MyBB Community Forums

Full Version: Exploits?
Yo,

Is there a site scanner people recommend? To check for SQL injections, XSS and such? I input all my data with mysql_real_escape_string and currently display with htmlentities with bbcode support. But in the next couple of months I plan to release a pretty big project open source and security is key.


- Ian
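The display side Ian describes (htmlentities plus bbcode), written out as an added example that is not his code: it spells out the escaping flags and shows why the escape must happen before the bbcode pass. The bbcode subset handled ([b], [i], [url=...]) and the sample post are constructed for this example.

```php
<?php
// Added example (not code from the thread): HTML-context output escaping with a
// small bbcode layer on top. The bbcode subset and the sample text are constructed.

// One escaping function for HTML text and attribute values.
// ENT_QUOTES is the important flag: without it a single quote is left alone,
// and a value placed inside a single-quoted attribute can terminate it.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Order matters: escape the raw post first, then turn the (now inert) bbcode
// markers into a fixed set of tags. Converting bbcode before escaping would
// escape the generated tags; escaping after converting would let markup typed
// by the user through.
function renderBbcode(string $raw): string
{
    $html = e($raw);

    // Paired tags without attributes: the captured text is already escaped.
    $html = preg_replace('/\[b\](.*?)\[\/b\]/s', '<strong>$1</strong>', $html);
    $html = preg_replace('/\[i\](.*?)\[\/i\]/s', '<em>$1</em>', $html);

    // [url=target]label[/url]: accept http(s) targets only, and escape the
    // target again when it is placed into the href attribute.
    $html = preg_replace_callback(
        '/\[url=([^\]]+)\](.*?)\[\/url\]/s',
        function (array $m): string {
            $target = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('#^https?://#i', $target)) {
                return $m[2]; // unsupported scheme: keep the label, drop the link
            }
            return '<a href="' . e($target) . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $html
    );

    return $html;
}

// Constructed sample post exercising each path: plain bbcode, an allowed link,
// a link with a rejected scheme, and raw markup typed into the post.
$post = "Hello [b]world[/b], see [url=https://example.com/?a=1&b=2]this[/url] "
      . "and [url=javascript:alert(1)]not this[/url] <script>alert(1)</script>";

echo renderBbcode($post), "\n";
```

The single escaping function is reused for both text and the href attribute; the target is decoded from the already escaped capture, checked, and escaped again on the way into the attribute, so no raw user text reaches the markup by either route.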

The best scanner is yourself. Write correct code, never pretend to come back to escape any data, do it as you write it.

Not sure if there are automatic tools (which I doubt).

(2012-07-16, 07:54 PM) Omar G. Wrote:
    The best scanner is yourself. Write correct code, never pretend to come back to escape any data, do it as you write it.

    Not sure if there are automatic tools (which I doubt).

Pretty sure there is; I doubt exploiters go through every text box and URL to exploit :/

This scanner works well: http://tinyurl.com/79lcqxm

The general rule of thumb is not to trust any input from the user. For the record, the mysql_ functions are pretty outdated. Using them is very bad practice. They get the job done, but they're not the best solution out there. Especially if you're releasing this out to the public. Please consider using PDO. It's much better. Plus you won't have to worry about SQL injection vulnerabilities anymore.
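A worked version of the PDO advice, added here and not Fábio's code: the user lookup with the value spliced into the query text (the pattern that depends on escaping every value) next to the prepared-statement form, plus the one place placeholders cannot help, which is identifiers and keywords. The DSN, credentials and the `users` table are assumptions for the example.

```php
<?php
// Added example (not code from the thread). Assumes a MySQL database `app`
// with a table users(id INT, username VARCHAR, email VARCHAR); the DSN and
// credentials are placeholders.

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // errors become exceptions
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares: query text and data travel separately
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Before: the value is spliced into the query text, so its quoting decides the
// statement's meaning. This is the pattern that relies on escaping every value.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll();
}

// After: the query text is constant and the value is bound. The server never
// has to work out where the value ends, so there is nothing to escape.
function findUser(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll();
}

// Integers: declare the parameter type so the driver sends a number, not a string.
function findUserById(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// What placeholders do not cover: identifiers and keywords. A column name or
// sort direction cannot be bound, so choose it from a fixed map instead.
function listUsers(PDO $pdo, string $sortBy, string $direction): array
{
    $columns    = ['id' => 'id', 'name' => 'username'];
    $directions = ['asc' => 'ASC', 'desc' => 'DESC'];
    if (!isset($columns[$sortBy], $directions[$direction])) {
        throw new InvalidArgumentException('unsupported sort option');
    }
    $sql = 'SELECT id, username, email FROM users ORDER BY ' . $columns[$sortBy] . ' ' . $directions[$direction];
    return $pdo->query($sql)->fetchAll();
}

$pdo = connect();
print_r(findUser($pdo, $_GET['user'] ?? ''));
print_r(findUserById($pdo, (int) ($_GET['id'] ?? 0)));
print_r(listUsers($pdo, $_GET['sort'] ?? 'id', $_GET['dir'] ?? 'asc'));
```

Turning emulated prepares off makes the driver send the statement and the parameters to the server separately; with emulation on, PDO builds the quoted string client-side, which still works but is then only as good as the escaping.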

(2012-07-16, 08:03 PM) Paul H. Wrote:
    This scanner works well: http://tinyurl.com/79lcqxm

:/

(2012-07-16, 08:07 PM) Fábio Maia Wrote:
    The general rule of thumb is not to trust any input from the user. For the record, the mysql_ functions are pretty outdated. Using them is very bad practice. They get the job done, but they're not the best solution out there. Especially if you're releasing this out to the public. Please consider using PDO. It's much better. Plus you won't have to worry about SQL injection vulnerabilities anymore.

I understand that, but I do not intend to use PDO :/. I would rather find a solution than change.

To be honest, I would consider change to be a solution. Either way, I have a function somewhere that was made for the mysql_ functions (it's pretty old). It's also reasonably well tested and has passed everything that I've thrown at it. That's not to say it's perfect, but it should work. I'll try and find it for you if you like.

If you pass all input through it (it handles strings, ints, bool, arrays, anything you like), then you should be safe on the SQL side of things.

(2012-07-16, 08:13 PM) Charlie Hadden Wrote:
    To be honest, I would consider change to be a solution. Either way, I have a function somewhere that was made for the mysql_ functions (it's pretty old). It's also reasonably well tested and has passed everything that I've thrown at it. That's not to say it's perfect, but it should work. I'll try and find it for you if you like.

    If you pass all input through it (it handles strings, ints, bool, arrays, anything you like), then you should be safe on the SQL side of things.

Everywhere I go I am told different things. Confusing: first I was sold _escape_string worked with everything, then now it's PDO, then back to mysql_real_escape_string, and now some random function xD

Well, the function that I'm talking about evaluates the type of input and runs it through the appropriate function for that type. For example, ints are run through intval, strings through mysql_real_escape_string, etc.

Your best option would be to go for PDO though. It's a much better solution, even if it does take a while to change to.
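The type-dispatching function Charlie describes, written out as an added example (it is not his function): the runtime type of each value picks the treatment, ints become bare digits, strings go through the escape function, arrays are handled element by element. It uses mysqli rather than the mysql_ extension, which was removed in PHP 7.0, and the sanitiser always emits the surrounding quotes itself, since escaping only protects a value that sits inside quotes. Connection details are placeholders.

```php
<?php
// Added example, not Charlie Hadden's function. Needs PHP 8 (mixed, get_debug_type).
// Connection details are placeholders.

function connect(): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors
    $db = new mysqli('localhost', 'app_user', 'app_password', 'app'); // placeholders
    // real_escape_string is charset-aware; set the charset on the connection
    // (not via a SET NAMES query) so escaping and the server agree on it.
    $db->set_charset('utf8mb4');
    return $db;
}

// Turn a PHP value into an SQL literal according to its runtime type.
// Strings come back quoted: the quotes are what turn escaping into safety.
function sqlLiteral(mysqli $db, mixed $value): string
{
    switch (true) {
        case is_null($value):
            return 'NULL';
        case is_bool($value):
            return $value ? '1' : '0';
        case is_int($value):
            return (string) $value;              // what intval gives: digits only
        case is_float($value):
            return (string) $value;              // PHP 8: locale-independent
        case is_string($value):
            return "'" . $db->real_escape_string($value) . "'";
        case is_array($value):
            // Parenthesised list for use after IN; an empty list must not
            // produce "IN ()", which is a syntax error.
            if ($value === []) {
                return '(NULL)';
            }
            return '(' . implode(', ', array_map(fn ($v) => sqlLiteral($db, $v), $value)) . ')';
        default:
            throw new InvalidArgumentException('cannot embed ' . get_debug_type($value));
    }
}

// Every value position goes through sqlLiteral. Request parameters arrive as
// strings, so cast them first where an integer is meant; otherwise they are
// quoted as strings, which is still safe in a value position.
function buildUserQuery(mysqli $db, string $username, array $roleIds, bool $active): string
{
    return 'SELECT id, username FROM users'
         . ' WHERE username = ' . sqlLiteral($db, $username)
         . ' AND role_id IN ' . sqlLiteral($db, $roleIds)
         . ' AND active = ' . sqlLiteral($db, $active);
}

$db      = connect();
$roleIds = array_map('intval', (array) ($_GET['roles'] ?? []));
$sql     = buildUserQuery($db, $_GET['user'] ?? '', $roleIds, true);
$result  = $db->query($sql);
print_r($result->fetch_all(MYSQLI_ASSOC));
```

Three things this approach does not cover, which is where prepared statements are simpler: column or table names (they cannot be escaped this way, so pick them from a fixed list), LIKE patterns (% and _ are not touched by real_escape_string), and any value a caller splices into the query on their own without going through the function.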

I use $db->escape_string(); for strings.

If you are working with MyBB, stick with its default functions. The same with any other script out there.