08-22-2004, 08:53 AM | #1
Junkie
Location: RI
[C] Preventing SQL Injection
k, so I'm running a MUD with a MySQL backend and I've had a total brain fart. I'm trying to write a function that'll check the string going to the db to make sure that it doesn't contain any nasties in it that'll cause the db to go boom. I've tried strchr to check for a ;. I've thought about comparing, but that won't work because I just need it to get one dinky little part. Any idea on how I can do this? Thanks.
08-23-2004, 05:06 AM | #2
Insane
Hmm, this poses an interesting problem. What if the person really wanted to "drop table"?
I would remedy the situation by having a configurable table prefix. Let's say you had a table in your database named "items"... you could then prefix it with "blah_" so that the user would have to know what your table names are beforehand in order for them to attack your website. I would also check for things like "drop table" or "drop database" (on the other hand, if your MUD has a sci-fi theme, there could very well be items called "database" as I mentioned before) in an array of disallowable commands, nouns, verbs, etc. Don't forget to escape your SQL string before you send it to the database... that's one of the worst mistakes you can make. In general, you just need to watch strings when they get pushed to the database.

About the ; : You have to make sure what type of MUD client (if applicable) the user is running. Not detecting version per se, but what if your MUD allows someone to piggy-back their commands on one line?

move north; drop sword; move east; fight imp

I suggest you tokenize your MUD command (I think for an application such as a MUD you probably are already anyway) and set the ; as a delimiter. Your MUD may allow this, or the MUD client may allow them to do it (usually before it sends its buffer to your MUD) by tokenizing the string and sending the tokens separately itself to your MUD. strtok(3) is a good function to use, but strsep(3) obsoleted it. Both may have issues with non-NULL-terminated strings, I don't know. You may want to check out a C reference, or if you're feeling adventurous, write your own. Some food for thought.
__________________
"You looked at me as if I was eating runny eggs in slow motion." - Gord Downie of The Tragically Hip
08-23-2004, 06:29 AM | #3
Junkie
Location: RI
Well, generally most of the clients I have encountered will take the ; and split it into multiple commands, although your point about splitting something into two commands if there is a ; would be a handy-dandy thing to have for users who don't have a client that can handle that...
As it stands, I have a strchr function running on each string that is getting sent to the database and has a value that may contain characters. If the check returns a positive value, it sends a message to the user that part of their file contains an illegal character and that they've been reported to the staff, and it sends a query to a database stating that said user has a string in their file that is questionable. I am tempted, though, to create an array of banned words and search through the database, but I don't know if I really want to go through with that...
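An added example (not code from either poster) showing why the strchr check on ; from post #3 is not enough on its own and what the escaping step from post #2 actually does: a legitimate item description such as "Bob's sword" contains no ; yet still breaks a quoted SQL literal, so the fix is to escape (or better, bind) every value rather than reject characters. The escaping routine below mirrors the rules of libmysqlclient's mysql_real_escape_string() so it runs without the library; in real code call that function, or use prepared statements (mysql_stmt_prepare / mysql_stmt_bind_param), which keep data out of the query text entirely. The table name blah_items and column descr are assumed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reject-list check in the style of the strchr approach: returns 1 if s
 * contains any character from `banned`. A ';' check alone says nothing
 * about quotes, which are what actually terminate a string literal. */
int contains_banned(const char *s, const char *banned) {
    for (; *s; s++)
        if (strchr(banned, *s)) return 1;
    return 0;
}

/* Escape the bytes MySQL treats specially inside a quoted literal, following
 * the same rules as mysql_real_escape_string(). Stand-alone illustration only;
 * returns a malloc'd buffer the caller must free, or NULL on allocation failure. */
char *sql_escape(const char *in, size_t len) {
    char *out = malloc(2 * len + 1);   /* worst case: every byte doubles */
    char *p = out;
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        switch (c) {
            case '\0':   *p++ = '\\'; *p++ = '0'; break;
            case '\n':   *p++ = '\\'; *p++ = 'n'; break;
            case '\r':   *p++ = '\\'; *p++ = 'r'; break;
            case '\032': *p++ = '\\'; *p++ = 'Z'; break;   /* Ctrl-Z, EOF on Windows */
            case '\\': case '\'': case '"':
                         *p++ = '\\'; *p++ = (char)c; break;
            default:     *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* Build the INSERT the MUD would send, with the user-supplied description
 * escaped so it cannot close the literal. Returns query length or -1. */
int build_query(char *buf, size_t n, const char *desc) {
    char *esc = sql_escape(desc, strlen(desc));
    if (!esc) return -1;
    int r = snprintf(buf, n, "INSERT INTO blah_items (descr) VALUES ('%s')", esc);
    free(esc);
    return (r < 0 || (size_t)r >= n) ? -1 : r;
}
```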