I'm pretty amateur at this too, but have done a little reading on the subject.  
Here's some nuggets to ponder while the real experts write their responses: :)

1. Magic quotes + mysql_escape_string = double escaped stuff.  I think the 
general opinion is the magic quotes is evil, but I'm sure some people like it.  
I prefer to use mysql_escape_string() since it escapes things more specific to 
MySQL than magic quotes does.  Using mysql_escape_string should be good enough 
by itself.

2. Check data type.  If an item is supposed to be an integer, use intval() 
before inserting into the database.

3. What your SQL statements for variables that can turn your statement into a 
"WHERE 1 = 1" situation that will always return TRUE.

Here's something I've been playing with.. a generic function to sanitize data 
before inserting into the database.  You pass it the data and the type of data 
and it'll clean it up.  Nice thing about this is I designed it so if you say 
type = "phone" and you process it the same as type = "numeric".. then later you 
decide you want to process "phone" and "numeric" types separately, you only 
have to check this function, not all your lines of code.

If someone has better ways of doing this, I'm all for hearing it.  Please opine 
or criticize what I've posted above too.  I want to learn as well.



*~DBSanitizeData() prepares data for inserting/updating into or selecting from
* MySQL by making sure that string data is properly escaped so as not to allow
* 'SQL injection' type security issues from happening. No direct $_POST or 
* data should ever be used in a SQL string.
* Returns sanitized copy of data sent to it.
* Current sanitization only performs a mysql_escape_string() function but could 
* more later.
* Example: $result = mysql_query('INSERT INTO TableName (SomeColumn) VALUES (' 
. DBSanitizeData($_POST['somevar']) . ')');
* <pre>
* Modification Log:
* --------------------------------------------------
* Created: ~~Trevor Gryffyn - 03/28/2005
* </pre>
* @author Trevor Gryffyn <[EMAIL PROTECTED]>
* @category Database Functions
  function DBSanitizeData($dbdata, $datatype = "alpha") {
    switch ($datatype) {
      case "binary":
      case "truefalse":
        $trues = array("YES", "Y", "1", "ON", "TRUE", "T");
        $falses = array("NO", "N", "0", "OFF", "FALSE", "F");
        if (in_array(trim(strtoupper($dbdata)), $trues)) {
          $dbdata = "Y";
        } else {
          $dbdata = "N";
      case "phone":
      case "numeric":
      case "ssn":
        $dbdata = preg_replace ('/[^\d]+/s', '', $dbdata);
      case "float":
      case "money":
      case "percent":
        // TODO: Should this be handled with floatval() or something else?
        //       Yes.. it probably should. Maybe this is better.
        if (strstr($dbdata, ".") AND trim($dbdata) <> "") {
          #$dbdata = (preg_replace ('/[^\d]+/s', '', $dbdata) / 100) . ".00";
          $dbdata = floatval(preg_replace ('/[^\d]+/s', '', $dbdata) / 100);
        } else {
          #$dbdata = preg_replace ('/[^\d]+/s', '', $dbdata) . ".00";
          $dbdata = floatval(preg_replace ('/[^\d]+/s', '', $dbdata));
      case "name":
      case "address":
        $dbdata = ucwords($dbdata);
      case "state":
        $dbdata = strtoupper($dbdata);
      case "date":
        $dbdata = date("Y-m-d", strtotime($dbdata));
        if ($dbdata == "1969-12-31") $dbdata = "";
      case "alpha":
        // Nothing special, just jump down to the trim/escape
    return trim(mysql_escape_string($dbdata));

= = = Original message = = =

Greetings all:

Using PHP 4.3.xx and MySQL 4.1 (and 3.xxx sometimes).

I've got a ton of forms that use the $_POST variable to send information into 
the database, and I'm worried about injection attacks.

My server has magic_quotes enabled, which I thought would handle most things, 
but am wondering now if I need to use mysql_escape_string on everything, which 
would mean, of  course, a lot of find-and-replace and rewriting.

Also, REGISTER_GLOBALS is turned off, and errors are not shown to the user when 
the site is live.

Any suggestions on how to tighten up the form security, or does magic_quotes 
help enough?

For what it's worth, I've tried to enter things like "pw=''" and other 
simulated attackes using the $_GET method, but haven't been able to crack the 
site. But I'm a noob at that kind of thing, so I try not to get too carried 
away with myself.


Sent by ePrompter, the premier email notification software.
Free download at http://www.ePrompter.com.

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to