading is ultimately, in the end, going to do more harm than good.

If you're stressing because you haven't yet updated to a new version of phpBB, good. Stay stressed. It'll motivate you that much more to update :)
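The header-level GET/POST filter Dev222 asked for, set beside the per-script check Paul recommends and TerraFrost's point that request filtering is a kludge, as an added example. This is not code from the thread, from phpBB or from any MOD; the deny-list patterns, the table and rows, and the hypothetical lookup functions are constructed for it, and the PHP logic is modelled in Python over SQLite so it runs stand-alone.

```python
import re
import sqlite3

# The request-level deny-list a "header" MOD would apply to every GET/POST
# value. The patterns are this example's own; they are not taken from any
# real MOD.
DENY = re.compile(r"'|--|;|/\*|\bunion\s+select\b", re.IGNORECASE)


def header_filter(params):
    """Return the names of request parameters that trip the deny-list."""
    return [name for name, value in params.items() if DENY.search(value)]


def make_db():
    """Constructed sample rows standing in for phpbb_users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phpbb_users (user_id INTEGER, username TEXT)")
    conn.executemany(
        "INSERT INTO phpbb_users VALUES (?, ?)", [(1, "admin"), (2, "alice")]
    )
    return conn


def vulnerable_lookup(conn, user_id_param):
    """phpBB2-style concatenation of a numeric parameter (deliberately unsafe)."""
    sql = f"SELECT user_id, username FROM phpbb_users WHERE user_id = {user_id_param}"
    return conn.execute(sql).fetchall()


def fixed_lookup(conn, user_id_param):
    """The per-query fix made in the script itself: force the expected type,
    then hand the value to the driver as a bound parameter rather than text."""
    user_id = int(user_id_param)  # ValueError on anything that is not a number
    return conn.execute(
        "SELECT user_id, username FROM phpbb_users WHERE user_id = ?", (user_id,)
    ).fetchall()


def demo():
    """Show the filter missing a payload, rejecting legitimate input, and the
    query-site fix handling both correctly."""
    conn = make_db()
    out = {}

    # 1. A numeric-context payload: no quote, no comment, no UNION. The filter
    #    sees nothing wrong; the concatenated query returns every user.
    payload = {"u": "2 OR 1=1"}
    out["filter_flags_payload"] = header_filter(payload)
    out["rows_leaked"] = vulnerable_lookup(conn, payload["u"])

    # 2. Legitimate input that the same filter rejects: a surname with an
    #    apostrophe would never reach the script.
    out["filter_flags_legit"] = header_filter({"username": "O'Brien"})

    # 3. The check at the query site: the payload is refused before any SQL
    #    is built, and a real id still works.
    try:
        fixed_lookup(conn, payload["u"])
        out["fixed"] = "ran"
    except ValueError:
        out["fixed"] = "rejected"
    out["fixed_legit"] = fixed_lookup(conn, "2")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The filter fails in both directions at once: it lets through a payload that never uses a character on its list, and it blocks a perfectly ordinary name. Tightening the list (adding OR, =, digits...) only moves the line, because the filter has no idea which parameter will end up inside a number, a quoted string or an identifier. The check that works knows exactly that, because it sits next to the query: cast numeric parameters, and bind or properly escape string ones. That is the "edit the source and add correct checks there" the thread ends on, and it is also what an upgrade delivers for every query at once.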

Return to “[2.0.x] MOD Requests”