php-general Digest 8 May 2009 12:07:17 -0000 Issue 6110
Topics (messages 292388 through 292395):
Re: SQL Injection - Solution
292388 by: Eric Butera
292389 by: Shawn McKenzie
292390 by: Michael Shadle
Re: speaking of control structures...
292391 by: Clancy
[email protected], Tim-Hinnerk Heuer has invited you to open a Google
mail account
292392 by: Tim-Hinnerk Heuer
bcmath integer type?
292393 by: Michael A. Peters
292394 by: Michael A. Peters
292395 by: Robert Cummings
Administrivia:
To subscribe to the digest, e-mail:
[email protected]
To unsubscribe from the digest, e-mail:
[email protected]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
On Thu, May 7, 2009 at 9:41 AM, Igor Escobar <[email protected]> wrote:
> Ok guys, thanks.
>
>
> Regards,
> Igor Escobar
> Systems Analyst & Interface Designer
>
> --
>
> Personal Blog
> ~ blog.igorescobar.com
> Online Portfolio
> ~ www.igorescobar.com
> Twitter
> ~ @igorescobar
>
>
>
>
>
> On Thu, May 7, 2009 at 7:32 AM, Jan G.B. <[email protected]> wrote:
>
>> What about declare, cast, unhex, exec etc.?
>> Replacing everything with "" isn't so good, I believe. Others
>> mentioned it before: *, =, select, from etc. are valid words and
>> characters in another context.
>>
>> Analyse some attacks before trying to defend against them. Injections can be
>> heavily db-dependent, so filtering the common words might not be so
>> insightful.
>>
>> If you really want to go the filter approach, then check out this
>> project and learn from them. ;)
>> http://php-ids.org/
>>
>>
>> byebye
>>
>> 2009/5/6 Igor Escobar <[email protected]>:
>> > Yeah yeah, I understood that, but the point is, as I said previously, my
>> > function is not tied to any database.
>> >
>> > It is a generic function; I don't know who will use this, so I don't know
>> > what your database is, so I can't use functions like
>> > mysql_real_escape_string etc...
>> >
>> > On Wed, May 6, 2009 at 3:00 PM, Bruno Fajardo <[email protected]>
>> wrote:
>> >
>> >> 2009/5/6 Igor Escobar <[email protected]>:
>> >> > hun...by the way.... I forgot to mention, I am Brazilian and here in
>> >> > Brazil these words are not common ...
>> >>
>> >> Igor,
>> >>
>> >> I'm Brazilian too, but that is not the point. Denying the use of *any*
>> >> word as input in your app is unnecessary. The problem that you're
>> >> trying to solve has been solved a long time ago.
>> >>
>> >> Bruno.
>> >>
>> >> >
>> >> > That is a recursive function and I can use array_map because in some
>> >> > cases we obtain arrays of arrays and that will generate an error.
>> >> >
>> >> > On Wed, May 6, 2009 at 2:36 PM, Shawn McKenzie <[email protected]>
>> >> wrote:
>> >> >
>> >> >> Igor Escobar wrote:
>> >> >> > Hunnn...
>> >> >> >
>> >> >> > So, what do you think now?
>> >> >> >
>> >> >> > function _antiSqlInjection($Target){
>> >> >> >     $sanitizeRules =
>> >> >> >         array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP
>> >> >> > TABLE','SHOW TABLES','*','--','=');
>> >> >> >     $arraSanitized = array();
>> >> >> >     foreach($Target as $key => $value):
>> >> >> >         if(is_array($value)): $arraSanitized[$key] =
>> >> >> >             _antiSqlInjection($value);
>> >> >> >         else:
>> >> >> >             // trim the value first, then strip the listed words
>> >> >> >             $arraSanitized[$key] = (!get_magic_quotes_gpc()) ?
>> >> >> >                 addslashes(str_ireplace($sanitizeRules,"",trim($value))) :
>> >> >> >                 str_ireplace($sanitizeRules,"",trim($value));
>> >> >> >         endif;
>> >> >> >     endforeach;
>> >> >> >     return $arraSanitized;
>> >> >> > }
>> >> >> >
>> >> >> Stay on list please. I don't like the ternary or the brace omissions
>> >> >> (alternate syntax) :-) however....
>> >> >>
>> >> >> My point was that in my opinion you don't need the replace at all.
>> >> >> Also, do you really want to strip all 'or', * and = from all fields?
>> >> >> These may be perfectly valid in your app. Or is a very, very common
>> >> >> word, so is from and come to think of it, where, select, insert and
>> >> >> delete.
>> >> >>
>> >> >> For any of the SQL injections to work in your query, there will need
>> >> >> to be quotes or the backtick ` in the user supplied content. The quotes
>> >> >> are escaped by mysql_real_escape_string().
>> >> >>
>> >> >> I don't see any way for a SQL injection without the user input
>> >> >> containing quotes or the backtick to break out of your query or
>> >> >> prematurely terminate an expression. Some examples here, however
>> >> >> they don't mention the backtick:
>> >> >> http://us2.php.net/manual/en/security.database.sql-injection.php
>> >> >>
>> >> >> This might be more useful:
>> >> >>
>> >> >> function _antiSqlInjection($Target)
>> >> >> {
>> >> >>     if(is_array($Target)) {
>> >> >>         $Value = array_map('_antiSqlInjection', $Target);
>> >> >>     } else {
>> >> >>         if(get_magic_quotes_gpc()) {
>> >> >>             $Target = stripslashes($Target);
>> >> >>         }
>> >> >>         // replace backtick with single quote or whatever
>> >> >>         $Target = str_replace("`", "'", $Target);
>> >> >>         $Value = mysql_real_escape_string($Target);
>> >> >>     }
>> >> >>     return $Value;
>> >> >> }
>> >> >>
>> >> >> Thanks!
>> >> >> -Shawn
>> >> >>
>> >> >>
>> >> >>
>> >> >
>> >>
>> >
>>
>
Use prepared statements. All your problems go away. Look at mysqli/PDO.
--- End Message ---
--- Begin Message ---
Eric Butera wrote:
> On Thu, May 7, 2009 at 9:41 AM, Igor Escobar <[email protected]> wrote:
>
> Use prepared statements. All your problems go away. Look at mysqli/PDO.
RTFP! ;-)
He has no idea what DB will be used.
--
Thanks!
-Shawn
http://www.spidean.com
--- End Message ---
--- Begin Message ---
On Thu, May 7, 2009 at 4:28 PM, Shawn McKenzie <[email protected]> wrote:
> RTFP! ;-)
>
> He has no idea what DB will be used.
Wouldn't that be a better argument -for- using PDO? :)
--- End Message ---
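The prepared-statement route recommended in the three messages above, as an added example that is not code from any poster in the thread: the same lookup built by string concatenation (what a keyword filter tries to protect) beside a PDO prepared statement, plus the nested-array case Igor raised. The in-memory SQLite database, the users table, its rows and the input value are constructed for this demonstration.

```php
<?php
// Added example, not code from the thread. PDO with an in-memory SQLite
// database (pdo_sqlite) so it runs offline; table, rows and the input value
// are constructed. Only the DSN is driver specific: the prepared-statement
// code is unchanged for mysql:, pgsql:, odbc: (DB2) and the other PDO
// drivers, which is why PDO suits a function that does not know its database.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
    return $db;
}

// Unsafe: the value is spliced into the SQL text. A keyword blacklist like
// the thread's $sanitizeRules cannot make this safe: the quote in the input
// ends the string literal and whatever follows is parsed as SQL.
function findByNameConcat(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed when prepare() runs; $name travels as a bound
// parameter and cannot change the structure of the statement.
function findByNamePrepared(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = :name");
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Igor's case: request data may be arrays of arrays. Walk the structure and
// bind each leaf as a parameter; the statement is prepared once, run per leaf.
function insertNested(PDO $db, array $rows): int {
    $stmt = $db->prepare("INSERT INTO users (name) VALUES (:name)");
    $count = 0;
    array_walk_recursive($rows, function ($leaf) use ($stmt, &$count) {
        $stmt->execute([':name' => (string) $leaf]);
        $count++;
    });
    return $count;
}

$db = openDb();
$input = "x' OR 'a'='a";   // constructed input: contains a quote, OR and =
// Concatenation matches every user; the prepared statement matches none,
// because no stored name equals the literal text of $input.
echo count(findByNameConcat($db, $input)), " rows via concatenation\n";
echo count(findByNamePrepared($db, $input)), " rows via prepared statement\n";
// Stored as plain data, the same text is then found only by exact match.
insertNested($db, ['form' => ['nested' => [$input]]]);
echo count(findByNamePrepared($db, $input)), " row after insert\n";
```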
--- Begin Message ---
On Thu, 07 May 2009 09:33:00 -0400, [email protected] (Tom Worster) wrote:
>On 5/6/09 9:31 PM, "Clancy" <[email protected]> wrote:
>
>> I can understand your reluctance to disregard your mother's advice, but
>> unfortunately she
>> had been brainwashed to accept the dogma of the day.
>
>actually, i don't believe so. she did numerical work so she continued using
>fortran and therefore gotos for the rest of her life. i think she just
>didn't like goto. moreover, she was never dogmatic on any topic, it wasn't
>in her nature.
>
>anyway, how do you know how she came by her opinions?
>
I did not say your mother was dogmatic; but clearly she had accepted the dogma
of the day, as there is no rational reason to avoid the goto. Assuredly the goto
can be misused, but this attitude is rather like that of my wife, who is
extremely reluctant to use my sharp kitchen knives 'because they are dangerous',
and insists on using her own worn out implements that are barely suitable for
buttering toast. I know my knives are dangerous -- the odd bit of finger
occasionally sneaks into the dinner -- but they are essential to do the job
properly, and in my opinion the goto comes in the same category.

Another very useful feature of my original program was that it had an error
handler at the end, and if I detected an error, anywhere in the program, I
simply said 'goto error'. This was an assigned goto, so that I could set up
error handlers for particular circumstances if I wished. This was no longer
possible in more modern versions of Fortran, and I had to set up, and keep track
of, a complicated system of error flags to achieve the same result. Reading this
discussion, I was amused to realise that the modern system of exceptions, and
exception handlers, was designed to achieve the same end.

The operating system was extremely unfriendly, as if it detected an error it
simply terminated the job with an inscrutable message. As I only got three runs
a week anyway I went to great lengths to avoid this. I even developed my own
plotter driver, as the system one would terminate the plot if any command went
outside the specified working area. This was usually the result of a typo, and
would come good on the next instruction, so when my driver detected that the pen
had reached the edge of the working area, it would raise it, and keep track of
the position until the pen came back into the working area, whereupon it would
lower it and continue plotting.

This was relatively simple, as the plotter only had three commands; pen up, pen
down, and step one step in any of the eight directions of the compass. On the
other hand it meant I had to develop my own font set and electronic symbols.
--- End Message ---
--- Begin Message ---
I've been using Gmail and thought you might like to try it out. Here's
an invitation to create an account.
If you send me mail on here, it will probably be more secure than over
the rest of the network. Just let me know what the new address will be
in case you change mail providers.
-----------------------------------------------------------------------
Tim-Hinnerk Heuer has invited you to open a free Google Mail account.
To accept this invitation and register for your account, visit
http://mail.google.com/mail/a-f5f2afb0c7-9207f3d89b-bd8bac4aaf494e87
Once you create your account, Tim-Hinnerk Heuer will be notified with
your new email address so you can stay in touch with Google Mail!
If you haven't already heard about Google Mail, it's a new
search-based webmail service that offers:
- Over 2,700 megabytes (two gigabytes) of free storage
- Built-in Google search that instantly finds any message you want
- Automatic arrangement of messages and related replies into "conversations"
- Powerful spam protection using innovative Google technology
- No large, annoying ads--just small text ads and related pages that
are relevant to the content of your messages
To learn more about Google Mail before registering, visit:
http://mail.google.com/mail/help/intl/en_GB/benefits.html
We're still working every day to improve Google Mail, so we might ask
for your comments and suggestions periodically. We hope you'll like
Google Mail. We do. And, it's only going to get better.
Thanks,
The Google Mail Team
(If clicking the URLs in this message does not work, copy and paste
them into the address bar of your browser).
--- End Message ---
--- Begin Message ---
I'm having a problem with db2 and prepared statements.
var_dump indicates that some variables that should be type int are type
text.
These variables are the output of bcmath equations, and are integer.
Does bcmath for some reason output a text type?
I can fix it by adding 0 but I want to know if I'm using bcmath incorrectly.
--- End Message ---
--- Begin Message ---
Michael A. Peters wrote:
> I'm having a problem with db2 and prepared statements.
> var_dump indicates that some variables that should be type int are type
> text.
> These variables are the output of bcmath equations, and are integer.
> Does bcmath for some reason output a text type?
> I can fix it by adding 0 but I want to know if I'm using bcmath
> incorrectly.
LOL - I would like to know if bcmath is supposed to return int (I'm
guessing yes so it can deal with numbers outside of fp math) but I don't
think that was the issue.
$foo[] = Array($var1,$var2)
was my problem ... notice the [] ;)
--- End Message ---
--- Begin Message ---
On Thu, 2009-05-07 at 21:45 -0700, Michael A. Peters wrote:
> Michael A. Peters wrote:
> > I'm having a problem with db2 and prepared statements.
> > var_dump indicates that some variables that should be type int are type
> > text.
> >
> > These variables are the output of bcmath equations, and are integer.
> >
> > Does bcmath for some reason output a text type?
> >
> > I can fix it by adding 0 but I want to know if I'm using bcmath
> > incorrectly.
> >
>
> LOL - I would like to know if bcmath is suppose to return int (I'm
> guessing yes so it can deal with numbers outside of fp math) but I don't
> think that was the issue.
>
> $foo[] = Array($var1,$var2)
>
> was my problem ... notice the [] ;)
From the documentation at:
http://ca2.php.net/manual/en/function.bcadd.php
We see that bcadd has the prototype:
string bcadd ( string $left_operand , string $right_operand [, int $scale ] )
See the "string", that's because it takes strings and returns strings.
The reason why is in the description:
Add two arbitrary precision numbers
That arbitrary part rules out integers or even floats, since they are
fixed width datatypes (fixed width with respect to the number of bits
available to represent them). It may not be the case with what you're
doing, but with large enough (positive or negative) numbers, or numbers
with sufficient decimal places, you WILL lose precision by converting to
a real integer or floating point value.
If you don't need "arbitrary" precision functionality, then don't use
the bcxxx() functions since they are MUCH slower than doing normal math.
Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
--- End Message ---
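Rob's point that bcadd() returns strings because they stay exact where int and float cannot, as an added example that is not code from the thread. The two helpers, bcToIntOrString and bindBc, are assumptions of this example rather than PHP or PDO functions; they convert a bcmath result to a PHP int only when that is lossless and bind it to a prepared statement with the matching PDO type, which is the situation in Michael's db2 question.

```php
<?php
// Added example, not code from the thread. Shows that bcadd() returns a
// numeric string which stays exact past PHP_INT_MAX, plus two helpers that
// are assumptions of this example (not PHP or PDO functions): one converts a
// bcmath result to int only when that is lossless, the other binds it to a
// prepared statement with the matching PDO type. Requires PHP 8 with bcmath.

// Return a PHP int if the bcmath result fits exactly, else keep the string.
function bcToIntOrString(string $value): int|string {
    // Only integral strings qualify: bcmath with a scale > 0 returns "1.75".
    if (preg_match('/^-?\d+$/', $value) !== 1) {
        return $value;
    }
    // Range-check as arbitrary-precision numbers, never as PHP ints.
    if (bccomp($value, (string) PHP_INT_MAX) > 0 ||
        bccomp($value, (string) PHP_INT_MIN) < 0) {
        return $value;   // would not fit in 64 bits: keep it exact
    }
    return (int) $value;
}

// Bind a bcmath result with PARAM_INT when it is an int, PARAM_STR otherwise,
// so the database sees an integer where one fits and exact text where not.
function bindBc(PDOStatement $stmt, string $param, string $bcValue): void {
    $v = bcToIntOrString($bcValue);
    $stmt->bindValue($param, $v, is_int($v) ? PDO::PARAM_INT : PDO::PARAM_STR);
}

$small = bcadd('40', '2');                   // small integral result
$big   = bcadd((string) PHP_INT_MAX, '1');   // one past the largest PHP int
$frac  = bcadd('1.25', '0.5', 2);            // scale 2: fractional result

var_dump($small, bcToIntOrString($small));   // string in, int out
var_dump($big, bcToIntOrString($big));       // string in, string out: still exact
var_dump($frac, bcToIntOrString($frac));     // string in, string out
var_dump((int) $big);                        // a plain cast cannot hold it; the value changes
```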