sql injection through address bar. How can I prevent?


manutdvn
Sun 13th Nov '05, 3:20am
Hello,

I wonder How can I prevent sql injection through address bar?

Marco van Herwaarden
Sun 13th Nov '05, 3:28am
There is only 1 answer to this: By sanitizing all variables from external sources before you use them, and escaping all special characters in character fields.
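
The two halves of that advice, shown as an added example (not code from this thread or from vBulletin). It is written in Python with sqlite3 rather than PHP so that it runs stand-alone; the user table and the URLs are constructed for the example. The same address-bar value is first glued into the SQL text, then bound to a placeholder, and a numeric parameter is checked before it is used at all:

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit


def build_db():
    """Constructed sample data standing in for a real member table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),
        (2, "bob", "bob@example.com"),
        (3, "carol", "carol@example.com"),
    ])
    return conn


def query_param(url, name):
    """Return the named query-string parameter exactly as it arrives from the address bar."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def find_by_name_vulnerable(conn, url):
    """Vulnerable: the parameter is pasted into the SQL text, so a quote in it becomes SQL syntax."""
    name = query_param(url, "name")
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_bound(conn, url):
    """Hardened: the value is bound to a placeholder and the driver never parses it as SQL.

    This is the stronger form of 'escaping special characters': the quoting is done by the
    driver for every value, so there is nothing left for the coder to forget.
    """
    name = query_param(url, "name")
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def find_by_id_validated(conn, url):
    """Sanitizing step for a numeric field: reject anything that is not a plain integer, then bind."""
    raw = query_param(url, "id")
    if not raw.isdigit():
        raise ValueError("id must be a positive integer, got %r" % raw)
    return conn.execute("SELECT name, email FROM users WHERE id = ?", (int(raw),)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    # Constructed attack URL: the quote closes the string and the OR makes the WHERE clause always true.
    attack = "http://example.test/member.php?name=bob' OR '1'='1"
    print("vulnerable:", find_by_name_vulnerable(conn, attack))  # every row comes back
    print("bound:     ", find_by_name_bound(conn, attack))       # no such user, so []
```

In PHP the equivalents are prepared statements in mysqli or PDO for the bound form, and mysql_real_escape_string() if a value really has to be concatenated into the query; casting or checking an id with is_numeric() before use is the sanitizing step.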

manutdvn
Sun 13th Nov '05, 3:40am
There is only 1 answer to this: By sanitizing all variables from external sources before you use them, and escaping all special characters in character fields.
Sorry Marco, I do not know much about SQL, very new on this. Can you tell me more detail? Thank you so much.

Marco van Herwaarden
Sun 13th Nov '05, 4:38am
This has not much to do with SQL, more with PHP coding. I suggest you have a read in the HOW-TO forums over at our coding community at www.vbulletin.org (http://www.vbulletin.org).

mbailey
Tue 22nd Nov '05, 11:28pm
Try and install mod_security (http://modsecurity.org) on your server, then write up a ruleset that will block GET requests including strings like "SELECT", "FROM", "UPDATE", "DROP", "Create table", etc.

Make sure to turn off scanning of POST data. If one of your users were to ever post a statement that included any of those strings, they would receive an error, and wouldn't be able to make that post.

As marco said, you should also make sure your code is secure.

Good luck.