SQL Injection Protection Mod

Posted: Wed Mar 21, 2007 10:23 am
by Dev222
Is there, or could there be, a mod that would go in the header of php pages and check all GET and POST variables for possible SQL injection attempts?

I know that the best way for security from SQL so far is to update to the latest version of phpbb. However there are times that phpbb updates too often and the webmaster might not be able to do the update right away. Or there are phpbb installations that have several mods. Maybe some security hole exists in one of those mods and nobody knows about it, or the mod was corrected but the webmaster was never informed that he should update that mod etc.

So I think some form of universal script that would protect from all SQL injection vulnerabilities, including those in mods and including those that are not found yet, would be great.

Re: SQL Injection Protection Mod

Posted: Wed Mar 21, 2007 6:31 pm
by dapaintballer333
the latest php versions should protect you, by automatically adding sessions.

having phpbb, in every file, decode html-special characters, then addslashes, etc, it would be more secure, but I wouldn't worry too much.

Try installing "phpbb_security", I've used it for a while.

Re: SQL Injection Protection Mod

Posted: Wed Mar 21, 2007 9:56 pm
by Zarath
To prevent SQL injections on my forum, I personally added a DBAL layer check on all input queries and the source script for the query. If any query attempts to access user_password from a non-allowed page (login, register, etc) it will automatically kill the script. :)

It's not an overall prevention, but it blocks the main probability of attack through SQL injection.

Re: SQL Injection Protection Mod

Posted: Wed Mar 21, 2007 10:05 pm
by 3Di
Zarath wrote: To prevent SQL injections on my forum, I personally added a DBAL layer check on all input queries and the source script for the query. If any query attempts to access user_password from a non-allowed page (login, register, etc) it will automatically kill the script. :)

It's not an overall prevention, but it blocks the main probability of attack through SQL injection.


You're quite surprising me, registered since 2002 I see... hmm, please don't tell me you're not aware of the purpose of this Forum? Well, just as a reminder and to cut a long history short: if you have the code/MOD to post here for the Poster then go ahead, but please stop advertising your website instead of... you know.

Re: SQL Injection Protection Mod

Posted: Wed Mar 21, 2007 10:09 pm
by Paul
dapaintballer333 wrote: the latest php versions should protect you, by automatically adding sessions.

having phpbb, in every file, decode html-special characters, then addslashes, etc, it would be more secure, but I wouldn't worry too much.

Try installing "phpbb_security", I've used it for a while.

phpbb security and cracker tracker aren't safe, they give no more security.
Zarath wrote: To prevent SQL injections on my forum, I personally added a DBAL layer check on all input queries and the source script for the query. If any query attempts to access user_password from a non-allowed page (login, register, etc) it will automatically kill the script. :)

It's not an overall prevention, but it blocks the main probability of attack through SQL injection.

Selecting user_password isn't the only way to do SQL injection, dropping tables is also possible. You should not modify the DBAL, you should edit the source and there add correct checks.

Argh, now I am also going offtopic here :/

Re: SQL Injection Protection Mod

Posted: Thu Mar 22, 2007 1:35 am
by Dev222
So it is not possible to have some sort of universal SQL injection protection?

Re: SQL Injection Protection Mod

Posted: Thu Mar 22, 2007 5:36 am
by 3Di
Dev222 wrote: So it is not possible to have some sort of universal SQL injection protection?


Your best bet is to stay updated to the latest phpBB (currently 2.0.22) and install only MODs available from our MODDB. The phpBB MOD Team checks for any vulnerability and much more before validating any MOD.

Avoid downloading MODs from sites other than this one; who knows what you might get?

Alternatively turning off your PC should do the trick too.. just kidding here. ;-)
paul999 wrote: Argh, now i am also going offtopic here :/

:)

Re: SQL Injection Protection Mod

Posted: Fri Mar 23, 2007 5:21 am
by Zarath
I'm aware there are other methods of SQL injection... I have DROP permission disabled for the user that's used to access the database. But blocking people from accessing the user_password field at the very least stops people from accessing password hashes, which would be the hardest thing to recover from. (I run regular SQL backups, so if anything was deleted/dropped I can restore it... But making people change their passwords is more of a task).

In regards to editing the DBAL, I don't see why I shouldn't edit this -- is there a reason you said I shouldn't? I'm not some novice coder, it's not like I'm going to destroy my forum, it's a very simple check on queries. I also have another edit to the DBAL to log SQL errors that are generated.

Re: SQL Injection Protection Mod

Posted: Fri Mar 23, 2007 2:26 pm
by RMcGirr83
paul999 wrote: ....and cracker tracker aren't safe, they give no more security.


Expound, please.

Re: SQL Injection Protection Mod

Posted: Fri Mar 23, 2007 6:29 pm
by 3Di
RMcGirr83 wrote:
paul999 wrote: ....and cracker tracker aren't safe, they give no more security.


Expound, please.


Basically it doesn't do what it's claiming to.

Re: SQL Injection Protection Mod

Posted: Fri Mar 23, 2007 7:11 pm
by TerraFrost
So I think some form of universal script that would protect from all SQL injection vulnerabilities, including those in mods and including those that are not found yet, would be great.

From the DBMS's perspective, there's no difference between an SQL injected query and a legit SQL query. On the PHP side, you could look at $_GET / $_POST / etc, but in the end, all that will ever be is a kludge. There really is no substitute for upgrading, and anything that makes you feel comfortable not upgrading is ultimately, in the end, going to do more harm than good.

If you're stressing because you haven't yet updated to a new version of phpBB, good. Stay stressed. It'll motivate you that much more to update :)
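The following is an added example, not code from this thread or from phpBB itself, illustrating two points made above: Paul's advice to put correct checks at the query site in the source rather than patching the DBAL, and TerraFrost's point that inspecting $_GET/$_POST in a header is a kludge because the DBMS cannot tell injected SQL from legitimate SQL. It assumes PHP's PDO extension with the SQLite driver (an in-memory database stands in for the forum tables) and uses constructed sample values in place of real request parameters; none of the table layouts or function names are phpBB's own.

```php
<?php
// Added example (not phpBB code). Compares splicing raw request input into
// SQL with per-query checks: an integer cast for an id column and a bound
// parameter for a string column.
// Assumption: PDO with the pdo_sqlite driver is available.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: topic 2 lives in a forum the visitor may not read.
$db->exec('CREATE TABLE topics (topic_id INTEGER PRIMARY KEY, topic_title TEXT, forum_id INTEGER)');
$db->exec("INSERT INTO topics VALUES (1, 'Welcome', 1), (2, 'Staff only', 99)");
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'O''Brien')");

// Unsafe: the request value is trusted and concatenated into the statement.
// A header-level filter on $_GET/$_POST would have to anticipate every
// shape of input that changes the meaning of this string.
function topic_title_unsafe(PDO $db, $topic_id) {
    $sql = "SELECT topic_title FROM topics WHERE topic_id = $topic_id AND forum_id = 1";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the check belongs next to the query. An id is an integer, so it is
// cast to one before use; the DBMS only ever sees a number here.
function topic_title_safe(PDO $db, $topic_id) {
    $topic_id = (int) $topic_id;
    $stmt = $db->prepare('SELECT topic_title FROM topics WHERE topic_id = :id AND forum_id = 1');
    $stmt->execute([':id' => $topic_id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// For free-form strings a bound parameter keeps data and SQL separate, so a
// legitimate apostrophe in a name neither breaks the query nor needs a
// header filter to strip or reject it.
function user_exists_safe(PDO $db, $username) {
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    return (int) $stmt->fetchColumn();
}

// Constructed sample inputs, standing in for values a request might carry.
$not_an_integer = '2 OR 1=1';
var_dump(topic_title_unsafe($db, $not_an_integer)); // both titles: the extra clause widened the query
var_dump(topic_title_safe($db, $not_an_integer));   // empty: (int) gives 2, and topic 2 is not in forum 1
var_dump(user_exists_safe($db, "O'Brien"));         // 1: the apostrophe is plain data to the DBMS
```

The restricted-forum leak in the unsafe variant is the same class of problem Zarath's user_password check targets, but the cast and the bound parameter stop it for every column and every page, without touching the DBAL.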