#1
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Mar 2009 | Posts: 147 | Rep Power: 49

    Determine if user is attempting SQL Injection


    Hi All,

    I know what SQL injection is, have been doing a bunch of Googling looking for solutions, have searched on Dev Shed, etc. My code currently uses PDO prepared statements and escapes special chars, so I'm not worried about SQL injection being successful.

    I'm involved in the financial industry so I'm looking to identify if a user is attempting to perform SQL injection. If they are, the user/ip will be identified and potentially blocked (haven't decided yet how I'll handle that part).

    The code I have so far is this (I know it could be cleaner, more efficient, and commented but I'm just sorting out how to accomplish the task at this point):
    PHP Code:
    function check_injection_attack($text){
        // Returns true when the input is treated as harmless and false when it
        // looks like an injection attempt.
        $text = strtolower($text);

        // Step 2 of the thought process: no single or double quote at all,
        // so the input is not treated as an attempt.
        if ((strpos($text, "'") === false) && (strpos($text, '"') === false)){
            return true;
        }

        // Step 3: a quote together with one of these phrases is treated as an attempt.
        $phrases = array(
            'create database', 'create index', 'create table', 'create type', 'create user',
            'drop database', 'drop index', 'drop table', 'drop type', 'drop user',
            'insert into', 'select from'
        );
        foreach ($phrases as $phrase){
            if (strpos($text, $phrase) !== false){
                return false;
            }
        }

        return true;
    }

    My thought process is:
    1.) String to lower so we're not looking for DROP/drop
    2.) If the string doesn't contain ' or " then it's not an injection attempt (is that correct? can you inject SQL without ' or "?)
    3.) If it does have a single or double quote, if it also contains drop table, select from, etc then it likely is an attempt.

    I will give users a warning (generic error) then red flag them to prevent false positives and have used a number of other security measures. This is one tool in a tool box.

    I have a bunch of questions but mainly I'm wondering 1.) is this going to pick up injection attempts? and 2.) is there a more efficient way to do this?

    Thanks very much, help is always appreciated.
    Blog: blog
    Projects (Under construction): amorphous_projects
    Twit: amorphous_proj
#2
    Contributing User
    Devshed Loyal (3000 - 3499 posts)
    Join Date: Jul 2003 | Posts: 3,493 | Rep Power: 594
    http://www.symantec.com/connect/arti...ipting-attacks

    Comments on this post

    • High Camp disagrees
    • E-Oreo agrees
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
#3
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Mar 2009 | Posts: 147 | Rep Power: 49
    Ah, a valuable link, thanks. I never think of regex because I hate it (it's too much work). Definitely good points and I'll incorporate them.

    Thanks again,

    EDIT: Crap, I meant to agree, sorry, now I can't figure out how to change it.
    Last edited by High Camp; November 22nd, 2012 at 09:58 PM.
    Blog: blog
    Projects (Under construction): amorphous_projects
    Twit: amorphous_proj
#4
    --
    Devshed Expert (3500 - 3999 posts)
    Join Date: Jul 2012 | Posts: 3,959 | Rep Power: 1014
    Hi,

    those checks are rather "naive". Even the stupidest script kiddies will hardly try to smuggle in complete queries, because this simply won't work (with the exception of subselects). This would require the web developers and server administrators to be completely insane and either allow multiple statements or send the raw user input directly to the database server.

    Real SQL injections are much more subtle and consist of manipulating existing queries. This also means they're much harder to detect (as you could see in the link). Warning the user for an innocent quote also seems a bit over the top.

    Long story short: I think this should be done by experts who really know what they're doing. A home-made solution with some substring checks will hardly do anything but create tons of false positives and useless data.
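As an added example that is not code from the original poster, from the linked article or from this reply, and that covers both the three-step check described in post #1 and the false-positive point made here: the substring heuristic is kept only as a logged signal with request context, beside a PDO prepared statement, which is the defence the original poster already relies on. The function names, the `notes` table, the sample sentences, the IP address and the user name are all made up for the example, and an in-memory SQLite database stands in for a real one.

```php
<?php
// Added example, not code from the thread. Names, table and inputs are constructed.

// Phrase list taken from the original post's checks.
const SUSPICIOUS_PHRASES = [
    'create database', 'create index', 'create table', 'create type', 'create user',
    'drop database', 'drop index', 'drop table', 'drop type', 'drop user',
    'insert into', 'select from',
];

/**
 * The original post's heuristic, restated: returns the matched phrase when the
 * input contains a quote character AND one of the phrases, otherwise null.
 * It is observational only and never decides whether a query is safe.
 */
function suspicious_phrase(string $text): ?string {
    $lower = strtolower($text);
    if (strpos($lower, "'") === false && strpos($lower, '"') === false) {
        return null;
    }
    foreach (SUSPICIOUS_PHRASES as $phrase) {
        if (strpos($lower, $phrase) !== false) {
            return $phrase;
        }
    }
    return null;
}

/**
 * Record a hit with request context instead of blocking. Returns the log line
 * (or null when nothing matched); $sink is any callable, e.g. 'error_log'.
 */
function flag_suspicious_input(string $field, string $text, array $ctx, callable $sink): ?string {
    $phrase = suspicious_phrase($text);
    if ($phrase === null) {
        return null;
    }
    $line = json_encode([
        'event'  => 'sqli_heuristic_hit',
        'field'  => $field,
        'phrase' => $phrase,
        'ip'     => $ctx['ip'] ?? 'unknown',
        'user'   => $ctx['user'] ?? 'anonymous',
        'sample' => substr($text, 0, 80), // truncate: never log unbounded user input
    ]);
    $sink($line);
    return $line;
}

// The actual defence: a prepared statement. Whatever the input contains, it is
// bound as data, so the heuristic above never has to be right for safety.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');
$insert = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
$count  = $pdo->prepare('SELECT COUNT(*) FROM notes WHERE body = :body');

// Constructed inputs: ordinary text, yet the first two trip the heuristic.
$samples = [
    "Can't wait for the \"drop table tennis\" tournament",
    "O'Brien asked: \"how do I create index cards in Word?\"",
    "Plain text with nothing unusual",
];

$ctx = ['ip' => '198.51.100.7', 'user' => 'demo']; // constructed request context

foreach ($samples as $text) {
    $insert->execute([':body' => $text]);
    $count->execute([':body' => $text]);
    $stored = (int) $count->fetchColumn();
    $count->closeCursor();
    $flag = flag_suspicious_input('comment', $text, $ctx, 'error_log');
    printf("stored=%d flagged=%s :: %s\n", $stored, $flag === null ? 'no' : 'yes', $text);
}
```

Run it from the command line with the pdo_sqlite extension enabled. All three inputs are stored unchanged because the prepared statement binds them as data; the first two are also flagged, which is the false-positive behaviour a substring heuristic produces on everyday text. That is why the flag is worth keeping only as a logged signal for a reviewer or a rate limit to act on, not as a block or a warning shown to the user.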
