Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How To Determine Whether A User Attempted A SQL Injection Attack

I'm familiar with using mysql_real_escape_string() and the PHP FILTER_SANITIZE function to prevent sql injections.

However, I'm curious as to how I would determine within a PHP script whether or not user input was a likely sql injection attempt? That would be useful for tracking potentially malicious IPs.

like image 279
Bad Programmer Avatar asked Aug 12 '11 23:08

Bad Programmer


People also ask

How SQL injection attacks are detected?

Detection methods range from checking server logs to monitoring database errors. Most network intrusion detection systems (IDS) and network perimeter firewalls are not configured to review HTTP traffic for malicious SQL fragments, making it possible for an attacker to bypass network security boundaries.

What hackers first do to check whether the SQL injection attack can be done or not?

Procedure For The Attack Hacker first searches for the website in which the parameter of HTML are not properly validated (i.e. tags are not closed etc.) by running malicious SQL queries on the website. While running the queries if error related to SQL is displayed on the webpage.

Is SQL injection detectable?

The detection of SQL injection attacks has primarily been accomplished through pattern matching techniques against signatures and keywords known to be malicious.

What is an example of what a SQL injection attempts to do?

Some common SQL injection examples include: Retrieving hidden data, where you can modify an SQL query to return additional results. Subverting application logic, where you can change a query to interfere with the application's logic. UNION attacks, where you can retrieve data from different database tables.


4 Answers

If the output of mysql_real_escape_string is different to the input, then the input contained unsafe characters. You could infer that the user might have been attempting an attack, especially if the field in question is one where you'd normally expect a low number of unsafe characters (e.g. a zip code).

But it might also be because their name happened to be Robert'); DROP TABLE Students; --.

So in general, there is no way to do this that's even close to reliable.

like image 74
Oliver Charlesworth Avatar answered Sep 27 '22 19:09

Oliver Charlesworth


Simple answer is you cannot. Just write code that assumes that the serve is going to receive a pounding then you cannot go wrong.

like image 26
Ed Heal Avatar answered Sep 27 '22 20:09

Ed Heal


This is a very hard problem to solve, automatically detecting which SQL queries are attacks (or simple mistakes).

There are companies who make products that attempt to do this, like GreenSQL and DB Networks ADF-4200, by applying heuristic tests to see if queries look "suspicious."

But even they rely more on whitelisting the queries that your application runs. The heuristics are known to have both false positives and false negatives. And there are whole categories of queries that neither whitelisting nor heuristics can catch, like calls to stored procedures.

Someone mentioned mod_security too, but this requires a lot of configuration, and then you're back to hand-coding rules for whitelisting your application's legitimate queries.

Just follow good practices like parameterizing and whitelisting, so that user input (or any untrusted content) is never evaluated as code.

like image 28
Bill Karwin Avatar answered Sep 27 '22 21:09

Bill Karwin


Actually there is no certain way !
but it is possible to guess attacks !
simply check for most common usefull sql injection structures for example scan this words (in case insensitive) in your inputs :

union
select
drop
--
; 

if you know how to stop sql injection , you shouldn't be worried and you can run the query safely. but as I understood you want to detect injections , so i prefer you just log suspicious inputs and then decide manually ! in most cases logged queries are real injections.

like image 45
Shahrokhian Avatar answered Sep 27 '22 21:09

Shahrokhian