Re: [PHP] Re: SQL Injection - Solution

2009-05-07 Thread Jan G.B.
What about declare, cast, unhex, exec etc.?
Replacing everything with '' isn't so good, I believe. Others
mentioned it before: *, =, select, from etc. are valid words and
characters in another context.

Analyse some attacks before trying to defend against them. Injections can be
heavily DB-dependent, so filtering the common words might not be so
insightful.

If you really want to go the filter approach, then check out this
project and learn from them. ;)
http://php-ids.org/


byebye

2009/5/6 Igor Escobar titiolin...@gmail.com:
 Yeah yeah, I understood that, but the point is... as I said previously, my
 function is not tied to any database.

 It is a generic function; I don't know who will use this, so I don't know what
 your database is, so I can't use functions like mysql_real_escape_string etc...




--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: SQL Injection - Solution

2009-05-07 Thread Igor Escobar
Ok guys, thanks.


Regards,
Igor Escobar
Systems Analyst & Interface Designer

--

Personal Blog
~ blog.igorescobar.com
Online Portfolio
~ www.igorescobar.com
Twitter
~ @igorescobar





On Thu, May 7, 2009 at 7:32 AM, Jan G.B. ro0ot.w...@googlemail.com wrote:

 What about declare, cast, unhex, exec etc.?
 Replacing everything with '' isn't so good, I believe. Others
 mentioned it before: *, =, select, from etc. are valid words and
 characters in another context.

 Analyse some attacks before trying to defend against them. Injections can be
 heavily DB-dependent, so filtering the common words might not be so
 insightful.

 If you really want to go the filter approach, then check out this
 project and learn from them. ;)
 http://php-ids.org/


 byebye




Re: [PHP] Re: SQL Injection - Solution

2009-05-07 Thread Eric Butera
On Thu, May 7, 2009 at 9:41 AM, Igor Escobar titiolin...@gmail.com wrote:
 Ok guys, thanks.



Use prepared statements.  All your problems go away.  Look at mysqli/PDO.




Re: [PHP] Re: SQL Injection - Solution

2009-05-07 Thread Shawn McKenzie
Eric Butera wrote:
 
 Use prepared statements.  All your problems go away.  Look at mysqli/PDO.

RTFP!  ;-)

He has no idea what DB will be used.

-- 
Thanks!
-Shawn
http://www.spidean.com




Re: [PHP] Re: SQL Injection - Solution

2009-05-07 Thread Michael Shadle
On Thu, May 7, 2009 at 4:28 PM, Shawn McKenzie nos...@mckenzies.net wrote:

 RTFP!  ;-)

 He has no idea what DB will be used.

Wouldn't that be a better argument -for- using PDO? :)




[PHP] Re: SQL Injection - Solution

2009-05-06 Thread Shawn McKenzie
Igor Escobar wrote:
 Hi folks,
 Does someone know how I can improve this function to protect my environment
 vars from SQL injection attacks?
 
 That is the function I use to do this, but some people think it is not enough:
 
  * @uses $_REQUEST= _antiSqlInjection($_REQUEST);
  * @uses $_POST = _antiSqlInjection($_POST);
  * @uses $_GET = _antiSqlInjection($_GET);
  *
  * @author Igor Escobar
  * @email blog [at] igorescobar [dot] com
  *
  */
 
 function _antiSqlInjection($Target){
   // keyword blacklist: every listed word/character is removed from the input
   $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE',
                          'DROP TABLE','SHOW TABLES','*','--','=');
   $arraSanitized = array();
   foreach($Target as $key => $value):
     if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
     else:
       $arraSanitized[$key] = addslashes(strip_tags(trim(str_replace($sanitizeRules,'',$value))));
     endif;
   endforeach;
   return $arraSanitized;
 }
 
 Can you help me to improve it?
 

Just at first glance, if you're going to use this type of function you
should at least use str_ireplace().  'drop table' works just as well as
'DROP TABLE'.  Also, you might want to use mysql_real_escape_string() or
similar for your DB (if you have a connection).  Or you can skip the
slash stuff until the actual query.  This may negate the need for your
replace, as quotes are normally needed to get the SQL commands to work
in your query anyway.

Finally, if magic_quotes are on you'll end up with multiple slashes in
your code as it is and if you changed the addslashes() to
mysql_real_escape_string().  Normally this is good:

if(get_magic_quotes_gpc()) {
    $value = stripslashes($value);
}
$arraSanitized[$key] = mysql_real_escape_string($value);

I also think strip_tags() or htmlentities() belongs more in a display
filter.

 
 Regards,
 Igor Escobar
 Systems Analyst & Interface Designer
 
 --
 
 Personal Blog
 ~ blog.igorescobar.com
 Online Portfolio
 ~ www.igorescobar.com
 Twitter
 ~ @igorescobar
 

-- 
Thanks!
-Shawn
http://www.spidean.com




Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Shawn McKenzie
Igor Escobar wrote:
 Hunnn...

 So, what do you think now?

 function _antiSqlInjection($Target){
   // case-insensitive removal of the listed SQL words, then addslashes()
   // unless magic_quotes already added the slashes
   $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE',
                          'DROP TABLE','SHOW TABLES','*','--','=');
   $arraSanitized = array();
   foreach($Target as $key => $value):
     if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
     else:
       $arraSanitized[$key] = (!get_magic_quotes_gpc()) ?
         addslashes(str_ireplace($sanitizeRules,'',trim($value))) :
         str_ireplace($sanitizeRules,'',trim($value));
     endif;
   endforeach;
   return $arraSanitized;
 }

Stay on list please.  I don't like the ternary or the brace omissions
(alternate syntax) :-) however

My point was that in my opinion you don't need the replace at all.
Also, do you really want to strip all 'or', * and = from all fields?
These may be perfectly valid in your app.  'Or' is a very, very common
word, so is 'from', and come to think of it, 'where', 'select', 'insert' and 'delete'.

For any of the SQL injections to work in your query, there will need to
be quotes or the backtick ` in the user supplied content.  The quotes
are escaped by mysql_real_escape_string().

I don't see any way for a SQL injection without the user input
containing quotes or the backtick to break out of your query or
prematurely terminate an expression.  Some examples here, however they
don't mention the backtick:
http://us2.php.net/manual/en/security.database.sql-injection.php

This might be more useful:

function _antiSqlInjection($Target)
{
    if(is_array($Target)) {
        // recurse into nested arrays
        $Value = array_map('_antiSqlInjection', $Target);
    } else {
        if(get_magic_quotes_gpc()) {
            // undo the slashes PHP already added so they are not doubled
            $Target = stripslashes($Target);
        }
        // replace backtick with single quote or whatever
        $Target = str_replace('`', "'", $Target);
        $Value = mysql_real_escape_string($Target);
    }
    return $Value;
}

Thanks!
-Shawn



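Eric and Michael above recommend prepared statements through PDO, which is driver-independent and so answers the "I don't know which DB" objection, and Shawn's point is that only quotes and backticks matter and that escaping belongs at the query rather than at input time. The following is an added example illustrating both; it is not code from the thread or from any of its posters. It assumes PHP 7.1 or later with the pdo_sqlite extension loaded, builds an in-memory SQLite database on the spot, and the nested request array is constructed sample input.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with the pdo_sqlite
// extension loaded; swap the DSN for a mysql: or pgsql: one and nothing else
// changes, which is the portability argument for PDO.
declare(strict_types=1);

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample input: the nested request array the thread's recursive
// sanitizer was written for. The apostrophe, the backtick, the SQL keywords
// and the "--" are ordinary data and must survive the round trip untouched.
$request = array(
    'name'    => "Robert O'Neil",
    'comment' => "Please select the order from Oregon, or drop it -- thanks",
    'tags'    => array('aa', 'b`b', array('xx', "y'y", 'z')),
);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT, comment TEXT, tags TEXT)');

/**
 * Store one request. The SQL text is fixed when the statement is prepared and
 * every user-supplied value travels as a bound parameter, so the database
 * never parses it as SQL. Nested arrays are serialised to JSON instead of
 * being walked by a keyword filter.
 */
function storeComment(PDO $pdo, array $req): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO comments (name, comment, tags) VALUES (:name, :comment, :tags)'
    );
    $stmt->execute(array(
        ':name'    => $req['name'],
        ':comment' => $req['comment'],
        ':tags'    => json_encode($req['tags']),
    ));
    return (int) $pdo->lastInsertId();
}

function loadComment(PDO $pdo, int $id): array
{
    $stmt = $pdo->prepare('SELECT name, comment, tags FROM comments WHERE id = ?');
    $stmt->execute(array($id));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $row['tags'] = json_decode($row['tags'], true);
    return $row;
}

$id  = storeComment($pdo, $request);
$row = loadComment($pdo, $id);

// Lossless round trip: no keyword stripped, no backslash added, nothing parsed as SQL.
expect($row['name'] === $request['name'], 'name intact');
expect($row['comment'] === $request['comment'], 'comment intact');
expect($row['tags'] === $request['tags'], 'nested tags intact');

// If a query really must be assembled as a string, quote each value at the
// query boundary with the driver's own quoting, which knows the connection's
// charset and the server's rules, rather than at input time with addslashes().
$sql = 'SELECT COUNT(*) FROM comments WHERE name = ' . $pdo->quote($request['name']);
expect((int) $pdo->query($sql)->fetchColumn() === 1, 'quoted lookup finds the row');

echo "stored and read back intact: {$row['name']} / {$row['comment']}\n";
```

Run it with `php example.php`. The point of the round-trip checks is that a keyword filter applied to `$_REQUEST` would have mangled the comment and the name before they ever reached the query, while parameter binding leaves the data alone and still gives the database no chance to interpret it as SQL.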



Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Igor Escobar
Hun... by the way, I forgot to mention, I am Brazilian and here in Brazil
these words are not common ...

That is a recursive function and I can use array_map because in some cases we
obtain arrays of arrays and that will generate an error.


Regards,
Igor Escobar
Systems Analyst & Interface Designer

--

Personal Blog
~ blog.igorescobar.com
Online Portfolio
~ www.igorescobar.com
Twitter
~ @igorescobar










Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Igor Escobar
Now I realize... I sent the modified function only to Shawn. Here it
goes:


function _antiSqlInjection($Target){
    // case-insensitive removal of the listed SQL words, then addslashes()
    // unless magic_quotes already added the slashes
    $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE',
                           'DROP TABLE','SHOW TABLES','*','--','=');
    $arraSanitized = array();
    foreach($Target as $key => $value):
        if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
        else:
            $arraSanitized[$key] = (!get_magic_quotes_gpc()) ?
                addslashes(str_ireplace($sanitizeRules,'',trim($value))) :
                str_ireplace($sanitizeRules,'',trim($value));
        endif;
    endforeach;
    return $arraSanitized;
}



Regards,
Igor Escobar
Systems Analyst & Interface Designer

--

Personal Blog
~ blog.igorescobar.com
Online Portfolio
~ www.igorescobar.com
Twitter
~ @igorescobar








Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Bruno Fajardo
2009/5/6 Igor Escobar titiolin...@gmail.com:
 hun...by the way I forgot to mention, I am Brazilian and here in Brazil
 these words are not common ...

Igor,

I'm Brazilian too, but that is not the point. Denying the use of *any*
word as input in your app is unnecessary. The problem that you're
trying to solve has been solved a long time ago.

Bruno.






Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Igor Escobar
Yeah yeah, I understood that, but the point is... as I said previously, my
function is not tied to any database.

It is a generic function; I don't know who will use this, so I don't know what
your database is, so I can't use functions like mysql_real_escape_string etc...


Regards,
Igor Escobar
Systems Analyst & Interface Designer

--

Personal Blog
~ blog.igorescobar.com
Online Portfolio
~ www.igorescobar.com
Twitter
~ @igorescobar





On Wed, May 6, 2009 at 3:00 PM, Bruno Fajardo bsfaja...@gmail.com wrote:

 2009/5/6 Igor Escobar titiolin...@gmail.com:
  hun...by the way I forgot to mention, I am Brazilian and here in
 Brazil
  these words are not common ...

 Igor,

 I'm brazilian too, but that is not the point. Deny the use of *any*
 word as input in your app is unnecessary. The problem that you're
 trying to solve, has been solved a long time ago.

 Bruno.

 
  That is a recursive function and i can use array_map becouse i some cases
 we
  obtain arrays of arrays and that will generate a error.
 
 
  Regards,
  Igor Escobar
  Systems Analyst  Interface Designer
 
  --
 
  Personal Blog
  ~ blog.igorescobar.com
  Online Portifolio
  ~ www.igorescobar.com
  Twitter
  ~ @igorescobar
 
 
 
 
 
  On Wed, May 6, 2009 at 2:36 PM, Shawn McKenzie nos...@mckenzies.net
 wrote:
 
  Igor Escobar wrote:
   Hunnn...
  
   So, what do you think now?
  
   function _antiSqlInjection($Target){
   $sanitizeRules =
   array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP
   TABLE','SHOW TABLES','*','--','=');
   foreach($Target as $key = $value):
   if(is_array($value)): $arraSanitized[$key] =
   _antiSqlInjection($value);
   else:
   $arraSanitized[$key] = (!get_magic_quotes_gpc()) ?
   addslashes(str_ireplace(trim($sanitizeRules,,$value))) :
   str_ireplace(trim($sanitizeRules,,$value));
   endif;
   endforeach;
   return $arraSanitized;
   }
  
  Stay on list please.  I don't like the ternary or the brace omissions
  (alternate syntax) :-) however
 
  My point was that in my opinion you don't need the replace at all.
  Also, do you really want to strip all 'or', * and = from all fields?
  These may be perfectly valid in your app.  Or is a very, very common
  word, so is from and come to think of it, where, select, insert and
 delete.
 
  For any of the SQL injections to work in your query, there will need to
  be quotes or the backtick ` in the user supplied content.  The quotes
  are escaped by mysql_real_escape_string().
 
  I don't see any way for a SQL injection without the user input
  containing quotes or the backtick to break out of your query or
  prematurely terminate an expression.  Some examples here, however they
  don't mention the backtick:
  http://us2.php.net/manual/en/security.database.sql-injection.php
 
  This might be more useful:
 
   function _antiSqlInjection($Target)
   {
       if(is_array($Target)) {
           $Value = array_map('_antiSqlInjection', $Target);
       } else {
           if(get_magic_quotes_gpc()) {
               $Target = stripslashes($Target);
           }
           // replace backtick with single quote or whatever
           $Target = str_replace("`", "'", $Target);
           $Value = mysql_real_escape_string($Target);
       }
       return $Value;
   }
 
  Thanks!
  -Shawn
 
 
 
 


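The two approaches quoted above, side by side, as an added example that is not code from any poster in this thread: a keyword blacklist in the style of `_antiSqlInjection()` run over ordinary comment text, and the database-independent alternative Igor is asking for, a prepared statement with bound parameters through PDO. The in-memory SQLite database is used only so the script runs offline (it assumes the pdo_sqlite extension); the table, column and sample inputs are constructed for the example.

```php
<?php
// Added example, not code from any poster in this thread.
// Assumes the pdo_sqlite extension; SQLite in memory is used only so the
// script runs offline, and the table, column and inputs are constructed.

// A keyword blacklist in the style of the thread's _antiSqlInjection():
// strip SQL words case-insensitively, then backslash-escape what is left.
function blacklistSanitize($value)
{
    $rules = array('OR', 'FROM', 'SELECT', 'INSERT', 'DELETE', 'WHERE',
                   'DROP TABLE', 'SHOW TABLES', '*', '--', '=');
    if (is_array($value)) {
        return array_map('blacklistSanitize', $value);   // recurse, keys kept
    }
    return addslashes(str_ireplace($rules, '', trim($value)));
}

// Constructed sample input: ordinary comment text with nothing hostile in it.
$comments = array(
    'I come from Oregon',   // "from", and "Or" inside "Oregon"
    'Select your color',    // "Select", and "or" inside "color"
    "Rock 'n' roll",        // the quote is the only character that matters
);

echo "Blacklist output (legitimate words vanish, the quote is merely escaped):\n";
foreach ($comments as $c) {
    printf("  %-20s -> %s\n", $c, blacklistSanitize($c));
}

// The database-independent answer: a prepared statement. The SQL text is fixed
// and the values travel separately as parameters, so the driver behind the PDO
// connection (MySQL, SQLite, SQL Server, ...) applies its own rules and the
// application code never escapes or strips anything.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
foreach ($comments as $c) {
    $insert->execute(array(':body' => $c));   // stored verbatim
}

// Reading back by the same mechanism: the quote in the parameter is data,
// not SQL, and the comparison matches because nothing was altered on the way in.
$select = $pdo->prepare('SELECT body FROM comments WHERE body = :body');
$select->execute(array(':body' => "Rock 'n' roll"));
$row = $select->fetch(PDO::FETCH_ASSOC);

echo "\nStored and retrieved through bound parameters: ", $row['body'], "\n";
echo "All rows, untouched:\n";
foreach ($pdo->query('SELECT body FROM comments ORDER BY id') as $r) {
    echo '  ', $r['body'], "\n";
}
```

With MySQL the same code works through `new PDO('mysql:...')`: pdo_mysql emulates prepares client-side by default, quoting with the connection's charset rules, and either way the application code is identical. The recursive walk over nested request arrays that the thread keeps returning to belongs to input validation (types, lengths, allowed values), not to query construction; the values are bound one at a time at the point where the query is run.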

Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Shawn McKenzie
Igor Escobar wrote:
 hun...by the way I forgot to mention, I am Brazilian and here in Brazil
 these words are not common ...

Yes, but you can reuse your function even if you start accepting English
posts/comments, etc.  You don't want this function to be specific to
your app or data because it isn't extensible or portable.  Also, I
suspect that there are some words in Portuguese that contain or,
which would be removed.

 
 That is a recursive function and I can use array_map because in some cases we
 obtain arrays of arrays and that will generate an error.
 

Yes, it is recursive, so that it works on arrays of arrays :-)  No error
that I have seen.

$_GET = array(
    'test' => 'some stuff "here"',
    'test_array' => array('a"a', 'b`b', array('x"x', 'y`y', 'z'))
);

print_r(_antiSqlInjection($_GET));

Array
(
    [test] => some stuff \"here\"
    [test_array] => Array
        (
            [0] => a\"a
            [1] => b\'b
            [2] => Array
                (
                    [0] => x\"x
                    [1] => y\'y
                    [2] => z
                )

        )

)

-- 
Thanks!
-Shawn
http://www.spidean.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Shawn McKenzie
Igor Escobar wrote:
 Yeah yeah, I understood that, but the point is... I said previously, my
 function is not tied to any database.
 
 It is a generic function, I don't know who will be using this, so I don't know what
 your database is, so I can't use functions like mysql_real_escape_string etc...

Then the best you can do is replace mysql_real_escape_string() with
addslashes() or possibly addcslashes() and build your own list.


-- 
Thanks!
-Shawn
http://www.spidean.com




Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Shawn McKenzie
Please reply all.

 Do you test with associative arrays?

Yes.

Array
(
    [test] => some stuff \"here\"
    [test_array] => Array
        (
            [a] => a\"a
            [0] => b\'b
            [c] => Array
                (
                    [x] => x\"x
                    [0] => y\'y
                    [1] => z
                )

        )

)

Thanks!
-Shawn




Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Andrew Ballard
On Wed, May 6, 2009 at 2:25 PM, Shawn McKenzie nos...@mckenzies.net wrote:
 Igor Escobar wrote:
 Yeah yeah, I understood that, but the point is... I said previously, my
 function is not tied to any database.
 
 It is a generic function, I don't know who will be using this, so I don't know what
 your database is, so I can't use functions like mysql_real_escape_string etc...
 
 Then the best you can do is replace mysql_real_escape_string() with
 addslashes() or possibly addcslashes() and build your own list.



You can't just use addslashes() or addcslashes(). You have to know
what database you are using because the escape sequences are
different.  In MySQL, single quote characters are escaped by a
backslash. In SQL Server, they are escaped by doubling them.

There are a lot of libraries available that already do this. If
someone wants to write yet another one, it would probably be
worthwhile to dissect some of those existing libraries to see how they
handle work under the hood.

Andrew

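Andrew's point about escape sequences differing per database, as an added example that is not code from the thread: the same value quoted the MySQL way (backslash escaping, the characters `mysql_real_escape_string()` handles) and the SQL Server / ANSI way (doubling the quote), plus a small checker that reads each result back with ANSI rules to show where the literal actually ends. The helper names and the sample value are constructed for the example; the MySQL-style function assumes a single-byte or UTF-8 connection charset.

```php
<?php
// Added example, not code from the thread: the same value quoted for two SQL
// dialects, plus a small check that reads the result back with ANSI rules.

// MySQL-style: backslash escaping of the characters mysql_real_escape_string()
// handles (NUL, \n, \r, \, ', " and Ctrl-Z). Assumes a single-byte or UTF-8
// connection charset; multibyte charsets are one reason the real function
// needs the connection handle rather than a static table like this one.
function quoteMysqlStyle($s)
{
    $map = array(
        "\x00" => '\\0',  "\n" => '\\n',  "\r"   => '\\r',
        '\\'   => '\\\\', "'"  => "\\'",  '"'    => '\\"',
        "\x1a" => '\\Z',
    );
    return "'" . strtr($s, $map) . "'";
}

// SQL Server / ANSI-style: inside a single-quoted literal only the quote is
// special, and it is escaped by doubling; backslash is an ordinary character.
function quoteAnsiStyle($s)
{
    return "'" . str_replace("'", "''", $s) . "'";
}

// How many characters of $sql the leading single-quoted literal covers when
// parsed with ANSI rules (a doubled quote stays inside the literal).
// Returns -1 if the literal never closes.
function ansiLiteralLength($sql)
{
    $n = strlen($sql);
    for ($i = 1; $i < $n; $i++) {
        if ($sql[$i] !== "'") {
            continue;
        }
        if ($i + 1 < $n && $sql[$i + 1] === "'") {
            $i++;          // doubled quote: skip both, stay inside the literal
            continue;
        }
        return $i + 1;     // closing quote found
    }
    return -1;
}

// Constructed sample value containing both characters the dialects disagree on.
$name = "O'Brien \\ Co";

foreach (array('MySQL-style' => quoteMysqlStyle($name),
               'ANSI-style'  => quoteAnsiStyle($name)) as $label => $lit) {
    $covered = ansiLiteralLength($lit);
    printf("%-12s %-22s ANSI parser: literal spans %d of %d chars%s\n",
        $label, $lit, $covered, strlen($lit),
        $covered === strlen($lit) ? '' : '  <- ends early, remainder is read as SQL');
}
```

Handing the MySQL-style literal to a server with ANSI rules closes the string at the backslash-quote, so escaping with the wrong function for the server gives no protection. That is why `PDO::quote()` is a method on a connection rather than a free function, and why bound parameters, which leave the quoting to the driver, sidestep the choice entirely.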



Re: [PHP] Re: SQL Injection - Solution

2009-05-06 Thread Shawn McKenzie
Andrew Ballard wrote:
 On Wed, May 6, 2009 at 2:25 PM, Shawn McKenzie nos...@mckenzies.net wrote:
 Igor Escobar wrote:
 Yeah yeah, I understood that, but the point is... I said previously, my
 function is not tied to any database.
 
 It is a generic function, I don't know who will be using this, so I don't know what
 your database is, so I can't use functions like mysql_real_escape_string etc...
 Then the best you can do is replace mysql_real_escape_string() with
 addslashes() or possibly addcslashes() and build your own list.


 
 You can't just use addslashes() or addcslashes(). You have to know
 what database you are using because the escape sequences are
 different.  In MySQL, single quote characters are escaped by a
 backslash. In SQL Server, they are escaped by doubling them.
 
 There are a lot of libraries available that already do this. If
 someone wants to write yet another one, it would probably be
 worthwhile to dissect some of those existing libraries to see how they
 handle work under the hood.
 
 Andrew

Good points.  I haven't had much experience with any DB other than MySQL
or SQLite.  Without knowing the DB, you'll either need to use one of
these libraries or convert the chars to something else like HTML entities.


-- 
Thanks!
-Shawn
http://www.spidean.com
