Post: [PHP] Secure Database Accessing and Information
08-12-2015, 04:57 AM #1
Tustin
Balls of Steel
Intro


I know recently some people on here (namely GTA guys) have been setting up sites to sell their tools or menus on. Most of them use databases, and when it comes to databases, you need to know about one of the most common (if not the most common) exploits out there: SQL injection. Below I'll be explaining what this is, and the best way to prevent this attack.

Basic SQLi techniques


SQL injection in layman's terms is where unchecked, or unsanitized, user input is inserted into a SQL query, and the query is then executed no matter what is in it. Say for example we have some key check script that accepts one parameter:
    
https://www.tusticles.com/check.php?key=SOME-KEY-HERE


With some URL like this, you can expect check.php to contain something like so:
if (isset($_GET['key']))
{
    // user input is concatenated straight into the SQL text (this is the vulnerable version)
    $query = "SELECT * FROM `users` WHERE `key` = '".$_GET['key']."'";
}


This right here is a very bad thing because, as I mentioned, we're just trusting the user to actually input some legitimate key value and call it a day. We're not that lucky, are we?

An example of this exploit would be:
    
https://www.tusticles.com/check.php?key=hello' OR 1=1--


When that input is passed unsanitized into the query string, the query ends up looking like this:
if (isset($_GET['key']))
{
    // the injected input closes the quote, adds OR 1=1 and comments out the rest
    $query = "SELECT * FROM `users` WHERE `key` = 'hello' OR 1=1--'";
}


The -- at the end of the query basically makes anything after it a comment, thus making it do nothing. What is happening here is we're telling the database that we're looking for any key that equals hello OR if 1 = 1, which is obviously always going to be true so it'll just select every single entry in our database. Bad news! You can do much more devastating things, like deleting rows or dropping the entire database if the script uses root to access the database or uses a user with all global permissions.


Prepared queries


The best way to sanitize user inputs is to, well, not do it at all! Rather than directly inserting user input into the query or relying on some function/regex to remove any malicious characters, we're going to prepare our statements. Using this method will make it literally impossible to use SQL injection to steal info from your database. Note that this isn't the only method, as there are other functions you can use like mysqli and probably tons of third-party libraries.

What we'll be using is PDO, which creates an object that you can use to execute queries and modify your database securely. We'll start by connecting to our database of choice:
$db_host       = "localhost";
$db_user       = "tustin";
$db_password   = "my_much_more_secure_password";
$database_name = "tutorial";

// create the PDO object that every later query goes through
$pdo = new PDO("mysql:host=".$db_host.";dbname=".$database_name, $db_user, $db_password);

You should probably wrap this in a try/catch just to make sure it's working correctly. Now that we've created our database object, we can start making queries. I mentioned above that we're not manually sanitizing user input, but rather preparing our statements using parameters in the query which we will replace later. This basically says "we're only executing this one query and NOTHING ELSE", so that way MySQL won't be tricked into running multiple queries in one.
// remember our database object is $pdo
if (isset($_GET['key'])) {
    // :key is a placeholder; the SQL text never contains the user's value
    $q = "SELECT * FROM `users` WHERE `key` = :key";
    $query = $pdo->prepare($q);
    // the value is bound at execute time, so it's treated as data, never as SQL
    $query->execute(array('key' => $_GET['key']));
}

WOW! What's happening here? Well, like I said above, when we create our query, we will be setting parameters which will be replaced by the actual values later on. In this case, our variable is :key. Note the colon before the parameter name. You can use any name you want, and you can also use question marks, although I think the named parameters are much cleaner and easier to read.

All we're doing in the first line is storing our query in a variable to make things cleaner. The next line is where we tell the database about only running this one query and nothing more, no matter what is inputted by the user. This result is stored in our $query variable, which will then be used to execute it, grab the result(s), row count and whatever else.

The execute function is where we set our parameters to whatever value we need. Alternatively, you can use the function bindParam, but you need to call it once for each parameter you have set, which can be annoying. Instead I like to construct it as an array in the execute function. We create the array (using array()), then for each parameter we've made, we create a key for it (NOT to be confused with the actual parameter name we used, but a key as in the identifier of a value in the array) and then we set a value to it using =>. Below is an example of doing this with multiple parameters.
if (isset($_GET['key'], $_GET['username'])) {
    $q = "SELECT * FROM `users` WHERE `key` = :key AND `username` = :username";
    $query = $pdo->prepare($q);
    // one array entry per placeholder; the array key is the placeholder name without the colon
    $query->execute(array('key' => $_GET['key'], 'username' => $_GET['username']));
}

Same as above, but this time we check for both a key and a username.

Now how about we get the result from it?
if (isset($_GET['key'], $_GET['username'])) {
    $q = "SELECT * FROM `users` WHERE `key` = :key AND `username` = :username";
    $query = $pdo->prepare($q);
    $query->execute(array('key' => $_GET['key'], 'username' => $_GET['username']));
    // fetch() returns the first matching row as an array keyed by column name,
    // or false when nothing matched, so check before reading from it
    $data = $query->fetch();

    if ($data !== false) {
        echo $data['username'];
    }
}


To grab one row, you can use the fetch() function. This will return an array of each column in the row you selected. For multiple results, use fetchAll(). You can store this row in a variable like I did with $data and then access whichever value you want by using the column name as the key, like I did in the very last line where I echo out the username.

Let's build the final script to check if a key is legit!

$db_host       = "localhost";
$db_user       = "tustin";
$db_password   = "my_much_more_secure_password";
$database_name = "tutorial";

// create our database object
$pdo = new PDO("mysql:host=".$db_host.";dbname=".$database_name, $db_user, $db_password);

if (isset($_GET['key'])) {
    $q = "SELECT * FROM `users` WHERE `key` = :key";
    $query = $pdo->prepare($q);
    $query->execute(array('key' => $_GET['key']));
    // rowCount() reports matched rows here because pdo_mysql buffers SELECT results by default
    if ($query->rowCount() > 0) {
        die("verified BITCH!");
    } else {
        die("get the FUCK OUT!");
    }
}

We do the same stuff as before, but then we check whether the number of rows found is greater than 0, which means if it was found, show the verified message and then kill the script. Otherwise tell them it's invalid and kill the script. Obviously you'll probably want to make it cleaner and not kill the script, but instead have some nice page set up to tell them it's invalid or successful.

Fin


Breathe in, breathe out. It's a lot to take in, especially if you're new to PHP and MySQL, but seriously, if you want to safely store user information and keep your site secure, you NEED to take the time to learn about this and set it up properly. Feel free to post a comment below if you're confused about anything or just need help.

If you'd like to see more useful tutorials on security things, let me know!

The following 18 users say thank you to Tustin for this useful post:

Octolus, MLB, Bad Luck Brian, Boliberrys, Chen Madhala, Sabotage, DS, Gaukler1, Geo, Im_YouViolateMe, Joren, Kryptus, sabsnothere, Passion, zshred
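A hardened version of the final key-check script, added here as an example and not part of Tustin's post: it wraps the connection in the try/catch the post suggests, turns on exception error mode, disables emulated prepares so MySQL itself handles the :key placeholder, and uses fetchColumn() instead of rowCount(). The config file path, the read-only database account and the 64-character key limit are assumptions for the example.

```php
<?php
// Added example (not from the original post). Assumptions: a `users` table
// with a `key` column, credentials for a SELECT-only MySQL account stored in
// a PHP file outside the web root, and keys no longer than 64 characters.
declare(strict_types=1);

// Hypothetical config file returning ['host' => ..., 'name' => ..., 'user' => ..., 'password' => ...].
// Keeping it outside the document root means a misconfigured server can't serve it.
$config = require '/etc/keycheck/db_config.php';

$dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $config['host'], $config['name']);

try {
    $pdo = new PDO($dsn, $config['user'], $config['password'], [
        // Throw on every database error instead of failing silently.
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepared statements: the SQL text is sent first and
        // the bound value separately, so the value can never be parsed as SQL.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
} catch (PDOException $e) {
    // Log the detail server-side; never echo the DSN, credentials or driver
    // message to the client, since that leaks information about the database.
    error_log('DB connection failed: ' . $e->getMessage());
    http_response_code(503);
    exit('Service unavailable');
}

/**
 * Returns true when $key exists in `users`. The key is bound as a parameter,
 * so input such as  hello' OR 1=1--  is compared literally and matches nothing.
 */
function keyIsValid(PDO $pdo, string $key): bool
{
    // Reject obviously malformed input before touching the database (assumed limit).
    if ($key === '' || strlen($key) > 64) {
        return false;
    }

    // SELECT 1 ... LIMIT 1: we only need to know whether a row exists.
    $stmt = $pdo->prepare('SELECT 1 FROM `users` WHERE `key` = :key LIMIT 1');
    $stmt->execute(['key' => $key]);

    // fetchColumn() is portable across drivers; rowCount() is not guaranteed
    // to report SELECT results everywhere.
    return $stmt->fetchColumn() !== false;
}

$key = $_GET['key'] ?? null;
if (!is_string($key)) {
    // Missing key, or key[]=... which PHP turns into an array.
    http_response_code(400);
    exit('missing key');
}

header('Content-Type: text/plain; charset=utf-8');
if (keyIsValid($pdo, $key)) {
    echo 'verified';
} else {
    http_response_code(403);
    echo 'invalid key';
}
```

The account used here should hold only SELECT on the `users` table, so that even a bug elsewhere in the script cannot be turned into deleting rows or dropping the database, the outcome the post warns about when connecting as root.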
08-12-2015, 04:58 AM #2
Geo
Don't Believe The Title
Originally posted by Tustin View Post

tl;dr

The following user thanked Geo for this useful post:

Chen Madhala
08-12-2015, 05:01 AM #3
Kryptus
Former Staff Manager
This SHIT got me banned from GTA ONLINE for 420 weeks thanks ASSHOLE

The following 3 users say thank you to Kryptus for this useful post:

MLB, Geo,
08-12-2015, 05:19 AM #4
DS
Error… Cat invasion!
Originally posted by Tustin View Post
To be honest the thread was great maybe some people can learn from this and better their self on PHP and secure databases jk thread was shiet
08-12-2015, 05:22 AM #5
Tustin
Balls of Steel
Originally posted by Donkey View Post
To be honest the thread was great maybe some people can learn from this and better their self on PHP and secure databases jk thread was shiet

You're just jealous I'm helping fight against the only exploit you know how to abuse

Also that's my donkey unicorn.

The following user thanked Tustin for this useful post:

Scouse Power
08-12-2015, 05:26 AM #6
MLB
Former Moderator
Originally posted by Kryptus View Post
This SHIT got me banned from GTA ONLINE for 420 weeks thanks ASSHOLE

Please do not use offensive language. It is against the NextGenUpdate rules to swear like that. It's considered flaming. Consider yourself warned, mister. Next time is an automatic ban for 9999 years.

The following user thanked MLB for this useful post:

Kryptus
08-12-2015, 05:31 AM #7
DS
Error… Cat invasion!
Originally posted by Tustin View Post
You're just jealous I'm helping fight against the only exploit you know how to abuse

Also that's my donkey unicorn.


I know a lil Xss not enough tho
Also tew bad

The following user thanked DS for this useful post:

08-12-2015, 05:38 AM #8
Tustin
Balls of Steel
Originally posted by Donkey View Post
I know a lil Xss not enough tho
Also tew bad

XSS will be my next tutorial. Then CSRF.

The following user thanked Tustin for this useful post:

DS
08-12-2015, 07:21 AM #9
Chen Madhala
Pokemon Trainer
Nice
Been learning HTML for a while now
Gonna start PHP, I'm sure it will come in handy
08-12-2015, 07:49 AM #10
Code
Banned
Originally posted by Tustin View Post
Instructions not clear enough, dick is now stuck in SQL database.


Pls halp
