Hello Sobat ST45T, pada kesempataan kali ini ane mau share cara fix Bug SQL Injection di Website ente.
Tips and trick ini sudah 100% teruji oleh ane dan ane jamin tahan sql injection. tapi sebelum itu kalian harus tahu dulu apa itu sql injection ya jembod:v.
SQL Injection
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
Source : OWASP
Nah sekarang kalian sudah tahukan apa itu sql injection, sudah pasti ini sangat berbahaya karena masuk top 10 Vulnerability di OAWSP hingga sekarang.
SQL Injection
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
Source : OWASP
Nah sekarang kalian sudah tahukan apa itu sql injection, sudah pasti ini sangat berbahaya karena masuk top 10 Vulnerability di OAWSP hingga sekarang.
How To Patch
Kalian pasti ingin memperbaikinya kan cok? ya pasti lah makanya kalian berkunjung ke blog ini kaowkaowkao:v
1. Klen Coba Buka File yang melakukan Get / Post terhadap database,,, misal.
$id = $_GET['id'];
kalo url bakal seperti ini : .php?id=[id]2. Kita Lakukan Filter di kode tersebut dengan menggunakan fungsi str_replace seperti ini.
$iso = $_GET['id'];$filter = array('concat', 'make_set', 'export_set', '!', 'null', 'and', 'false', 'true', 'sleep', 'or', 'select', 'extractvalue', 'from', 'dual', '-', '+'. '', '%23', '%27', 'by', 'select', 'union', 'order', '(', ')');$replace = "";$id = str_replace($filter, $replace, $iso);
*Jika Terdapat error pada $replace anda bisa menggunakan array seperti ini :$replace = array('', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '');3. Save Filenya
4. Test di server anda seharusnya sudah terprotect dari sql injection (blind, extrackvalue, union based, error based)
*Thanks cok udh berkunjung ke Blog ane,
Ane harap kalian senang dan jangan sungkan sungkan untuk berkunjung ke Blog ini lagi.
0 Komentar