Solved

PHP MYSQL injection

Posted on 2010-09-10
12
894 Views
Last Modified: 2012-05-10
How do I prevent PHP MySQL injection on a CentOS server?

It's affecting all my sites on the server.

Please advise.
Thanks.
0
Comment
Question by:whspider
12 Comments
 
LVL 6

Accepted Solution

by:
PJBX earned 125 total points
0
 

Author Comment

by:whspider
for PHP also please?
0
 

Author Comment

by:whspider
i.e. for an iframe injection
0
 
LVL 6

Assisted Solution

by:apresence
apresence earned 125 total points
You can escape any HTML characters using this function:
http://php.net/manual/en/function.htmlspecialchars.php
0
 
LVL 3

Expert Comment

by:jchook
You can also strip unwanted HTML tags out of the user input.

See this page and its comments:
http://us.php.net/manual/en/function.strip-tags.php

0
 
LVL 3

Expert Comment

by:jchook
Follow-up: Here is a better function than strip_tags found within the comments of that page.

The arguments are:
- $i_html - the HTML string to be parsed
- $i_allowedtags - an array of allowed tag names
- $i_trimtext - whether or not to strip all text outside of the allowed tags
<?php

/**
 * Function courtesy of lucky760 at VideoSift dot com
 *
 * Keeps only the tags listed in $i_allowedtags. With $i_trimtext = TRUE the
 * text outside the allowed tags is dropped too and only the tags are returned.
 * Note that only the tags themselves are removed, not the text between them.
 */
function real_strip_tags($i_html, $i_allowedtags = array(), $i_trimtext = FALSE) {
  if (!is_array($i_allowedtags))
    $i_allowedtags = !empty($i_allowedtags) ? array($i_allowedtags) : array();

  // The pattern below is case-insensitive (<P> matches like <p>), so compare
  // tag names in lower case; the original compared case-sensitively.
  $i_allowedtags = array_map('strtolower', $i_allowedtags);
  $tags = implode('|', $i_allowedtags);

  if (empty($tags))
    $tags = '[a-z]+';

  preg_match_all('@</?\s*(' . $tags . ')(\s+[a-z_]+=(\'[^\']+\'|"[^"]+"))*\s*/?>@i', $i_html, $matches);

  $full_tags = $matches[0];
  $tag_names = $matches[1];

  foreach ($full_tags as $i => $full_tag) {
    if (!in_array(strtolower($tag_names[$i]), $i_allowedtags)) {
      if ($i_trimtext)
        unset($full_tags[$i]);
      else
        $i_html = str_replace($full_tag, '', $i_html);
    }
  }

  return $i_trimtext ? implode('', $full_tags) : $i_html;
}

// Example Usage ($html is a constructed sample; it was undefined in the original snippet)
$html = '<p>Hello <b>world</b><script>alert(1)</script></p>';
$allowed_tags = array('p','a','b','i','u','br','div','hr','ul','ol','li');
$good_html = real_strip_tags($html, $allowed_tags);

0
 
LVL 3

Expert Comment

by:jchook
Also, one more follow-up, this is the XSS (cross-site-scripting) filter from CodeIgniter (open source PHP Framework, see http://codeigniter.com/ )

NOTE: This will not work on its own. You must look at the Input library from codeigniter/system/libraries/Input.php and adapt its methods to your application.
<?php

/**
* XSS Clean
*
* Sanitizes data so that Cross Site Scripting Hacks can be
* prevented.  This function does a fair amount of work but
* it is extremely thorough, designed to prevent even the
* most obscure XSS attempts.  Nothing is ever 100% foolproof,
* of course, but I haven't been able to get anything passed
* the filter.
*
* Note: This function should only be used to deal with data
* upon submission.  It's not something that should
* be used for general runtime processing.
*
* This function was based in part on some code and ideas I
* got from Bitflux: http://blog.bitflux.ch/wiki/XSS_Prevention
*
* To help develop this script I used this great list of
* vulnerabilities along with a few other hacks I've
* harvested from examining vulnerabilities in other programs:
* http://ha.ckers.org/xss.html
*
* @access public
* @param  string
* @return string
*/
function xss_clean($str, $is_image = FALSE)
{
  /*
  * Is the string an array?
  *
  */
  if (is_array($str))
  {
    while (list($key) = each($str))
    {
      $str[$key] = $this->xss_clean($str[$key]);
    }

    return $str;
  }

  /*
  * Remove Invisible Characters
  */
  $str = $this->_remove_invisible_characters($str);

  /*
  * Protect GET variables in URLs
  */

  // 901119URL5918AMP18930PROTECT8198

  $str = preg_replace('|\&([a-z\_0-9]+)\=([a-z\_0-9]+)|i', $this->xss_hash()."\\1=\\2", $str);

  /*
  * Validate standard character entities
  *
  * Add a semicolon if missing.  We do this to enable
  * the conversion of entities to ASCII later.
  *
  */
  $str = preg_replace('#(&\#?[0-9a-z]{2,})([\x00-\x20])*;?#i', "\\1;\\2", $str);

  /*
  * Validate UTF16 two byte encoding (x00) 
  *
  * Just as above, adds a semicolon if missing.
  *
  */
  $str = preg_replace('#(&\#x?)([0-9A-F]+);?#i',"\\1\\2;",$str);

  /*
  * Un-Protect GET variables in URLs
  */
  $str = str_replace($this->xss_hash(), '&', $str);

  /*
  * URL Decode
  *
  * Just in case stuff like this is submitted:
  *
  * <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
  *
  * Note: Use rawurldecode() so it does not remove plus signs
  *
  */
  $str = rawurldecode($str);

  /*
  * Convert character entities to ASCII 
  *
  * This permits our tests below to work reliably.
  * We only convert entities that are within tags since
  * these are the ones that will pose security problems.
  *
  */

  $str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str);

  $str = preg_replace_callback("/<\w+.*?(?=>|<|$)/si", array($this, '_html_entity_decode_callback'), $str);

  /*
  * Remove Invisible Characters Again!
  */
  $str = $this->_remove_invisible_characters($str);

  /*
  * Convert all tabs to spaces
  *
  * This prevents strings like this: ja vascript
  * NOTE: we deal with spaces between characters later.
  * NOTE: preg_replace was found to be amazingly slow here on large blocks of data,
  * so we use str_replace.
  *
  */

  if (strpos($str, "\t") !== FALSE)
  {
    $str = str_replace("\t", ' ', $str);
  }

  /*
  * Capture converted string for later comparison
  */
  $converted_string = $str;

  /*
  * Not Allowed Under Any Conditions
  */

  foreach ($this->never_allowed_str as $key => $val)
  {
    $str = str_replace($key, $val, $str);   
  }

  foreach ($this->never_allowed_regex as $key => $val)
  {
    $str = preg_replace("#".$key."#i", $val, $str);   
  }

  /*
  * Makes PHP tags safe
  *
  *  Note: XML tags are inadvertently replaced too:
  *
  * <?xml
  *
  * But it doesn't seem to pose a problem.
  *
  */
  if ($is_image === TRUE)
  {
    // Images have a tendency to have the PHP short opening and closing tags every so often
    // so we skip those and only do the long opening tags.
    $str = preg_replace('/<\?(php)/i', "&lt;?\\1", $str);
  }
  else
  {
    $str = str_replace(array('<?', '?'.'>'),  array('&lt;?', '?&gt;'), $str);
  }

  /*
  * Compact any exploded words
  *
  * This corrects words like:  j a v a s c r i p t
  * These words are compacted back to their correct state.
  *
  */
  $words = array('javascript', 'expression', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
  foreach ($words as $word)
  {
    $temp = '';

    for ($i = 0, $wordlen = strlen($word); $i < $wordlen; $i++)
    {
      $temp .= substr($word, $i, 1)."\s*";
    }

    // We only want to do this when it is followed by a non-word character
    // That way valid stuff like "dealer to" does not become "dealerto"
    $str = preg_replace_callback('#('.substr($temp, 0, -3).')(\W)#is', array($this, '_compact_exploded_words'), $str);
  }

  /*
  * Remove disallowed Javascript in links or img tags
  * We used to do some version comparisons and use of stripos for PHP5, but it is dog slow compared
  * to these simplified non-capturing preg_match(), especially if the pattern exists in the string
  */
  do
  {
    $original = $str;

    if (preg_match("/<a/i", $str))
    {
      $str = preg_replace_callback("#<a\s+([^>]*?)(>|$)#si", array($this, '_js_link_removal'), $str);
    }

    if (preg_match("/<img/i", $str))
    {
      $str = preg_replace_callback("#<img\s+([^>]*?)(\s?/?>|$)#si", array($this, '_js_img_removal'), $str);
    }

    if (preg_match("/script/i", $str) OR preg_match("/xss/i", $str))
    {
      $str = preg_replace("#<(/*)(script|xss)(.*?)\>#si", '[removed]', $str);
    }
  }
  while($original != $str);

  unset($original);

  /*
  * Remove JavaScript Event Handlers
  *
  * Note: This code is a little blunt.  It removes
  * the event handler and anything up to the closing >,
  * but it's unlikely to be a problem.
  *
  */
  $event_handlers = array('[^a-z_\-]on\w*','xmlns');

  if ($is_image === TRUE)
  {
    /*
    * Adobe Photoshop puts XML metadata into JFIF images, including namespacing, 
    * so we have to allow this for images. -Paul
    */
    unset($event_handlers[array_search('xmlns', $event_handlers)]);
  }

  $str = preg_replace("#<([^><]+?)(".implode('|', $event_handlers).")(\s*=\s*[^><]*)([><]*)#i", "<\\1\\4", $str);

  /*
  * Sanitize naughty HTML elements
  *
  * If a tag containing any of the words in the list
  * below is found, the tag gets converted to entities.
  *
  * So this: <blink>
  * Becomes: &lt;blink&gt;
  *
  */
  $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
  $str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);

  /*
  * Sanitize naughty scripting elements
  *
  * Similar to above, only instead of looking for
  * tags it looks for PHP and JavaScript commands
  * that are disallowed.  Rather than removing the
  * code, it simply converts the parenthesis to entities
  * rendering the code un-executable.
  *
  * For example:  eval('some code')
  * Becomes:    eval&#40;'some code'&#41;
  *
  */
  $str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2&#40;\\3&#41;", $str);

  /*
  * Final clean up
  *
  * This adds a bit of extra precaution in case
  * something got through the above filters
  *
  */
  foreach ($this->never_allowed_str as $key => $val)
  {
    $str = str_replace($key, $val, $str);   
  }

  foreach ($this->never_allowed_regex as $key => $val)
  {
    $str = preg_replace("#".$key."#i", $val, $str);
  }

  /*
  *  Images are Handled in a Special Way
  *  - Essentially, we want to know that after all of the character conversion is done whether
  *  any unwanted, likely XSS, code was found.  If not, we return TRUE, as the image is clean.
  *  However, if the string post-conversion does not matched the string post-removal of XSS,
  *  then it fails, as there was unwanted XSS code found and removed/changed during processing.
  */

  if ($is_image === TRUE)
  {
    if ($str == $converted_string)
    {
      return TRUE;
    }
    else
    {
      return FALSE;
    }
  }

  log_message('debug', "XSS Filtering completed");
  return $str;
}
?>


0
 
LVL 34

Assisted Solution

by:Beverley Portlock
Beverley Portlock earned 125 total points
I think that the first thing you need to do is see if we can work out HOW the hijacking is occurring.

1. Look at php.ini and see if register_globals is ON. If so then this is the first thing to turn off. However doing so may affect your websites if you have been relying on this feature.

2. Scan your folders. Log in via SSH and look for .htaccess files. If they are in places you do NOT expect to find them then that particular domain is probably the point of entry and the code for it deserves special attention. Use something like

find /path/to/webroot/ -name '.htaccess'

also search for phpshell.php and c99.php and remove any of them that you find. Google these terms for more information.


Next do some hardening...

3. Edit PHP.INI and set disable_functions = shell,exec,passthru,system....etc basically do everything listed on here http://uk.php.net/manual/en/function.shell-exec.php Google for a longer.

4. Edit each virtualhost and turn open_basedir on and restrict each website to its own folder by adding lines like these

php_admin_flag engine on
php_admin_value open_basedir "/path/to/domain/folder"

The above changes will make it harder to infect you and will help limit the infection to a smaller set of folders.

5. Assume that your root password is compromised and change it. Be careful you don't lock yourself out of the server doing this.

6. Delete all unused FTP accounts and change the passwords on all the rest of them to non-dictionary words at least 8 characters in length.

7. If you have phpadmin on the computer, ensure it is protected via .htpassword or (even better) use Apache's allow/deny feature to restrict access to it to a set of known IP addresses.

That lot should limit down further methods of access.



8. Ensure that every package (like ZenCart, Magento, phpBB, etc) has the latest patches applied.

9. Next go through your code. Do one source file at a time, but ignore packages like phpBB or ZenCart. Scan for _GET _POST _REQUEST _SERVER _COOKIE and everywhere that they are used apply strip_tags to them unless the field in question is meant to contain HTML. That will stop a lot of the XSS injections which use javascript. So, replace

$myVar = $_GET['myVar'];

with

$myVar = strip_tags( $_GET['myVar'] );

Also read up on the PHP filter functions http://www.php.net/filter_var


Doing the above will substantially increase your security. You may already be doing some of them, but try and do as many as possible. It's a big job, but it keeps the bad guys out.



0
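A triage script for steps 1, 2 and 9 of the answer above (php.ini settings, stray .htaccess files and the two webshell file names, and reads of request superglobals), added here as an example and not code from the thread or from any project it mentions. It runs against a constructed sample web root; the paths, the sample files and the hidden-iframe heuristic are assumptions for illustration.

```shell
#!/bin/sh
# Added triage helper, not code from the thread. Builds a constructed sample
# tree (permissive php.ini, a stray .htaccess, a c99.php, a hidden iframe and
# PHP files that read superglobals) and runs the checks from steps 1, 2 and 9.

# check_php_ini FILE: returns 1 (printing a WARN line) when register_globals
# is on or disable_functions is empty/unset, 0 when both look hardened.
check_php_ini() {
  ini="$1"; rc=0
  if grep -Eiq '^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*(on|1|true)' "$ini"; then
    echo "WARN: register_globals is On in $ini"; rc=1
  fi
  if ! grep -Eiq '^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*[^[:space:]]' "$ini"; then
    echo "WARN: disable_functions is empty or unset in $ini"; rc=1
  fi
  return $rc
}

# find_unexpected_htaccess WEBROOT [EXPECTED_PATH...]: every .htaccess under
# WEBROOT that is not one of the paths you know you created yourself.
find_unexpected_htaccess() {
  root="$1"; shift
  find "$root" -type f -name '.htaccess' | sort | while read -r f; do
    known=0
    for e in "$@"; do
      if [ "$f" = "$e" ]; then known=1; fi
    done
    if [ "$known" -eq 0 ]; then echo "$f"; fi
  done
}

# find_known_shells WEBROOT: the two webshell file names named in the thread.
find_known_shells() {
  find "$1" -type f \( -name 'phpshell.php' -o -name 'c99.php' \) | sort
}

# find_hidden_iframes WEBROOT: files containing an iframe sized to zero or
# hidden via CSS, the usual shape of an injected iframe (assumed heuristic).
find_hidden_iframes() {
  pat="<iframe[^>]*(width=[\"']?0[^0-9]|height=[\"']?0[^0-9]|display:[[:space:]]*none)"
  grep -rliE --include='*.php' --include='*.html' "$pat" "$1" 2>/dev/null | sort
}

# audit_superglobals WEBROOT: every line reading a request superglobal, to be
# reviewed one file at a time as step 9 describes (wrapped or not).
audit_superglobals() {
  grep -rnE --include='*.php' '\$_(GET|POST|REQUEST|COOKIE|SERVER)\[' "$1" 2>/dev/null | sort
}

# make_sample_tree: constructed sample data; prints the temp directory path.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/www/site1" "$d/www/site2/uploads" "$d/etc"
  printf 'register_globals = On\ndisable_functions =\n' > "$d/etc/php.ini"
  printf 'Options -Indexes\n' > "$d/www/site1/.htaccess"                       # expected
  printf 'AddType application/x-httpd-php .jpg\n' > "$d/www/site2/uploads/.htaccess"   # stray
  printf '<?php echo "hi"; ?>\n' > "$d/www/site2/uploads/c99.php"
  printf '<?php $id = $_GET["id"]; ?>\n<iframe src="http://example.invalid/x" width="0" height="0"></iframe>\n' \
    > "$d/www/site2/index.php"
  printf '<?php $q = strip_tags($_POST["q"]); ?>\n' > "$d/www/site1/search.php"
  echo "$d"
}

main() {
  d=$(make_sample_tree)
  echo "== php.ini ==";            check_php_ini "$d/etc/php.ini" || echo "php.ini needs hardening"
  echo "== unexpected .htaccess =="; find_unexpected_htaccess "$d/www" "$d/www/site1/.htaccess"
  echo "== known webshell names =="; find_known_shells "$d/www"
  echo "== hidden iframes ==";     find_hidden_iframes "$d/www"
  echo "== superglobal reads ==";  audit_superglobals "$d/www"
  rm -rf "$d"
}

main
```

On a real server, point the functions at the actual web root and php.ini and pass the .htaccess paths you created to find_unexpected_htaccess; anything it prints, any hit from find_known_shells or find_hidden_iframes, and any superglobal read that is not wrapped in strip_tags or a filter_var call is where the manual review in steps 2 and 9 starts.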
 
LVL 1

Expert Comment

by:slimetoner
I think he does not want to sanitize per PHP file.
He wants a universal sanitizer.

I think firewalls/IDS can block viruses by setting a hex fingerprint, but cannot detect PHP injection attacks.
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 125 total points
FYI, SQL injection is the top-rated web application attack these days. There is a lot of insecure code over the net, and there are also several ways to protect an ASP.NET application from SQL injection attacks. SQL injection can occur when an application uses input to construct dynamic SQL statements or when it uses stored procedures to connect to the database. Methods of SQL injection exploitation are classified according to the DBMS type and exploitation conditions: vulnerable requests can implement INSERT, UPDATE or DELETE; it is possible to inject SQL code into any part of an SQL request; blind SQL injection; features of the SQL implementations used in various DBMSs. Successful SQL injection attacks enable attackers to execute commands in an application's database and also take over the server.
My recommendation:
- Basically, make sure your web server is up to date with the latest security fixes/patches.
- Make sure you filter every user input and output with proper encoding like UTF-8.
Read the full testing guide: https://www.owasp.org/images/8/89/OWASP_Testing_Guide_V3.pdf
- Try to implement a web application scanner; check this link http://trac.ush.it/ush/wiki/SecurityTools
- I use e.g. the Watchfire (now IBM AppScan) tools http://www-01.ibm.com/software/rational/offerings/websecurity/ to scan all my web applications

Check Google for more on how to protect against SQL injection.
Regarding the Microsoft issue check http://msdn.microsoft.com/en-us/library/ms998271.aspx
search http://www.sans.org/  "sql injection"
WASC: http://projects.webappsec.org/SQL-Injection
OWASP: http://www.owasp.org/index.php/SQL_Injection
CodeProject http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx
0
 

Author Comment

by:whspider
let me check and get back
0
