Hello! I’m going through a rough patch. I’ve tried ALL the techniques I found on the Internet that can stop SQL injection, and yet Havij can still get my data.
This is the code of the page I’m running the attack against:
<?php
// $MySQL_HOST, $MySQL_USER, $MySQL_USER_PASS and $MySQL_DB are assumed to be set in an included config file.
// Connect to the database first, so the escaping call below has a live connection to work with.
// new mysqli() never returns false, so "or die()" would never fire; check connect_error instead.
$mysqli = new mysqli($MySQL_HOST, $MySQL_USER, $MySQL_USER_PASS, $MySQL_DB);
if ($mysqli->connect_error) {
    die("Erro ao conectar ao bando de dados");
}
// mysqli replacement for mysql_real_escape_string(), which was removed together with the mysql extension.
$id = $mysqli->real_escape_string($_GET['id'] ?? '');
$sql = $id;
// sql_regcase() no longer exists; the /i modifier gives the same case-insensitive match.
$sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|or|=|#|\*|--|\\\\)/i", "", $sql);
$sql = trim($sql);
$sql = strip_tags($sql);
$sql = addslashes($sql);
$id = $sql;
// Only an integer ever reaches the query; with this cast plus bind_param() the filtering above is redundant.
$id = intval($id);
// Prepare the query
$sql = $mysqli->prepare('SELECT autor, noticia, data, titulo, tipo, logo FROM noticias WHERE id = ?') or die("erro ao preparar consulta");
// Bind the parameter, i --> int, datatype of column
$sql->bind_param('i', $id);
// Execute SQL
$sql->execute() or die("erro ao executar consulta");
$sql->bind_result($autor, $noticia, $data, $titulo, $tipo, $imagem);
$sql->fetch();
$sql->close();
I’ve even tried to take the parameter out of the SQL query, replacing it with a fixed number. I’ve tried to take out the query line, take out the connection line, and even BOTH! The site doesn’t even work, but Havij keeps attacking like crazy! There’s no logic to it! And to make matters worse, I turned on the SQL logs thinking that it could be taking the connection on its own and sending the statements itself or through another page, and all I find is that it runs half a dozen queries on the table with the id 999999, nothing different. Now how does a program grab my entire database with half a dozen SELECTs on a nonexistent id?
If you take out the connection line, there is no way the tool can inject SQL through that page. It may have saved its access data from a previous attempt that worked.
– bfavaretto
Your SQL log is probably not picking up all queries. Try using a different SQL monitor and keep watching! Try changing the database password in case it has your connection data.
– Renatto Machado
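The thread turns on what the database log actually shows: a burst of identical lookups on a nonexistent id, and whether any statement ever reached the server with something other than a plain integer in the `id = ?` slot. The following script is an added example, not code from the question or from either commenter. It triages MySQL general-log lines (the `<timestamp> <connection id> <command> <argument>` layout written by MySQL 5.7 and later) per connection and flags three things a defender would want to see: the same id repeated many times on one connection (scanner probing), an id value that is not a bare integer (which would mean parameter binding had been bypassed), and statements carrying injection-style tokens. The log lines, the table name `noticias` and the threshold of three repeats are constructed for the example; the column list matches the question's prepared statement.

```python
"""Triage a MySQL general query log for scanner-style probing of one prepared query.

Added example, not the original question's code. Assumes the MySQL 5.7+ general
log line layout:  <timestamp>\t<connection id> <command>\t<argument>
and that the application only ever runs the prepared SELECT from the question.
"""
import re
from collections import Counter, defaultdict

# One log line: timestamp, connection id, command, argument (the statement text).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")

# Value that ended up in the "id = ?" slot; the server logs the bound statement
# under the Execute command, or under Query if no server-side prepare was used.
ID_RE = re.compile(r"\bWHERE\s+id\s*=\s*(?P<val>.+?)\s*$", re.IGNORECASE)

# Tokens the prepared SELECT can never produce on its own; seeing one means the
# statement text was built from raw input somewhere, not from bind_param().
MARKERS = ("UNION", "INFORMATION_SCHEMA", "SLEEP(", "BENCHMARK(", "--", "/*")

# Constructed sample log: one normal visitor (conn 7), one scanner hammering a
# nonexistent id (conn 12), and one statement that bypassed binding (conn 13).
SAMPLE_LOG = """\
2019-03-04T10:00:01.000000Z\t   7 Connect\tapp@localhost on noticias using TCP/IP
2019-03-04T10:00:01.100000Z\t   7 Execute\tSELECT autor, noticia, data, titulo, tipo, logo FROM noticias WHERE id = 5
2019-03-04T10:00:02.000000Z\t   7 Quit\t
2019-03-04T10:05:00.000000Z\t  12 Connect\tapp@localhost on noticias using TCP/IP
2019-03-04T10:05:00.100000Z\t  12 Execute\tSELECT autor, noticia, data, titulo, tipo, logo FROM noticias WHERE id = 999999
2019-03-04T10:05:00.200000Z\t  12 Execute\tSELECT autor, noticia, data, titulo, tipo, logo FROM noticias WHERE id = 999999
2019-03-04T10:05:00.300000Z\t  12 Execute\tSELECT autor, noticia, data, titulo, tipo, logo FROM noticias WHERE id = 999999
2019-03-04T10:05:00.400000Z\t  12 Execute\tSELECT autor, noticia, data, titulo, tipo, logo FROM noticias WHERE id = 999999
2019-03-04T10:05:01.000000Z\t  12 Quit\t
2019-03-04T10:06:00.000000Z\t  13 Query\tSELECT autor, noticia, data, titulo, tipo, logo FROM noticias WHERE id = 999999 UNION SELECT 1,2,3,4,5,6
"""


def parse_line(line):
    """Split one general-log line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def triage_general_log(lines, repeat_threshold=3):
    """Return {connection id: findings} for connections that look suspicious.

    findings carries: 'queries' (statements seen), 'repeated_ids' (id values
    hit at least repeat_threshold times), 'non_numeric_ids' (id slot not a bare
    integer) and 'markers' (statements containing an injection-style token).
    """
    per_conn = defaultdict(lambda: {"queries": 0, "ids": Counter(),
                                    "non_numeric_ids": [], "markers": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["cmd"] not in ("Query", "Execute"):
            continue  # Connect/Quit/Prepare lines carry no statement to inspect
        info = per_conn[rec["conn"]]
        info["queries"] += 1
        arg = rec["arg"]
        idm = ID_RE.search(arg)
        if idm:
            val = idm.group("val")
            info["ids"][val] += 1
            if not re.fullmatch(r"-?\d+", val):
                info["non_numeric_ids"].append(val)
        upper = arg.upper()
        if any(tok in upper for tok in MARKERS):
            info["markers"].append(arg)

    findings = {}
    for conn, info in per_conn.items():
        repeated = {v: n for v, n in info["ids"].items() if n >= repeat_threshold}
        if repeated or info["non_numeric_ids"] or info["markers"]:
            findings[conn] = {"queries": info["queries"], "repeated_ids": repeated,
                              "non_numeric_ids": info["non_numeric_ids"],
                              "markers": info["markers"]}
    return findings


if __name__ == "__main__":
    for conn, f in sorted(triage_general_log(SAMPLE_LOG.splitlines()).items()):
        print(f"connection {conn}: {f['queries']} statements, repeated ids {f['repeated_ids']}, "
              f"non-numeric ids {f['non_numeric_ids']}, marker hits {len(f['markers'])}")
```

On the sample, connection 7 is clean and is not reported; connection 12 shows the pattern the question describes (four identical lookups on id 999999 and nothing else), which is noise from a scanner, not a leak; connection 13 is the case that would actually matter, because an id slot holding anything but an integer means the statement was not built through bind_param(). If a log from the page in the question only ever contains connections like 12, the prepared statement is doing its job and the commenters' explanation (data cached from an earlier attempt, or a different entry point) is the one to pursue.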