4

I use mysql_real_escape_string() on my variables, but looking through my logs I noticed a stream of input from someone with entries like this:

${@print(md5(acunetix_wvs_security_test))}

1\" or (sleep(4)+1) limit 1 --

and so on. A huge list of them.

Is he just attempting and nothing happening? Or is my code not safe with just mysql_real_escape_string() ?

EDIT: I can't see any damage, but most of the input area's on the site have been attempted many many times. Wouldn't he have stopped if it didn't work once, realizing it was secure?

Improve this question
1
  • Note that mysql_real_escape_string is supposed to be used only for properly escaping strings to be used in MySQL strings. Commented Jan 27, 2013 at 13:29

3 Answers 3

Reset to default
9

These entries come from an Acunetix Web Vulnerability Scanning (see http://www.acunetix.com/vulnerability-scanner/ for more details).

In short this is just a robot that runs over your site and tests for known security issues. As to your question, he is just attempting. Even if your site would be vulnerably, the scanner would not try to break anything, just report the vulnerabilities to the person testing.

Maybe it is a good idea to check the logs again later, because the automatic scan may be an automated information gathering of someone, who then tries to attack your site manually, with the information he got from the automatic scan. But I dont know how critical your application is.

EDIT: No, the scanner would not have stopped. These scanners are not very smart and do not try to learn from previous results. They only work through a list of defined attacks and try them on every input/parameter they can find.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

If someone is interested here I published full list of exploits stokito.wordpress.com/2017/02/23/…
0

It seems like someone is scanning your site with acunetix venerability scanner. Can you see any changes in your database data?. If it is, he is successful.

This tool is very powerful and has designed for find so much of holes on scripts.

It's not enough to depend on mysql_real_escape_string() search more and re-architect the site. There are so much of ways to intrude to a script it's not just mysql injections.

Read more about PHP & MYSQL security.

Improve this answer

3 Comments

I can't see any damage, but most of the input area's on the site have been attempted many many times. Wouldn't he have stopped if it didn't work once, realizing it was secure?
@user1022585 There are numerous things your site could be vulnerable to, and there's probably more than just one input form. So it will try just about every combination ;)
@user1022585 phant0m is right. There are so much of known and still hidden ways to do some hazard or to secretly retrieve data. My advice is for you is. Stop worrying about that use Google to learn about security. When you start to use best practices of the language you are protected. And the key is never stop learning.
-2

If you consistently use mysql_real_escape_string, you should be safe against SQL injections.

Do note that mysql_query is getting deprecated in the future, you shouldn't use it anymore.

Improve this answer

1 Comment

Please do not use mysql_real_escape_string, this might be just as risky. Make sure to always use prepared statements.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.