Prepared statements are the current state of the art. Slashes and HTML entities are not really used in modern PHP any more.

http://www.w3schools.com/php/php_mysql_prepared_statements.asp

You should also use mod_security in Apache if that is your web server.

https://www.howtoforge.com/apache_mod_security

You should also have an idea of what you plan to accept as input. A phone number doesn't need letters or symbols. A name doesn't need symbols. You should perform multiple layers of checking before passing on data from a user. If you have an input for names but they are putting in a ! symbol, you should kick out their input or verify that a Mr. Kickass!! $$CatKisser$$ is using your form.

On Wed, Sep 14, 2016 at 7:11 AM, Keith Smith wrote:
>
> I think this is a great opportunity to talk about sanitizing one's data
> before sending it to the DB.
>
> There are two very easy things one can do if programming in PHP.
>
> 1) addslashes - Returns a string with backslashes before characters that
> need to be escaped. These characters are single quote ('), double quote
> ("), backslash (\) and NUL (the NULL byte).
>
> 2) htmlentities - Convert all applicable characters to HTML entities -
> this will convert any semicolons not enclosed in quotes into its HTML
> entity.
>
> http://php.net/manual/en/security.database.sql-injection.php
>
> Little Bobby Tables: http://php.net/manual/en/images/fa7c5b5f326e3c4a6cc9db19e7edbaf0-xkcd-bobby-tables.png
>
> I do not profess to be an expert in this area. I spent a lot of time
> looking into this about 10 years ago and still feel like I need to know
> more. I'm always eager to learn more in this area.
>
> Please add your thoughts?
>
> Thanks!!
> Keith
>
> On 2016-09-14 01:41, der.hans wrote:
>
>> On 14 Sep 2016, Herminio Hernandez, Jr. wrote:
>>
>>> Should I be concerned even if my SQL server is only listening on localhost?
>>
>> Depends on what you have using it.
>>
>> If it's the DB for a web site, then it's possible that SQL injection can
>> be used to modify your database.
>>
>> For instance, WordPress has lots of security issues, so it likely can be
>> exploited to use SQL injection to talk to your DB.
>>
>> ciao,
>>
>> der.hans
>>
>>> On Mon, Sep 12, 2016 at 1:29 PM, Joseph Sinclair <plug-discussion@stcaz.net> wrote:
>>>
>>>> FYI, minor improvement below to lock down a few edge cases (note, this is
>>>> primarily for EXT{2,3,4} and other filesystems that support file
>>>> attributes).
>>>> You'll also need to remove the attribute manually before updating when
>>>> patches become available.
>>>>
>>>> On 09/12/2016 12:33 PM, der.hans wrote:
>>>>
>>>>> On 12 Sep 2016, Herminio Hernandez Jr. wrote:
>>>>>
>>>>> moin moin,
>>>>>
>>>>>> Basically they mirror the repos. So when it hits debian I will upgrade.
>>>>>
>>>>> Ah, OK.
>>>>>
>>>>> You might also want to create a couple of empty files and lock them
>>>>> down.
>>>>>
>>>>> $datadir can be exploited, so pre-emptively putting empty conf files in
>>>>> there that can't be changed by mysql is a good idea.
>>>>>
>>>>> The following is for anyone with questions on locking down the config
>>>>> files in $datadir.
>>>>>
>>>>> Presuming $datadir is /var/lib/mysql either of the following will lock
>>>>> down the files when run as root, but the first will destroy files you
>>>>> might already have.
>>>>>
>>>>> # >/var/lib/mysql/my.cnf
>>>>> # >/var/lib/mysql/.my.cnf
>>>>> # chmod 000 /var/lib/mysql/{.,}my.cnf
>>>> # chattr +i /var/lib/mysql/{.,}my.cnf
>>>>>
>>>>> Or, with some minimal verification that it's safe...
>>>>>
>>>>> # for file in /var/lib/mysql/{.,}my.cnf; do
>>>>>     if [ ! -e "$file" ] ; then
>>>>>         # file does not exist yet: create it empty and make it unreadable/unwritable
>>>>>         >"$file"
>>>>>         chmod 000 "$file"
>>>>         # immutable: cannot be modified, deleted or renamed until chattr -i
>>>>         chattr +i "$file"
>>>>>         ls -l "$file"
>>>>         lsattr "$file"
>>>>>     else
>>>>>         # file already exists: show its state and leave it alone
>>>>>         ls -l "$file"
>>>>         lsattr "$file"
>>>>>         echo "You might want to check on that"
>>>>>     fi
>>>>> done
>>>>>
>>>>> ciao,
>>>>>
>>>>> der.hans
>>>>>
>>>>>> Sent from my iPhone
>>>>>>
>>>>>> On Sep 12, 2016, at 12:00 PM, der.hans wrote:
>>>>>>
>>>>>>> On 12 Sep 2016, Herminio Hernandez Jr. wrote:
>>>>>>>
>>>>>>> moin moin,
>>>>>>>
>>>>>>>> Thanks have some SQL in DO droplets. Will be looking for this.
>>>>>>>
>>>>>>> Will DigitalOcean automagically apply the patches for you?
>>>>>>>
>>>>>>> I would expect it's in their best interest.
>>>>>>>
>>>>>>> I'm certain DreamHost is already upgraded. GoDaddy is probably rolling
>>>>>>> it out already, but I no longer know anyone on the team over there, so am
>>>>>>> not sure how quick they will be.
>>>>>>>
>>>>>>> This is admittedly one of the advantages of cloud. The infrastructure
>>>>>>> providers can centrally test and roll out for everyone. The
>>>>>>> disadvantage is if it's something that affects you, but they don't know
>>>>>>> or care about it :).
>>>>>>>
>>>>>>> ciao,
>>>>>>>
>>>>>>> der.hans
>>>>>>>
>>>>>>>> Sent from my iPhone
>>>>>>>>
>>>>>>>> On Sep 12, 2016, at 11:18 AM, der.hans wrote:
>>>>>>>>
>>>>>>>>> moin moin,
>>>>>>>>>
>>>>>>>>> a MySQL remote exploit was announced this morning. Percona and
>>>>>>>>> MariaDB already have fixes that have not yet hit the distros.
>>>>>>>>>
>>>>>>>>> https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662
>>>>>>>>>
>>>>>>>>> http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
>>>>>>>>>
>>>>>>>>> Watch for updates.
>>>>>>>>>
>>>>>>>>> ciao,
>>>>>>>>>
>>>>>>>>> der.hans
>>>>>>>>> --
>>>>>>>>> # http://www.LuftHans.com/ http://www.PhxLinux.org/
>>>>>>>>> # Fairy Tale, n.: A horror story to prepare children for the
>>>>>>>>> newspapers.
>>>>>>>>> ---------------------------------------------------
>>>>>>>>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>>
>>>>>>> --
>>>>>>> # http://www.LuftHans.com/ http://www.PhxLinux.org/
>>>>>>> # "You go to Afghanistan and you swallow enough dust that you'll pass an
>>>>>>> # adobe brick." -- Robin Williams, 03Aug2006
>
> --
> Keith Smith
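A worked version of the two recommendations in the top post (check each field against what it is supposed to contain, then hand the values to the database through a prepared statement rather than escaping them into the SQL text). This is an added example, not code from any participant in the thread; the `contacts(name, phone)` table, the DSN and the credentials are placeholders, and the string-built variant is kept only to show what the prepared statement replaces.

```php
<?php
declare(strict_types=1);

// Layer 1: allowlist checks tied to what the field is supposed to contain.
// A name gets letters, spaces and a few punctuation marks; a phone number
// gets digits only. Anything else is rejected before it reaches the DB.

function validateName(string $name): ?string
{
    $name = trim($name);
    // Letters in any script, then up to 99 more letters/spaces/./'/-.
    if (!preg_match('/^\p{L}[\p{L} .\'\-]{0,99}$/u', $name)) {
        return null;
    }
    return $name;
}

function validatePhone(string $phone): ?string
{
    // Drop common separators, then require 7..15 digits (E.164 max length).
    $digits = preg_replace('/[\s().\-]/', '', $phone);
    if (!preg_match('/^\+?\d{7,15}$/', $digits)) {
        return null;
    }
    return $digits;
}

// Layer 2: bound parameters. The SQL text is fixed; the values travel
// separately, so quotes, semicolons or comment markers in them are inert.
function insertContact(PDO $db, string $name, string $phone): bool
{
    $stmt = $db->prepare('INSERT INTO contacts (name, phone) VALUES (:name, :phone)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':phone', $phone, PDO::PARAM_STR);
    return $stmt->execute();
}

// The pattern the thread warns against, for contrast only: the value becomes
// part of the statement. A legitimate name such as O'Brien already breaks it.
function insertContactUnsafe(PDO $db, string $name, string $phone)
{
    return $db->exec("INSERT INTO contacts (name, phone) VALUES ('$name', '$phone')");
}

// Placeholder connection details (assumption: MySQL on localhost, database "app").
$db = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'placeholder-password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
    ]
);

$name  = validateName($_POST['name']  ?? '');
$phone = validatePhone($_POST['phone'] ?? '');

if ($name === null || $phone === null) {
    // Reject the submission outright rather than trying to "clean" it.
    http_response_code(400);
    exit('Name or phone number is not in an accepted format.');
}

insertContact($db, $name, $phone);
echo 'Saved.';
```

With `PDO::ATTR_EMULATE_PREPARES` set to `false` the MySQL server receives the statement and the parameter values as separate protocol messages; with emulation left on, PDO instead quotes the values client-side, which depends on the client knowing the connection character set, which is why the DSN pins `charset=utf8mb4`. The validation layer is not what stops injection (the prepared statement does that); it keeps obviously malformed data out of the table and gives a clear error to the user.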