SQL Injection Defense – Part I (Authentication)

Dave — Wed, 27 Sep 2006 11:31:00 +0000

I want to do a couple of posts on SQL injection attack prevention. I
am going to show some of the techniques I use to ward them off. For example,
we use a three pronged approach at
the authentication point: variable binding, row counting, and syntax
detection. When a username and password are entered on the login form
we check to make sure that there is nothing obviously wrong with the
input, like password being of acceptable length and such. The next
thing we do is check to make sure there is no known SQL syntax within
the username or password. For example, if someone inputs a password
like this:


’ OR 1=1

it will get rejected at this step. All of the SQL keywords are
stored in big lookup table and checked against. The next step then is
to bind the variables instead of passing them in as plain strings. This
is a crucial step to avoid SQL injection. So instead of:


$sql="SELECT * FROM users WHERE username="$username" AND 
password="$password" LIMIT 1

we use:


$sql="SELECT * FROM users WHERE username=? AND password=? LIMIT 1
$sth=$dbh->prepare($sql);
$sth->execute($username,$password);

The final thing we do is check the row count of the result set. Even
though we used “LIMIT 1″, if there is an injection going on then we must
assume that it has been changed. Be sure and check that you have a row
count that is sane for the operation you are performing. If you are
logging someone in then you should return an error if the result count
is 0 or greater than 1, like this:


die unless($sth->rows() eq 1);

Next time I’ll focus on SQL injection that happens beyond the front
gate. Sometimes you can’t be so strict on row counts and syntax checks
once a user is inside.

Backing up a MySQL Database

Dave — Thu, 27 Jul 2006 15:59:00 +0000

Here is a good script for backing up a MySQL database nightly in a cron job. We use it here and run it from the root user’s cron job. It just keeps a rotating set of backups and shoots you an e-mail with the results each night. Before you install the script create however many days worth of backup files you want to keep. For instance if you want to always have 5 days worth of backups on hand, execute these commands as root:

# touch /root/mysql-nightly1.sql
# touch /root/mysql-nightly2.sql
# touch /root/mysql-nightly3.sql
# touch /root/mysql-nightly4.sql
# touch /root/mysql-nightly5.sql

Here is the script:

#!/bin/sh

##: Go home
cd /root

##: Keep five days of backups on hand
dumpfile=(`ls -1tr mysql-nightly?.sql`)
dbserver=’localhost’
dbadmin=’you@domain.com’

mysqldump --host=$dbserver --user=user --password=password \
 --all-databases > ${dumpfile[0]}
if [ $? -eq 0 ]; then
  echo "Successfully dumped MySql database from $dbserver."\
   | mail -s "INFO: MYSQL DATABASE DUMPED" $dbadmin
else
  echo "Error dumping MySql database from $dbserver." \
   | mail -s "ALERT: ERROR DUMPING MYSQL" $dbadmin
fi

##: Restart the database server
/sbin/service mysqld restart

cd -

Here is the cron job entry:

18 21 * * * /root/backup-database.sh > /dev/null

Southern Bread » sql

SQL Injection Defense – Part I (Authentication)

Backing up a MySQL Database