Now I realize... I sent the modified functions only to Shawn... here
goes:
function _antiSqlInjection($Target){
    $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
    $arraSanitized = array(); // start empty so an empty $Target returns an array, not null
    foreach($Target as $key => $value):
        if(is_array($value)):
            $arraSanitized[$key] = _antiSqlInjection($value); // recurse into nested arrays
        else:
            // strip the blacklisted words, then trim; escape only when magic quotes has not already done it
            $stripped = trim(str_ireplace($sanitizeRules, "", $value));
            $arraSanitized[$key] = (!get_magic_quotes_gpc()) ? addslashes($stripped) : $stripped;
        endif;
    endforeach;
    return $arraSanitized;
}
Regards,
Igor Escobar
Systems Analyst & Interface Designer
--
Personal Blog
~ blog.igorescobar.com
Online Portfolio
~ www.igorescobar.com
Twitter
~ @igorescobar
On Wed, May 6, 2009 at 2:55 PM, Igor Escobar <[email protected]> wrote:
> hun...by the way.... I forgot to mention, I am Brazilian and here in Brazil
> these words are not common ...
>
> That is a recursive function and I can use array_map because in some cases
> we obtain arrays of arrays and that will generate an error.
>
>
> Regards,
> Igor Escobar
> Systems Analyst & Interface Designer
>
> --
>
> Personal Blog
> ~ blog.igorescobar.com
> Online Portfolio
> ~ www.igorescobar.com
> Twitter
> ~ @igorescobar
>
> On Wed, May 6, 2009 at 2:36 PM, Shawn McKenzie <[email protected]> wrote:
>
>> Igor Escobar wrote:
>> > Hunnn...
>> >
>> > So, what do you think now?
>> >
>> > function _antiSqlInjection($Target){
>> >     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
>> >     $arraSanitized = array(); // start empty so an empty $Target returns an array, not null
>> >     foreach($Target as $key => $value):
>> >         if(is_array($value)):
>> >             $arraSanitized[$key] = _antiSqlInjection($value); // recurse into nested arrays
>> >         else:
>> >             // strip the blacklisted words, then trim; escape only when magic quotes has not already done it
>> >             $stripped = trim(str_ireplace($sanitizeRules, "", $value));
>> >             $arraSanitized[$key] = (!get_magic_quotes_gpc()) ? addslashes($stripped) : $stripped;
>> >         endif;
>> >     endforeach;
>> >     return $arraSanitized;
>> > }
>> >
>> Stay on list please. I don't like the ternary or the brace omissions
>> (alternate syntax) :-) however....
>>
>> My point was that in my opinion you don't need the replace at all.
>> Also, do you really want to strip all 'or', * and = from all fields?
>> These may be perfectly valid in your app. Or is a very, very common
>> word, so is from and come to think of it, where, select, insert and
>> delete.
>>
>> For any of the SQL injections to work in your query, there will need to
>> be quotes or the backtick ` in the user supplied content. The quotes
>> are escaped by mysql_real_escape_string().
>>
>> I don't see any way for a SQL injection without the user input
>> containing quotes or the backtick to break out of your query or
>> prematurely terminate an expression. Some examples here, however they
>> don't mention the backtick:
>> http://us2.php.net/manual/en/security.database.sql-injection.php
>>
>> This might be more useful:
>>
>> function _antiSqlInjection($Target)
>> {
>>     if(is_array($Target)) {
>>         // recurse: array_map calls this function on every element
>>         $Value = array_map('_antiSqlInjection', $Target);
>>     } else {
>>         if(get_magic_quotes_gpc()) {
>>             // undo magic quotes so the value is not escaped twice
>>             $Target = stripslashes($Target);
>>         }
>>         // replace backtick with single quote or whatever
>>         $Target = str_replace("`", "'", $Target);
>>         $Value = mysql_real_escape_string($Target);
>>     }
>>     return $Value;
>> }
>>
>> Thanks!
>> -Shawn
>>
>
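The contrast Shawn describes above, a keyword blacklist that mangles ordinary data versus leaving the value out of SQL parsing entirely, as an added example that is not code from this thread. It uses PDO prepared statements with an in-memory SQLite table instead of the mysql_* functions discussed, and the function name, table and sample values are constructed for the illustration.

```php
<?php
// Added example (not code from the thread). Contrasts the keyword blacklist of
// _antiSqlInjection() with a parameterized query through PDO. Assumes PHP 7+
// with the pdo_sqlite extension; the table and sample values are constructed.

// The blacklist step of Igor's function, applied the way his code intends.
function blacklistStrip(string $value): string
{
    $rules = ['OR', 'FROM', 'SELECT', 'INSERT', 'DELETE', 'WHERE',
              'DROP TABLE', 'SHOW TABLES', '*', '--', '='];
    return trim(str_ireplace($rules, '', $value));
}

// Constructed inputs: ordinary data that happens to contain blacklisted text.
// The first three are damaged by the blacklist; the quote in the last one,
// which is the character that actually matters for the query, is left alone.
$samples = ['Oregon', 'Deleted Scenes', 'width = 10', "O'Brien"];
foreach ($samples as $s) {
    printf("blacklist: %-16s -> %s\n", $s, var_export(blacklistStrip($s), true));
}

// Parameterized version: the value never takes part in SQL parsing, so no
// keyword list is needed and the data is stored exactly as entered.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, label TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO items (label) VALUES (:label)');
foreach ($samples as $s) {
    $insert->execute([':label' => $s]);
}

// Look-ups compare the bound value as a literal string: "O'Brien" is found
// with its quote intact, and "Oregon" is found because nothing stripped "OR".
$select = $db->prepare('SELECT COUNT(*) FROM items WHERE label = :label');
foreach ($samples as $s) {
    $select->execute([':label' => $s]);
    $count = (int) $select->fetchColumn();
    $select->closeCursor();
    printf("parameterized: %-16s stored verbatim: %s\n", $s, $count === 1 ? 'yes' : 'no');
}
```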