What about declare, cast, unhex, exec etc.?
You replace everything, which isn't so good, I believe. Others
mentioned it before: *, =, select, from etc. are valid words and
characters in another context.
Analyse some attacks before trying to defend against them. Injections can be
heavily db-dependent.
Ok guys, thanks.
Regards,
Igor Escobar
Systems Analyst Interface Designer
--
Personal Blog
~ blog.igorescobar.com
Online Portfolio
~ www.igorescobar.com
Twitter
~ @igorescobar
On Thu, May 7, 2009 at 7:32 AM, Jan G.B. ro0ot.w...@googlemail.com wrote:
What about declare, cast, unhex,
On Thu, May 7, 2009 at 9:41 AM, Igor Escobar titiolin...@gmail.com wrote:
Ok guys, thanks.
Regards,
Igor Escobar
Systems Analyst Interface Designer
On Thu, May 7, 2009 at
Eric Butera wrote:
On
On Thu, May 7, 2009 at 4:28 PM, Shawn McKenzie nos...@mckenzies.net wrote:
RTFP! ;-)
He has no idea what DB will be used.
Wouldn't that be a better argument -for- using PDO? :)
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
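The PDO route Shawn points at, shown beside the keyword blacklist from the thread. This is an added example, not code from the thread; it assumes the pdo_sqlite extension is available, and the comments table and function names are hypothetical.

```php
<?php
// Added example, not code from the thread: the keyword blacklist discussed
// above beside a PDO prepared statement. Assumes the pdo_sqlite extension;
// the comments table and function names are hypothetical.

// Blacklist approach from the thread: strip "dangerous" tokens from input.
function blacklistSanitize(string $value): string
{
    $rules = ['OR', 'FROM', 'SELECT', 'INSERT', 'DELETE', 'WHERE',
              'DROP TABLE', 'SHOW TABLES', '*', '--', '='];
    return str_ireplace($rules, '', $value);
}

// Parameterised approach: the input is bound as data and never becomes
// part of the SQL text, whatever database PDO is talking to.
function insertComment(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

function countComments(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM comments')->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample inputs: a harmless comment that happens to contain
// blacklisted words, and the classic injection attempt the blacklist targets.
$harmless = "Select 'Export' from the menu -- Victoria's score = 2*3";
$hostile  = "x'); DROP TABLE comments; --";

// The blacklist mangles the harmless comment (OR, FROM, SELECT, *, --, = all vanish).
echo "blacklisted: ", blacklistSanitize($harmless), "\n";

// The prepared statement stores both strings verbatim; the hostile one is
// just text in a row, and the table is still there afterwards.
insertComment($db, 'igor', $harmless);
insertComment($db, 'mallory', $hostile);
foreach ($db->query('SELECT author, body FROM comments ORDER BY id') as $row) {
    printf("%s: %s\n", $row['author'], $row['body']);
}
echo "rows stored: ", countComments($db), "\n";
```

Run it with the PHP CLI; the first line shows what the blacklist does to ordinary text, and the final count shows the table survived the hostile input.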
Igor Escobar wrote:
Hi folks,
Does someone know how I can improve this function to protect my environment
vars from SQL injection attacks?
That is the function I use to do this, but some people think it is not enough:
* @uses $_REQUEST = _antiSqlInjection($_REQUEST);
* @uses $_POST =
Igor Escobar wrote:
Hunnn...
So, what do you think now?
function _antiSqlInjection($Target){
    $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
    foreach($Target as $key => $value):
        if(is_array($value)):
hun...by the way I forgot to mention, I am Brazilian and here in Brazil
these words are not common ...
That is a recursive function, and I can't use array_map because in some cases we
obtain arrays of arrays and that will generate an error.
Regards,
Igor Escobar
Systems Analyst Interface
Now I realize... I sent the modified function only to Shawn... here
it goes:
function _antiSqlInjection($Target){
    $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
    foreach($Target as $key => $value):
        if(is_array($value)):
            // nested arrays (arrays of arrays) are handled by recursion
            $Target[$key] = _antiSqlInjection($value);
        else:
            // body below the foreach was cut off in the post; reconstructed here
            // as the "replace each blacklisted token with nothing" behaviour the
            // thread discusses
            $Target[$key] = str_ireplace($sanitizeRules, '', $value);
        endif;
    endforeach;
    return $Target;
}
2009/5/6 Igor Escobar titiolin...@gmail.com:
hun...by the way I forgot to mention, I am Brazilian and here in Brazil
these words are not common ...
Igor,
I'm Brazilian too, but that is not the point. Denying the use of *any*
word as input in your app is unnecessary. The problem that you're
Yeah yeah, I understood that, but the point is, as I said previously, my
function is not tied to any database.
It is a generic function; I don't know who will use this, so I don't know what
your database is, so I can't use functions like mysql_real_escape_string etc...
Regards,
Igor Escobar
Systems
Igor Escobar wrote:
hun...by the way I forgot to mention, I am Brazilian and here in Brazil
these words are not common ...
Yes, but you can reuse your function even if you start accepting English
posts/comments, etc. You don't want this function to be specific to
your app or data because
Igor Escobar wrote:
Then
Please reply all.
Do you test with associative arrays?
Yes.
Array
(
    [test] => some stuff \here\
    [test_array] => Array
        (
            [a] => a\a
            [0] => b\'b
            [c] => Array
                (
                    [x] => x\x
                    [0] => y\'y
On Wed, May 6, 2009 at 2:25 PM, Shawn McKenzie nos...@mckenzies.net wrote:
Igor Escobar wrote:
Andrew Ballard wrote:
On Wed, May 6, 2009 at 2:25 PM, Shawn McKenzie nos...@mckenzies.net wrote:
Igor Escobar wrote: