Haha.. what the hell? Ok, I know this is an older copy of the script I wrote
because I know I took out the "All this does is escape the data" comment and I
KNOW I saw the thing about mysql_escape_string() being deprecated... don't
know why it's still in there. Hah
Thanks for pointing that out. Now off to find my newer version and make sure I
changed it there too.
-TG
= = = Original message = = =
nooooo !!!
mysql_real_escape_string()
anyhow.. good luck with your security endeavors!
On 8/25/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> I'm pretty amateur at this too, but have done a little reading on the
> subject. Here are some nuggets to ponder while the real experts write their
> responses: :)
>
> 1. Magic quotes + mysql_escape_string = double escaped stuff. I think the
> general opinion is that magic quotes are evil, but I'm sure some people like
> them. I prefer to use mysql_escape_string() since it escapes things more
> specific to MySQL than magic quotes does. Using mysql_escape_string should
> be good enough by itself.
>
> 2. Check data type. If an item is supposed to be an integer, use intval()
> before inserting into the database.
>
> 3. Watch your SQL statements for variables that can turn your statement into a
> "WHERE 1 = 1" situation that will always return TRUE.
>
> Here's something I've been playing with.. a generic function to sanitize data
> before inserting into the database. You pass it the data and the type of
> data and it'll clean it up. Nice thing about this is I designed it so if you
> say type = "phone" and you process it the same as type = "numeric".. then
> later you decide you want to process "phone" and "numeric" types separately,
> you only have to check this function, not all your lines of code.
>
> If someone has better ways of doing this, I'm all for hearing it. Please
> opine or criticize what I've posted above too. I want to learn as well.
>
> -TG
>
> Code:
>
> <?php
> /**
> * DBSanitizeData() prepares data for inserting/updating into or selecting from
> * MySQL by making sure that string data is properly escaped so as not to allow
> * 'SQL injection' type security issues from happening. No direct $_POST or $_GET
> * data should ever be used in a SQL string.
> *
> * Returns sanitized copy of data sent to it.
> *
> * Current sanitization only performs a mysql_escape_string() function but could do
> * more later.
> *
> * Example: $result = mysql_query('INSERT INTO TableName (SomeColumn) VALUES
> * (' . DBSanitizeData($_POST['somevar']) . ')');
> *
> * <pre>
> * Modification Log:
> * --------------------------------------------------
> * Created: Trevor Gryffyn - 03/28/2005
> *
> * </pre>
> *
> * @author Trevor Gryffyn <[EMAIL PROTECTED]>
> * @category Database Functions
> *
> */
> function DBSanitizeData($dbdata, $datatype = "alpha")
> {
>     switch ($datatype) {
>         case "binary":
>         case "truefalse":
>             // Normalize any common yes/no spelling to a single Y/N flag
>             $trues = array("YES", "Y", "1", "ON", "TRUE", "T");
>             $falses = array("NO", "N", "0", "OFF", "FALSE", "F");
>             if (in_array(trim(strtoupper($dbdata)), $trues)) {
>                 $dbdata = "Y";
>             } else {
>                 $dbdata = "N";
>             }
>             break;
>         case "phone":
>         case "numeric":
>         case "ssn":
>             // Keep digits only
>             $dbdata = preg_replace('/[^\d]+/s', '', $dbdata);
>             break;
>         case "float":
>         case "money":
>         case "percent":
>             // TODO: Should this be handled with floatval() or something else?
>             // Yes.. it probably should. Maybe this is better.
>             if (strstr($dbdata, ".") AND trim($dbdata) <> "") {
>                 #$dbdata = (preg_replace('/[^\d]+/s', '', $dbdata) / 100) . ".00";
>                 $dbdata = floatval(preg_replace('/[^\d]+/s', '', $dbdata) / 100);
>             } else {
>                 #$dbdata = preg_replace('/[^\d]+/s', '', $dbdata) . ".00";
>                 $dbdata = floatval(preg_replace('/[^\d]+/s', '', $dbdata));
>             }
>             break;
>         case "name":
>         case "address":
>             $dbdata = ucwords($dbdata);
>             break;
>         case "state":
>             $dbdata = strtoupper($dbdata);
>             break;
>         case "date":
>             // strtotime() failures come back as the epoch, which is 1969-12-31 in US time zones
>             $dbdata = date("Y-m-d", strtotime($dbdata));
>             if ($dbdata == "1969-12-31") $dbdata = "";
>             break;
>         case "alpha":
>         default:
>             // Nothing special, just jump down to the trim/escape
>             break;
>     }
>
>     return trim(mysql_escape_string($dbdata));
> }
>
> ?>
>
> = = = Original message = = =
>
> Greetings all:
>
> Using PHP 4.3.xx and MySQL 4.1 (and 3.xxx sometimes).
>
> I've got a ton of forms that use the $_POST variable to send information into
> the database, and I'm worried about injection attacks.
>
> My server has magic_quotes enabled, which I thought would handle most things,
> but am wondering now if I need to use mysql_escape_string on everything,
> which would mean, of course, a lot of find-and-replace and rewriting.
>
> Also, REGISTER_GLOBALS is turned off, and errors are not shown to the user
> when the site is live.
>
> Any suggestions on how to tighten up the form security, or does magic_quotes
> help enough?
>
> For what it's worth, I've tried to enter things like "pw=''" and other
> simulated attacks using the $_GET method, but haven't been able to crack the
> site. But I'm a noob at that kind of thing, so I try not to get too carried
> away with myself.
>
> Thanks,
> V
>
>
> ___________________________________________________________
> Sent by ePrompter, the premier email notification software.
> Free download at http://www.ePrompter.com.
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
--
-------------------------------------------------------------------------------
Charles Morris
[EMAIL PROTECTED]
CS Systems Group Old Dominion University
http://www.cs.odu.edu/~cmorris
http://www.cs.odu.edu/cspage/systemstaff.html
------------------------------------------------------------------------------
"Caution! Under no circumstances confuse the mesh with the interleave
operator, except under confusing circumstances!" -- the INTERCAL manual
They that give up essential liberty to obtain
a little temporary safety deserve neither
liberty nor safety. -- Benjamin Franklin, 1759
"The only secure computer is one that's unplugged, locked in a
safe, and buried 20 feet under the ground in a secret location...
and I'm not even too sure about that one" -- Dennis Huges, FBI.
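A modern counterpart to the approach discussed in the thread, added here as an example and not TG's posted function or anything else from the list: validate each field by its declared type (the DBSanitizeData() idea, but rejecting input that cannot be a legal value instead of silently "fixing" it) and then hand the values to the database as bound parameters, so escaping is never the only barrier against a quote turning up in $_POST. It assumes PHP 7 or later with the pdo_sqlite extension; SQLite stands in for MySQL so the script runs offline, and the users table, the validateField()/insertUser()/findByName() helpers and the sample values are all constructed for this demonstration.

```php
<?php
// Added example, not the list's or TG's code. Assumes PHP 7+ with pdo_sqlite.
declare(strict_types=1);

/**
 * Validate $value according to $type. Returns the cleaned value, or null when
 * the input cannot be a legal value of that type (the caller rejects it).
 */
function validateField($value, string $type)
{
    $value = trim((string) $value);
    switch ($type) {
        case 'int':
            // intval() would quietly turn "12abc" into 12; require all digits.
            return preg_match('/^-?\d+$/', $value) ? (int) $value : null;
        case 'float':
        case 'money':
            $f = filter_var($value, FILTER_VALIDATE_FLOAT);
            return $f === false ? null : $f;
        case 'truefalse':
            $b = filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
            return $b === null ? null : ($b ? 'Y' : 'N');
        case 'date':
            // strtotime("") gives false, which the thread's function mapped to the
            // 1969-12-31 sentinel; a strict format parse plus round-trip avoids that
            // and also rejects calendar nonsense such as 2005-02-30.
            $d = DateTime::createFromFormat('!Y-m-d', $value);
            return ($d && $d->format('Y-m-d') === $value) ? $value : null;
        case 'state':
            return preg_match('/^[A-Za-z]{2}$/', $value) ? strtoupper($value) : null;
        case 'alpha':
        default:
            // Free text: only a length limit here; quoting is the driver's job.
            return strlen($value) <= 255 ? $value : null;
    }
}

function insertUser(PDO $db, array $post): int
{
    $name  = validateField($post['name']  ?? '', 'alpha');
    $age   = validateField($post['age']   ?? '', 'int');
    $since = validateField($post['since'] ?? '', 'date');
    if ($name === null || $age === null || $since === null) {
        throw new InvalidArgumentException('rejected form input');
    }
    // Placeholders: the values travel separately from the SQL text, so a quote
    // inside $name cannot change the statement.
    $stmt = $db->prepare('INSERT INTO users (name, age, since) VALUES (:name, :age, :since)');
    $stmt->execute([':name' => $name, ':age' => $age, ':since' => $since]);
    return (int) $db->lastInsertId();
}

function findByName(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name, age FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER, since TEXT)');

// Constructed sample input, including a quote-based value of the "pw=''" /
// "WHERE 1 = 1" kind the thread worries about.
$hostile = "x' OR '1'='1";
insertUser($db, ['name' => 'Alice',  'age' => '34', 'since' => '2005-03-28']);
insertUser($db, ['name' => $hostile, 'age' => '40', 'since' => '2005-08-25']);

// The value is stored as a literal string: looking it up matches only its own
// row, whereas the same text concatenated into the WHERE clause would have
// matched every row.
var_dump(count(findByName($db, $hostile)) === 1);  // bool(true)
var_dump(count(findByName($db, 'Alice')) === 1);   // bool(true)

try {
    insertUser($db, ['name' => 'Bob', 'age' => '12abc', 'since' => '2005-02-30']);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";   // both age and date fail validation
}
```

Against MySQL the only change is the connection, for example `new PDO('mysql:host=...;dbname=...;charset=utf8mb4', $user, $pass)` with `PDO::ATTR_EMULATE_PREPARES` set to false so the server does the binding; the prepare/execute calls are the same. On the PHP 4.3 setup in the thread there is no PDO, and the equivalent is what Charles points to: mysql_real_escape_string() on an open connection, applied to every string value and combined with the per-type checks above rather than with magic quotes.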