close ad
 
Important WebAssist Announcement
open ad
View Menu

Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

rating

SQL Injection / Sanitation

Thread began 9/14/2017 2:19 pm by LionsMane | Last modified 2/13/2020 7:05 am by Ray Borduin | 2877 views | 9 replies |

LionsMane

SQL Injection / Sanitation

I'd like to learn more about how to protect against SQL Injection (and do better sanitation) when using these mySQLi behaviors. Do you have examples or suggestions you can recommend?

Sign in to reply to this post

LionsMane

Follow up

IN particular, I'd like to learn how to remove single ticks and quotation marks from values entered into a field before INSERT.

Sign in to reply to this post

Ray BorduinWebAssist

My'SQLi Server Behaviors uses prepared statements that are inherently injection proof. As long as you are using our server behaviors you shouldn't have to worry about it.

You can read more about how to prevent injection and how prepared statements work here:
https://websitebeaver.com/prepared-statements-in-php-mysqli-to-prevent-sql-injection

Sign in to reply to this post
Did this help? Tips are appreciated...

Mags

Hi Ray, I recently built a new section on an existing site using SA/mySQLi server behaviors. The client has had a penetration test done and it's come back showing a high impact/high probability of SQL injection which I need to fix urgently. However reading the material on the link above, although I think I understand how it can happen, I'm not sure how to fix it - and particularly if, as you say, the mySQLi server behaviors use prepared statements anyway! Would it be the login page I would need to update? I've attached a copy for info.

Sign in to reply to this post

Ray BorduinWebAssist

I don't see any vulnerability on this page. It does use prepared statements, so SQL injection shouldn't be possible. I don't see any hand coding that would have opened any vulnerabilities. Can I get a copy of the report that says there is a problem? Does it have any details?

Sign in to reply to this post
Did this help? Tips are appreciated...

Mags

Hi Ray, yes I have a 174-page document to go through with everything that was picked up! :-( See PM.

Sign in to reply to this post

Ray BorduinWebAssist

I don't see the attachment. I may want the FTP information, but I'd like to see the relevant error first.

Sign in to reply to this post
Did this help? Tips are appreciated...

Mags

Attaching again, this time as a PDF - hope it gets to you OK.

Sign in to reply to this post

Ray BorduinWebAssist

This is a false positive and isn't a real SQL injection hole. It is detecting that these two urls return a different result and it assumes that is because it is getting information from the database.

https://www.yoursite.co.uk/theagency/index.php?&accesscheck=/theagency/inde x.php?-1' AND 'yUOyV'='pVXHK' OR 'yUOyV'='yUOyV' OR '1234'='747235

https://www.yoursite.co.uk/theagency/index.php?&accesscheck=/theagency/inde x.php?-1' AND 'oQqtS'='llomj' OR 'oQqtS'='llomj' OR '1234'='734102

However, if you follow those two links the pages are different because one is going to a 404 page, not because any information is coming from the database. That means this isn't really an issue.

Sign in to reply to this post
Did this help? Tips are appreciated...

Mags

Thanks Ray, I'll pass this on. See PM too.

Sign in to reply to this post
loading

Build websites with a little help from your friends

Your friends over here at WebAssist! These Dreamweaver extensions will assist you in building unlimited, custom websites.

Build websites from already-built web applications

These out-of-the-box solutions provide you proven, tested applications that can be up and running now.  Build a store, a gallery, or a web-based email solution.

Want your website pre-built and hosted?

Close Windowclose

Rate your experience or provide feedback on this page

Account or customer service questions?
Please user our contact form.

Need technical support?
Please visit support to ask a question

Content

rating

Layout

rating

Ease of use

rating

security code refresh image

We do not respond to comments submitted from this page directly, but we do read and analyze any feedback and will use it to help make your experience better in the future.

Close Windowclose

We were unable to retrieve the attached file

Close Windowclose

Attach and remove files

add attachmentAdd attachment
Close Windowclose

Enter the URL you would like to link to in your post

Close Windowclose

This is how you use right click RTF editing

Enable right click RTF editing option allows you to add html markup into your tutorial such as images, bulleted lists, files and more...

-- click to close --

Uploading file...