
Showing posts from 2012

How to prevent mysql sleep injections?

Recently we faced an issue with a website that had been developed about a year earlier. An attacker managed to slow the site down using a sleep injection, even though we were taking precautions such as mysqli_real_escape_string() to escape SQL string syntax correctly. Let's see why this happened and what the solutions are.

We were using the following code to get the product id passed through the query string:

```php
$id  = mysqli_real_escape_string($con, (isset($_REQUEST['id']) ? $_REQUEST['id'] : 0));
$qry = "Select * from products where id = ".$id;
```

The attacker changed the query string to:

?id=3 and sleep(4)

and the query became:

```sql
Select * from products where id = 3 and sleep(4);
```

Each such request then took around 4+ seconds to run, so the whole website became very slow. The reason escaping did not help is that mysqli_real_escape_string() only neutralises the characters that could break out of a quoted string literal (quotes, backslashes, NUL and similar). Here $id is concatenated into the SQL unquoted, as if it were a number, and the payload "3 and sleep(4)" contains none of those characters, so it passes through untouched.

We were trying to figure out the best possible solution. After spending some time we noticed that although we were using mysql
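As an added example (not code from the original post, whose own fix is cut off above), here is the same lookup written so that the payload never reaches the SQL: the id is validated as a positive integer with filter_var() and the query is a prepared statement with a typed bind. The table and column names follow the post; the function names parse_product_id() and fetch_product(), the sample inputs and the mysqlnd assumption for get_result() are mine.

```php
<?php
// Added example, not the original post's code. Hardened version of the
// products lookup: validate the id strictly, then bind it as an integer.
declare(strict_types=1);

/**
 * Parse a product id from untrusted input. Returns the integer, or null when
 * the value is not a plain positive integer. "3 and sleep(4)" is rejected
 * here, so it never gets anywhere near the SQL.
 */
function parse_product_id(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;                    // arrays from ?id[]=... and the like
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch one product by id with a prepared statement. The id travels as a bound
 * integer parameter, not as SQL text, so no escaping is involved at all.
 * Assumes a connected mysqli with the mysqlnd driver (needed for get_result()).
 */
function fetch_product(mysqli $con, int $id): ?array
{
    $stmt = $con->prepare('SELECT * FROM products WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Offline demonstration of the validation step (no database needed).
// Constructed inputs standing in for $_GET['id'].
$samples = [
    '3'               => 3,
    '3 and sleep(4)'  => null,   // the payload from the post
    "3' or '1'='1"    => null,
    '0'               => null,   // below min_range
    '-7'              => null,
    '3.0'             => null,
    ''                => null,
];
foreach ($samples as $raw => $expected) {
    // PHP turns numeric-string keys into ints, so cast back to what $_GET holds.
    $got = parse_product_id((string) $raw);
    printf("%-18s => %s\n", var_export((string) $raw, true), var_export($got, true));
    assert($got === $expected);
}

// Request handling would then be:
// $id = parse_product_id($_GET['id'] ?? null);
// if ($id === null) { http_response_code(400); exit('invalid id'); }
// $product = fetch_product($con, $id);
```

A plain cast, `(int) $_GET['id']`, would also defeat this particular payload (it yields 3), but it silently turns any garbage into a number; validating and rejecting is the better habit, and the prepared statement protects the query even where validation is forgotten. Read the parameter from the source you actually expect ($_GET here) rather than $_REQUEST, which merges GET, POST and cookie data.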

Trim All Posted Variables in PHP

Quick tip to trim all posted variables in PHP.

```php
<?php
// Trim leading/trailing whitespace from every value in $_POST in place.
// array_walk() hands each value to the callback by reference when the
// parameter is declared with &, so the array is modified directly. This
// assumes a flat form: nested fields such as name="tags[]" arrive as arrays,
// and trim() on an array raises a warning (PHP 7) or a TypeError (PHP 8).
array_walk($_POST, 'trim_posted_variables');

/**
 * Callback for array_walk(): the first parameter is the value (taken by
 * reference so the change sticks), the second is the key or index.
 */
function trim_posted_variables(&$value, $index)
{
    $value = trim($value);
}
?>
```

Thanks! Enjoy Programming :)
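As an added example (not from the original post), the same tip generalised to forms with nested fields: array_walk_recursive() descends into arrays such as those produced by `<input name="tags[]">`, and an is_string() guard leaves non-string values alone, so the TypeError that trim() raises on an array under PHP 8 cannot occur. The function name trim_recursive() and the sample array standing in for $_POST are mine.

```php
<?php
// Added example, not the original post's code. Recursive, type-safe variant
// of "trim all posted variables".
declare(strict_types=1);

/**
 * Return a copy of $input with every string value trimmed, descending into
 * nested arrays. Keys and array structure are preserved; non-string values
 * (ints from a decoded JSON body, for instance) are returned unchanged.
 */
function trim_recursive(array $input): array
{
    array_walk_recursive($input, static function (&$value): void {
        if (is_string($value)) {
            $value = trim($value);
        }
    });
    return $input;
}

// Constructed sample standing in for $_POST; no real request is read here.
$sample_post = [
    'name'    => "  Alice  ",
    'age'     => 30,                          // would make trim() throw under strict_types
    'tags'    => [' php ', "\tsecurity\n"],   // from <input name="tags[]">
    'address' => ['city' => ' Pune ', 'zip' => ' 411001 '],
];

$trimmed = trim_recursive($sample_post);
assert($trimmed['name'] === 'Alice');
assert($trimmed['age'] === 30);
assert($trimmed['tags'] === ['php', 'security']);
assert($trimmed['address']['zip'] === '411001');
print_r($trimmed);

// In a real script: $_POST = trim_recursive($_POST);
```

Trimming is input normalisation, not a security control: it does not validate the value or make it safe to concatenate into SQL, so the validation and prepared statements discussed in the post above are still needed afterwards.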