How do you fail from sql injection or other attacks?

I have a site that gets quite a few hits from sql injection attempts or attempts to find uri’s like /wp-login.php or other presumably soft targets. I end up trapping much of this in my php header code, and just die() when I catch them. I’m wondering whether there’s a better way to handle them, that might tell the (presumably automated) bot something like a 500 server internal error, that could have a chance of deciding to stop poking me.

PHP

6 Comment(s)
@NogDog Oct 14.2019 — If I was going to worry about them at all, I'd probably just send a 404 via header() right before die()-ing. If a "not found" does not discourage a bot, then I don't know why any other header would. 🤷
@tracknut (author) Oct 14.2019 — Thanks NogDog, I was thinking "look, there isn't even a live server here" might somehow be a stronger message than "we got your request, rummaged around, and couldn't find the specific thing you asked for".

You say "If I was going to worry about them at all..." - do you have a general routine of sanitizing query string parameters that you stick at the top of your code? If so, what do you do with the rejects? Or if not, where do the parameters get dealt with?
@NogDog Oct 14.2019 — Can't say I really have any general rule, other than I always use DB prepared statements with bound parameters for any external values to ensure no SQL injection. Otherwise it's mostly case-specific validation/filtering for incoming parameters. (Cast numeric values to integer or float, trim() string values and apply an applicable filter_var() validation or sanitizing filter or custom filter in weird edge cases.)
@tracknut (author) Oct 14.2019 — So as an example, you get a request that looks like (assume no security needed):

http://movie.info?movie=Star Wars and 1=1

Your process of filtering would typically see this and report a clean error via popup or some such thing, back to the user that tells him this movie doesn't exist, yes? So the errors are treated the same as typos, even though you might know they are hacking attempts and are from bots, not people.

[edit: that's not a real link, just an example. I couldn't figure out how not to have the forum actually link to it]

[edit 2: Pretend you do client stuff too for this example, sorry :) ]
@NogDog Oct 14.2019 — If someone were trying to inject SQL, they might try to set "movie" to (using applicable URL-encoded characters) **Star Wars' or 1=1;--** (an attempt to view every record in that table). By using a prepared statement with bound parameters...

    // $pdo is an existing PDO connection; the title is passed as a bound parameter, never concatenated into the SQL
    $sql = 'select * from movies where title = :title';
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(':title' => $_GET['title']));

...the PDO magic would escape that string, so that characters that have special meaning in SQL are escaped, in particular the quote character for this example. In this case, your query would presumably not match anything, since you probably do not have a movie by that name. :) Nothing would "fail", they just wouldn't get any results, and their attempt to view every record in the DB would come to nought.
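Putting the thread's advice together in one script, as an added example that is neither NogDog's nor tracknut's code: the movie parameter is validated with filter_input(), the lookup uses a bound parameter, and a rejected request is logged and answered with a 404 rather than a bare die(). The $pdo connection and a movies table with id, title and year columns are assumptions.

```php
<?php
// Added example (not from the thread): validate, bind, and answer rejects
// with a 404 instead of die(). Assumes $pdo is an existing PDO connection
// and a table movies(id, title, year).

function rejectRequest(string $reason): void
{
    // Keep a server-side record of what was rejected so probes can be
    // reviewed later; the client only ever sees a generic "not found".
    error_log(sprintf('rejected request from %s for %s: %s',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        $_SERVER['REQUEST_URI'] ?? '-',
        $reason));
    http_response_code(404);
    exit('Not Found');
}

// Step 1: validation, the case-specific filtering NogDog describes.
// A title is limited to a sane length and a conservative character set;
// filter_input() returns null when the parameter is absent and false
// when it fails the regex, and both cases are treated as "not found".
$title = filter_input(INPUT_GET, 'movie', FILTER_VALIDATE_REGEXP, [
    'options' => ['regexp' => '/^[\p{L}\p{N} .,:\'!-]{1,100}$/u'],
]);
if ($title === null || $title === false) {
    rejectRequest('missing or malformed movie parameter');
}
$title = trim($title);

// Step 2: the query. Whatever survived validation is bound, never
// concatenated, so a quote inside the value (a title like "Ocean's 11")
// is compared literally and cannot alter the statement.
$stmt = $pdo->prepare('SELECT id, title, year FROM movies WHERE title = :title');
$stmt->execute([':title' => $title]);
$movie = $stmt->fetch(PDO::FETCH_ASSOC);

// Step 3: a typo and a probe that passed validation get the same answer,
// exactly as the thread describes: no such movie.
if ($movie === false) {
    http_response_code(404);
    exit('No movie by that name.');
}

// Encode on output so the stored title cannot inject markup into the page.
echo htmlspecialchars($movie['title'], ENT_QUOTES, 'UTF-8'),
     ' (', (int) $movie['year'], ')';
```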
@tracknut (author) Oct 14.2019 — Gotcha, thanks NogDog