Menu
I'm familiar with using mysql_real_escape_string() and the PHP FILTER_SANITIZE function to prevent sql injections.
However, I'm curious as to how I would determine within a PHP script whether or not user input was a likely sql injection attempt? That would be useful for tracking potentially malicious IPs.
279
Detection methods range from checking server logs to monitoring database errors. Most network intrusion detection systems (IDS) and network perimeter firewalls are not configured to review HTTP traffic for malicious SQL fragments, making it possible for an attacker to bypass network security boundaries.
Procedure For The Attack Hacker first searches for the website in which the parameter of HTML are not properly validated (i.e. tags are not closed etc.) by running malicious SQL queries on the website. While running the queries if error related to SQL is displayed on the webpage.
The detection of SQL injection attacks has primarily been accomplished through pattern matching techniques against signatures and keywords known to be malicious.
Some common SQL injection examples include: Retrieving hidden data, where you can modify an SQL query to return additional results. Subverting application logic, where you can change a query to interfere with the application's logic. UNION attacks, where you can retrieve data from different database tables.
If the output of mysql_real_escape_string is different to the input, then the input contained unsafe characters. You could infer that the user might have been attempting an attack, especially if the field in question is one where you'd normally expect a low number of unsafe characters (e.g. a zip code).
But it might also be because their name happened to be Robert'); DROP TABLE Students; --.
So in general, there is no way to do this that's even close to reliable.
74
Simple answer is you cannot. Just write code that assumes that the serve is going to receive a pounding then you cannot go wrong.
26
This is a very hard problem to solve, automatically detecting which SQL queries are attacks (or simple mistakes).
There are companies who make products that attempt to do this, like GreenSQL and DB Networks ADF-4200, by applying heuristic tests to see if queries look "suspicious."
But even they rely more on whitelisting the queries that your application runs. The heuristics are known to have both false positives and false negatives. And there are whole categories of queries that neither whitelisting nor heuristics can catch, like calls to stored procedures.
Someone mentioned mod_security too, but this requires a lot of configuration, and then you're back to hand-coding rules for whitelisting your application's legitimate queries.
Just follow good practices like parameterizing and whitelisting, so that user input (or any untrusted content) is never evaluated as code.
28
Actually there is no certain way !
but it is possible to guess attacks !
simply check for most common usefull sql injection structures
for example scan this words (in case insensitive) in your inputs :
union
select
drop
--
;
if you know how to stop sql injection , you shouldn't be worried and you can run the query safely. but as I understood you want to detect injections , so i prefer you just log suspicious inputs and then decide manually ! in most cases logged queries are real injections.
45
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
