[PHP] preventing sql injections
Would this function do the trick?

<?php
// validate.php - functions that validate form input
function validate_string($unsafe_string) {
    // create array containing bad words
    $badwords  = array(";", "--", "select", "drop", "insert", "xp_", "delete");
    $goodwords = array(":", "---", "choose", "leave", "add", " ", "remove");
    // check for occurrences of $badwords
    for ($i = 0; $i < 7; $i++) {
        $unsafe_string = str_replace($badwords[$i], $goodwords[$i], $unsafe_string);
    }
    $unsafe_string = AddSlashes($unsafe_string);
    $unsafe_string = trim($unsafe_string);
    $safe_string = $unsafe_string;
    Return $safe_string;
}
?>

Br, Anders

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] preventing sql injections
Why would you do all this? Just use addslashes() and let them send all the crap they want. All it will do is cause your query to return zero results, which you should be handling already.

If you're ever including a variable in an SQL query that's not enclosed in quotes, then make darn sure you've validated it's an integer before you put it in there. (int)$value is the easiest way, so long as a value of zero doesn't return anything from the database (because a string will evaluate to (int)zero).

---John Holmes...

----- Original Message -----
From: Anders Thoresson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 18, 2002 8:58 AM
Subject: [PHP] preventing sql injections

> Would this function do the trick?
>
> <?php
> // validate.php - functions that validate form input
> function validate_string($unsafe_string) {
>     // create array containing bad words
>     $badwords  = array(";", "--", "select", "drop", "insert", "xp_", "delete");
>     $goodwords = array(":", "---", "choose", "leave", "add", " ", "remove");
>     // check for occurrences of $badwords
>     for ($i = 0; $i < 7; $i++) {
>         $unsafe_string = str_replace($badwords[$i], $goodwords[$i], $unsafe_string);
>     }
>     $unsafe_string = AddSlashes($unsafe_string);
>     $unsafe_string = trim($unsafe_string);
>     $safe_string = $unsafe_string;
>     Return $safe_string;
> }
> ?>
>
> Br, Anders
Re: [PHP] preventing sql injections
addslashes should be enough and put quotes around your strings in the sql

At 14:58 18-12-02 +0100, Anders Thoresson wrote:
> Would this function do the trick?
>
> <?php
> // validate.php - functions that validate form input
> function validate_string($unsafe_string) {
>     // create array containing bad words
>     $badwords  = array(";", "--", "select", "drop", "insert", "xp_", "delete");
>     $goodwords = array(":", "---", "choose", "leave", "add", " ", "remove");
>     // check for occurrences of $badwords
>     for ($i = 0; $i < 7; $i++) {
>         $unsafe_string = str_replace($badwords[$i], $goodwords[$i], $unsafe_string);
>     }
>     $unsafe_string = AddSlashes($unsafe_string);
>     $unsafe_string = trim($unsafe_string);
>     $safe_string = $unsafe_string;
>     Return $safe_string;
> }
> ?>
>
> Br, Anders
Re: [PHP] preventing sql injections
> addslashes should be enough and put quotes around your strings in the sql

Meaning that a query like this one is safe, as long as I first have $e_namn = addslashes($e_namn);?

$query = "INSERT INTO addr (last_name, first_name, email) VALUES(\"$e_namn\",\"$f_namn\",\"$email\")";
Re: [PHP] preventing sql injections
> > addslashes should be enough and put quotes around your strings in the sql
>
> Meaning that a query like this one is safe, as long as I first have $e_namn = addslashes($e_namn);?
>
> $query = "INSERT INTO addr (last_name, first_name, email) VALUES(\"$e_namn\",\"$f_namn\",\"$email\")";

Yeah, as long as you do the same for $f_namn and $email.

---John Holmes...
Re: [PHP] preventing sql injections
Also, please note that if you're using MySQL you don't have to bother at all security-wise - MySQL won't accept more than one query per mysql_query(). You do have to bother about regular errors though - if $f_namn or $email contain quotes (which $email might well contain) then you're going to end up with a database ERROR - but no harm done.

Bogdan

1lt John W. Holmes wrote:
> > > addslashes should be enough and put quotes around your strings in the sql
> >
> > Meaning that a query like this one is safe, as long as I first have $e_namn = addslashes($e_namn);?
> >
> > $query = "INSERT INTO addr (last_name, first_name, email) VALUES(\"$e_namn\",\"$f_namn\",\"$email\")";
>
> Yeah, as long as you do the same for $f_namn and $email.
>
> ---John Holmes...
RE: [PHP] preventing sql injections
> Also, please note that if you're using MySQL you don't have to bother at all security-wise - MySQL won't accept more than one query per mysql_query(). You do have to bother about regular errors though - if $f_namn or $email contain quotes (which $email might well contain) then you're going to end up with a database ERROR - but no harm done.

Why would you say that? While technically true that only one query can be executed per mysql_query(), you still have to worry about SQL Injection. Yes, they can't inject their own SQL queries, but they could affect the ones you issue. They could add a "OR 1" onto a select, causing it to return all rows from a table and possibly let them view data they shouldn't. Or, they can do the same thing on an UPDATE and provide their own values. It's still something to be aware of and program against.

---John W. Holmes...

PHP Architect - A monthly magazine for PHP Professionals. Get your copy today. http://www.phparch.com/
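An added example (not code from the thread or from any of its posters) that puts the thread's advice in one place: John's addslashes-plus-quotes rule and his (int) rule for unquoted integers, applied to Anders' INSERT and checked against the "OR 1" tampering John describes. The names quote_value, int_value, build_insert, build_select_by_id and insert_addr are chosen here; int_value is stricter than a bare (int) cast (it rejects non-digit input instead of turning it into 0), and insert_addr goes beyond the thread by showing the same INSERT as a PDO prepared statement.

```php
<?php
// Added example: the thread's own method (addslashes + quotes, (int) for
// unquoted integers) applied to Anders' INSERT, plus a PDO prepared
// statement, which the thread does not mention. All names are chosen here.

// Escape a string value and wrap it in quotes, as John recommends, so the
// value can never terminate the literal it sits in.
function quote_value($value) {
    return "'" . addslashes($value) . "'";
}

// Validate an integer for an unquoted position such as WHERE id = ...
// A bare (int) cast turns "abc" into 0 (John's caveat), so this stricter
// variant rejects anything that is not purely digits instead.
function int_value($value) {
    if (!ctype_digit((string) $value)) {
        throw new InvalidArgumentException("not an integer: $value");
    }
    return (int) $value;
}

function build_insert($e_namn, $f_namn, $email) {
    return "INSERT INTO addr (last_name, first_name, email) VALUES("
        . quote_value($e_namn) . "," . quote_value($f_namn) . ","
        . quote_value($email) . ")";
}

function build_select_by_id($id) {
    return "SELECT * FROM addr WHERE id = " . int_value($id);
}

// Same INSERT as a PDO prepared statement: values travel separately from
// the SQL text, so the database never parses them as SQL.
function insert_addr(PDO $pdo, $e_namn, $f_namn, $email) {
    $stmt = $pdo->prepare(
        "INSERT INTO addr (last_name, first_name, email) VALUES (?, ?, ?)");
    return $stmt->execute(array($e_namn, $f_namn, $email));
}

// Constructed hostile input of the kind John describes: it tries to smuggle
// "OR 1" into the query, but escaped and quoted it stays inside the literal.
echo build_insert("Thoresson", "Anders", "x' OR 1='1"), "\n";

echo build_select_by_id("42"), "\n";
try {
    build_select_by_id("42 OR 1");   // (int) would silently give 42; rejected here
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```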
Re: [PHP] preventing sql injections
Thy words are wise, milord.

Bogdan

John W. Holmes wrote:
> > Also, please note that if you're using MySQL you don't have to bother at all security-wise - MySQL won't accept more than one query per mysql_query(). You do have to bother about regular errors though - if $f_namn or $email contain quotes (which $email might well contain) then you're going to end up with a database ERROR - but no harm done.
>
> Why would you say that? While technically true that only one query can be executed per mysql_query(), you still have to worry about SQL Injection. Yes, they can't inject their own SQL queries, but they could affect the ones you issue. They could add a "OR 1" onto a select, causing it to return all rows from a table and possibly let them view data they shouldn't. Or, they can do the same thing on an UPDATE and provide their own values. It's still something to be aware of and program against.
>
> ---John W. Holmes...
>
> PHP Architect - A monthly magazine for PHP Professionals. Get your copy today. http://www.phparch.com/