Re: [PHP] Re: SQL Injection - Solution
What about declare, cast, unhex, exec etc.? You replace everything with '', which isn't so good, I believe. Others mentioned it before: *, =, select, from etc. are valid words and characters in another context. Analyse some attacks before trying to defend against them. Injections can be heavily DB-dependent, so filtering the common words might not be so insightful.

If you really want to go the filter approach, then check out this project and learn from them. ;) http://php-ids.org/

byebye

2009/5/6 Igor Escobar titiolin...@gmail.com:
> Yeah yeah, I understood that, but the point is, as I said previously, my function is not tied to any database. It is a generic function; I don't know who will use this, so I don't know what your database is, so I can't use functions like mysql_real_escape_string etc...
>
> Regards,
> Igor Escobar
> Systems Analyst
> Interface Designer
> --
> Personal Blog ~ blog.igorescobar.com
> Online Portfolio ~ www.igorescobar.com
> Twitter ~ @igorescobar

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: SQL Injection - Solution
Ok guys, thanks.

Regards,
Igor Escobar

On Thu, May 7, 2009 at 7:32 AM, Jan G.B. ro0ot.w...@googlemail.com wrote:
> What about declare, cast, unhex, exec etc.? You replace everything with '', which isn't so good, I believe. Others mentioned it before: *, =, select, from etc. are valid words and characters in another context. Analyse some attacks before trying to defend against them. Injections can be heavily DB-dependent, so filtering the common words might not be so insightful.
>
> If you really want to go the filter approach, then check out this project and learn from them. ;) http://php-ids.org/
>
> byebye
Re: [PHP] Re: SQL Injection - Solution
On Thu, May 7, 2009 at 9:41 AM, Igor Escobar titiolin...@gmail.com wrote:
> Ok guys, thanks.
>
> Regards,
> Igor Escobar

Use prepared statements. All your problems go away. Look at mysqli/PDO.
Re: [PHP] Re: SQL Injection - Solution
Eric Butera wrote:
> On Thu, May 7, 2009 at 9:41 AM, Igor Escobar titiolin...@gmail.com wrote:
> > Ok guys, thanks.
>
> Use prepared statements. All your problems go away. Look at mysqli/PDO.

RTFP! ;-) He has no idea what DB will be used.

--
Thanks!
-Shawn
http://www.spidean.com
Re: [PHP] Re: SQL Injection - Solution
On Thu, May 7, 2009 at 4:28 PM, Shawn McKenzie nos...@mckenzies.net wrote:
> RTFP! ;-) He has no idea what DB will be used.

Wouldn't that be a better argument -for- using PDO? :)
[PHP] Re: SQL Injection - Solution
Igor Escobar wrote:
> Hi folks,
>
> Does someone know how I can improve this function to protect my environment vars from SQL injection attacks? That is the function I use to do this, but some people think it is not enough:
>
> /**
>  * @uses $_REQUEST = _antiSqlInjection($_REQUEST);
>  * @uses $_POST    = _antiSqlInjection($_POST);
>  * @uses $_GET     = _antiSqlInjection($_GET);
>  *
>  * @author Igor Escobar
>  * @email blog [at] igorescobar [dot] com
>  */
> function _antiSqlInjection($Target){
>     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
>     $arraSanitized = array();
>     foreach($Target as $key => $value):
>         if(is_array($value)):
>             $arraSanitized[$key] = _antiSqlInjection($value);
>         else:
>             $arraSanitized[$key] = addslashes(strip_tags(trim(str_replace($sanitizeRules, '', $value))));
>         endif;
>     endforeach;
>     return $arraSanitized;
> }
>
> Can you help me to improve it?

Just at first glance, if you're going to use this type of function you should at least use str_ireplace(). 'drop table' works just as well as 'DROP TABLE'.

Also, you might want to use mysql_real_escape_string() or similar for your DB (if you have a connection). Or you can skip the slash stuff until the actual query. This may negate the need for your replace, as quotes are normally needed to get the SQL commands to work in your query anyway.

Finally, if magic_quotes are on you'll end up with multiple slashes in your code as it is, and also if you changed the addslashes() to mysql_real_escape_string(). Normally this is good:

if(get_magic_quotes_gpc()) {
    $value = stripslashes($value);
}
$arraSanitized[$key] = mysql_real_escape_string($value);

I also think strip_tags() or htmlentities() belongs more in a display filter.

> Regards,
> Igor Escobar
> Systems Analyst
> Interface Designer

--
Thanks!
-Shawn
http://www.spidean.com
Re: [PHP] Re: SQL Injection - Solution
Igor Escobar wrote:
> Hunnn... So, what do you think now?
>
> function _antiSqlInjection($Target){
>     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
>     $arraSanitized = array();
>     foreach($Target as $key => $value):
>         if(is_array($value)):
>             $arraSanitized[$key] = _antiSqlInjection($value);
>         else:
>             $arraSanitized[$key] = (!get_magic_quotes_gpc())
>                 ? addslashes(trim(str_ireplace($sanitizeRules, '', $value)))
>                 : trim(str_ireplace($sanitizeRules, '', $value));
>         endif;
>     endforeach;
>     return $arraSanitized;
> }

Stay on list please.

I don't like the ternary or the brace omissions (alternate syntax) :-) however, my point was that in my opinion you don't need the replace at all. Also, do you really want to strip all 'or', * and = from all fields? These may be perfectly valid in your app. Or is a very, very common word, so is from and, come to think of it, where, select, insert and delete.

For any of the SQL injections to work in your query, there will need to be quotes or the backtick ` in the user supplied content. The quotes are escaped by mysql_real_escape_string(). I don't see any way for a SQL injection without the user input containing quotes or the backtick to break out of your query or prematurely terminate an expression.

Some examples here, however they don't mention the backtick:
http://us2.php.net/manual/en/security.database.sql-injection.php

This might be more useful:

function _antiSqlInjection($Target) {
    if(is_array($Target)) {
        $Value = array_map('_antiSqlInjection', $Target);
    } else {
        if(get_magic_quotes_gpc()) {
            $Target = stripslashes($Target);
        }
        // replace backtick with single quote or whatever
        $Target = str_replace('`', "'", $Target);
        $Value = mysql_real_escape_string($Target);
    }
    return $Value;
}

--
Thanks!
-Shawn
Re: [PHP] Re: SQL Injection - Solution
Hun... by the way, I forgot to mention, I am Brazilian and here in Brazil these words are not common...

That is a recursive function and I can't use array_map because in some cases we obtain arrays of arrays and that will generate an error.

Regards,
Igor Escobar

On Wed, May 6, 2009 at 2:36 PM, Shawn McKenzie nos...@mckenzies.net wrote:
> Stay on list please.
>
> I don't like the ternary or the brace omissions (alternate syntax) :-) however, my point was that in my opinion you don't need the replace at all. Also, do you really want to strip all 'or', * and = from all fields? These may be perfectly valid in your app. Or is a very, very common word, so is from and, come to think of it, where, select, insert and delete.
>
> For any of the SQL injections to work in your query, there will need to be quotes or the backtick ` in the user supplied content. The quotes are escaped by mysql_real_escape_string(). I don't see any way for a SQL injection without the user input containing quotes or the backtick to break out of your query or prematurely terminate an expression.
>
> Some examples here, however they don't mention the backtick:
> http://us2.php.net/manual/en/security.database.sql-injection.php
>
> This might be more useful:
>
> function _antiSqlInjection($Target) {
>     if(is_array($Target)) {
>         $Value = array_map('_antiSqlInjection', $Target);
>     } else {
>         if(get_magic_quotes_gpc()) {
>             $Target = stripslashes($Target);
>         }
>         // replace backtick with single quote or whatever
>         $Target = str_replace('`', "'", $Target);
>         $Value = mysql_real_escape_string($Target);
>     }
>     return $Value;
> }
>
> Thanks!
> -Shawn
Re: [PHP] Re: SQL Injection - Solution
Now I realize... I sent the modified function only to Shawn... here goes:

function _antiSqlInjection($Target){
    $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
    $arraSanitized = array();
    foreach($Target as $key => $value):
        if(is_array($value)):
            $arraSanitized[$key] = _antiSqlInjection($value);
        else:
            $arraSanitized[$key] = (!get_magic_quotes_gpc())
                ? addslashes(trim(str_ireplace($sanitizeRules, '', $value)))
                : trim(str_ireplace($sanitizeRules, '', $value));
        endif;
    endforeach;
    return $arraSanitized;
}

Regards,
Igor Escobar

On Wed, May 6, 2009 at 2:55 PM, Igor Escobar titiolin...@gmail.com wrote:
> Hun... by the way, I forgot to mention, I am Brazilian and here in Brazil these words are not common...
>
> That is a recursive function and I can't use array_map because in some cases we obtain arrays of arrays and that will generate an error.
>
> Regards,
> Igor Escobar
Re: [PHP] Re: SQL Injection - Solution
2009/5/6 Igor Escobar titiolin...@gmail.com:
> Hun... by the way, I forgot to mention, I am Brazilian and here in Brazil these words are not common...

Igor, I'm Brazilian too, but that is not the point. Denying the use of *any* word as input in your app is unnecessary. The problem that you're trying to solve has been solved a long time ago.

Bruno.

> That is a recursive function and I can't use array_map because in some cases we obtain arrays of arrays and that will generate an error.
>
> Regards,
> Igor Escobar
Re: [PHP] Re: SQL Injection - Solution
Yeah yeah, I understood that, but the point is, as I said previously, my function is not tied to any database. It is a generic function; I don't know who will use this, so I don't know what your database is, so I can't use functions like mysql_real_escape_string etc...

Regards,
Igor Escobar

On Wed, May 6, 2009 at 3:00 PM, Bruno Fajardo bsfaja...@gmail.com wrote:
> 2009/5/6 Igor Escobar titiolin...@gmail.com:
> > Hun... by the way, I forgot to mention, I am Brazilian and here in Brazil these words are not common...
>
> Igor, I'm Brazilian too, but that is not the point. Denying the use of *any* word as input in your app is unnecessary. The problem that you're trying to solve has been solved a long time ago.
>
> Bruno.
Re: [PHP] Re: SQL Injection - Solution
Igor Escobar wrote:
> Hun... by the way, I forgot to mention, I am Brazilian and here in Brazil these words are not common...

Yes, but you can reuse your function even if you start accepting English posts/comments, etc. You don't want this function to be specific to your app or data because then it isn't extensible or portable. Also, I suspect that there are some words in Portuguese that contain "or", which would be removed.

> That is a recursive function and I can't use array_map because in some cases we obtain arrays of arrays and that will generate an error.

Yes, it is recursive, so that it works on arrays of arrays :-) No error that I have seen.

$_GET = array(
    'test'       => 'some stuff "here"',
    'test_array' => array('a"a', 'b`b', array('x"x', 'y`y', 'z'))
);
print_r(_antiSqlInjection($_GET));

Array
(
    [test] => some stuff \"here\"
    [test_array] => Array
        (
            [0] => a\"a
            [1] => b\'b
            [2] => Array
                (
                    [0] => x\"x
                    [1] => y\'y
                    [2] => z
                )
        )
)

--
Thanks!
-Shawn
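An added example (mine, not Igor's or Shawn's code) that makes the "words containing or" concern concrete: it takes the keyword list and the trim(str_ireplace(...)) step from Igor's posted function and runs them over a handful of constructed, entirely harmless inputs to show what the blacklist does to legitimate data.

```php
<?php
// Added example, not code from the thread: the keyword list and the
// trim(str_ireplace(...)) step from Igor's posted function, applied to
// ordinary input that nobody would call an attack, to show what the
// blacklist silently does to legitimate data. All sample inputs are constructed.

// Copied from the $sanitizeRules array in the thread.
const SANITIZE_RULES = ['OR', 'FROM', 'SELECT', 'INSERT', 'DELETE', 'WHERE',
                        'DROP TABLE', 'SHOW TABLES', '*', '--', '='];

/** The string branch of the thread's filter, without the addslashes() step. */
function blacklistFilter(string $value): string
{
    return trim(str_ireplace(SANITIZE_RULES, '', $value));
}

/** Apply the filter to every input, print the result, and return the ones it changed. */
function showDamage(array $inputs): array
{
    $changed = [];
    foreach ($inputs as $label => $in) {
        $out = blacklistFilter($in);
        printf("%-12s %-34s -> %s\n", $label . ':', var_export($in, true), var_export($out, true));
        if ($out !== $in) {
            $changed[$label] = $out;
        }
    }
    return $changed;
}

// Constructed samples: a place name, a surname with a quote, an English
// adjective, a Portuguese noun ("form"), arithmetic in a comment field,
// a support request, and a plain string containing the single quote that
// Shawn identified as the character that actually matters.
$samples = [
    'place'      => 'Portugal',
    'surname'    => "O'Connor",
    'adjective'  => 'Comfortable shoes',
    'portuguese' => 'formulário',
    'arithmetic' => 'x = 2*3',
    'request'    => 'Please delete my old address',
    'quote'      => "it's fine",
];

$changed = showDamage($samples);
printf("\n%d of %d harmless inputs were altered; the one with the quote %s.\n",
       count($changed), count($samples), isset($changed['quote']) ? 'was too' : 'was not');
```

Running it shows 'Portugal' coming back as 'Ptugal' and "O'Connor" as "O'Conn", while the single quote passes through the filter untouched.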
Re: [PHP] Re: SQL Injection - Solution
Igor Escobar wrote:
> Yeah yeah, I understood that, but the point is, as I said previously, my function is not tied to any database. It is a generic function; I don't know who will use this, so I don't know what your database is, so I can't use functions like mysql_real_escape_string etc...

Then the best you can do is replace mysql_real_escape_string() with addslashes() or possibly addcslashes() and build your own list.

--
Thanks!
-Shawn
Re: [PHP] Re: SQL Injection - Solution
Please reply all.

> Do you test with associative arrays?

Yes.

Array
(
    [test] => some stuff \"here\"
    [test_array] => Array
        (
            [a] => a\"a
            [0] => b\'b
            [c] => Array
                (
                    [x] => x\"x
                    [0] => y\'y
                    [1] => z
                )
        )
)

Thanks!
-Shawn
Re: [PHP] Re: SQL Injection - Solution
On Wed, May 6, 2009 at 2:25 PM, Shawn McKenzie nos...@mckenzies.net wrote:
> Igor Escobar wrote:
> > Yeah yeah, I understood that, but the point is, as I said previously, my function is not tied to any database. It is a generic function; I don't know who will use this, so I don't know what your database is, so I can't use functions like mysql_real_escape_string etc...
>
> Then the best you can do is replace mysql_real_escape_string() with addslashes() or possibly addcslashes() and build your own list.

You can't just use addslashes() or addcslashes(). You have to know what database you are using because the escape sequences are different. In MySQL, single quote characters are escaped by a backslash. In SQL Server, they are escaped by doubling them.

There are a lot of libraries available that already do this. If someone wants to write yet another one, it would probably be worthwhile to dissect some of those existing libraries to see how they work under the hood.

Andrew
Re: [PHP] Re: SQL Injection - Solution
Andrew Ballard wrote:
> On Wed, May 6, 2009 at 2:25 PM, Shawn McKenzie nos...@mckenzies.net wrote:
> > Then the best you can do is replace mysql_real_escape_string() with addslashes() or possibly addcslashes() and build your own list.
>
> You can't just use addslashes() or addcslashes(). You have to know what database you are using because the escape sequences are different. In MySQL, single quote characters are escaped by a backslash. In SQL Server, they are escaped by doubling them.
>
> There are a lot of libraries available that already do this. If someone wants to write yet another one, it would probably be worthwhile to dissect some of those existing libraries to see how they work under the hood.
>
> Andrew

Good points. I haven't had much experience with any DB other than MySQL or SQLite. Without knowing the DB, you'll either need to use one of these libraries or convert the chars to something else like HTML entities.

--
Thanks!
-Shawn
http://www.spidean.com
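An added example (mine, not code from anyone in the thread) of the route Eric and Andrew point at: PDO prepared statements, which answer both the "I don't know which database" problem and Andrew's point that MySQL and SQL Server escape a quote differently, because the driver rather than the application decides how a value is carried. It assumes PHP's pdo_sqlite driver and an in-memory database so that it runs offline; the functions addUser() and findUser() are mine.

```php
<?php
// Added example, not code from the thread. The name values are bound as
// parameters, so quotes, backticks, "OR", "=" or "--" inside them are data,
// never SQL, and no keyword list or hand-written escaping is needed.
// Assumes the pdo_sqlite driver; an in-memory database keeps it offline.
// The same code runs unchanged against the MySQL or SQL Server PDO drivers.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

/** Store a user and return the new row id. The name is passed as a bound parameter. */
function addUser(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $pdo->lastInsertId();
}

/** Look up a user by the exact name the caller supplied; null when there is none. */
function findUser(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data: a surname containing a single quote and the
// substring "or", plus the backtick value from Shawn's test array.
foreach (["O'Connor", 'b`b'] as $name) {
    addUser($pdo, $name);
}

// Both come back byte-for-byte as they went in: nothing stripped by a
// keyword filter, nothing escaped twice by magic_quotes plus addslashes().
var_dump(findUser($pdo, "O'Connor"));
var_dump(findUser($pdo, 'b`b'));

// A name nobody has is simply not found, whatever characters it contains.
var_dump(findUser($pdo, "Igor's missing account"));

// Andrew's point in one call: the driver knows its own escaping rule.
// pdo_sqlite answers with the quote doubled; pdo_mysql would answer the
// same call with a backslash before the quote.
echo $pdo->quote("O'Connor"), "\n";
```

The quote() call is there only to show the driver-specific rule Andrew describes; in the lookups above no escaping happens in PHP at all, which is why the function no longer needs to know which database it talks to.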