Re: [PHP] SQL Injection - Solution

2009-05-06 Thread Michael Shadle
mysql_escape_string can be used instead. You just lose the ability to
have it match collation. I still think there should be the
mysql_escape_string or real one and allow it to pass the collation
without a database handle -or- just make a unicode/utf8 one and be
done with it.


On May 6, 2009, at 9:40 AM, Igor Escobar wrote:

> I know that using mysql_real_escape_string to do the job is better, but you
> should consider that this function doesn't have any access to the database;
> the objective of this function is to sanitize the string.
>
> And please, see my second answer; I made some updates in the function that
> are possibly relevant.
>
>
> Regards,
> Igor Escobar
> Systems Analyst & Interface Designer
>
> --
>
> Personal Blog
> ~ blog.igorescobar.com
> Online Portfolio
> ~ www.igorescobar.com
> Twitter
> ~ @igorescobar
>
>
> On Wed, May 6, 2009 at 1:14 PM, Andrew Ballard wrote:
>
> > On Wed, May 6, 2009 at 12:06 PM, Bruno Fajardo wrote:
> > > Hi there!
> > >
> > > 2009/5/6 Igor Escobar
> > >>
> > >> Hi folks,
> > >> Does someone know how I can improve this function to protect my environment
> > >> vars from SQL injection attacks?
> > >>
> > >> That is the function I use to do this, but some people think it is not enough:
> > >>
> > >>  * @uses $_REQUEST= _antiSqlInjection($_REQUEST);
> > >>  * @uses $_POST = _antiSqlInjection($_POST);
> > >>  * @uses $_GET = _antiSqlInjection($_GET);
> > >>  *
> > >>  * @author Igor Escobar
> > >>  * @email blog [at] igorescobar [dot] com
> > >>  *
> > >>  */
> > >>
> > >> function _antiSqlInjection($Target){
> > >>     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
> > >>     $arraSanitized = array();
> > >>     foreach($Target as $key => $value):
> > >>         if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
> > >>         else:
> > >>             $arraSanitized[$key] = addslashes(strip_tags(trim(str_replace($sanitizeRules,"",$value))));
> > >>         endif;
> > >>     endforeach;
> > >>     return $arraSanitized;
> > >> }
> > >>
> > >> Can you help me improve it?
> > >
> > > What if someone posts, in any form of your app, a message containing
> > > "or", "from" or "where"? Those are very common words, and eliminating
> > > them is not the best solution, IMO.
> > > Use mysql_real_escape_string() like Shawn said; possibly something
> > > like this would do the trick (from
> > > http://br2.php.net/manual/en/function.mysql-query.php):
> > >
> > > $query = sprintf("SELECT firstname, lastname, address, age FROM
> > > friends WHERE firstname='%s' AND lastname='%s'",
> > > mysql_real_escape_string($firstname),
> > > mysql_real_escape_string($lastname));
> > >
> > > Cheers,
> > > Bruno.
> >
> > +1
> >
> > I would stick with parameterized queries if available, or just use
> > mysql_real_escape_string() for these and a few more reasons:
> >
> > 1) You'll find lots of posts in the archives explaining why
> > mysql_real_escape_string() is preferred over addslashes() for this
> > purpose.
> >
> > 2) strip_tags has absolutely nothing to do with SQL injection. Neither
> > does trim(). There are cases where you would not want to use either of
> > those functions on input, but you would still need to guard against
> > injection.
> >
> > 3) DROP TABLE will work no matter how many white-space characters
> > appeared between the words. For that matter, I am pretty sure that
> > 'DROP /* some bogus SQL comment to make it past your filter */ TABLE'
> > will work also.
> >
> >
> > Andrew



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] SQL Injection - Solution

2009-05-06 Thread Igor Escobar
I know that using mysql_real_escape_string to do the job is better, but you
should consider that this function doesn't have any access to the database;
the objective of this function is to sanitize the string.

And please, see my second answer; I made some updates in the function that
are possibly relevant.


Regards,
Igor Escobar
Systems Analyst & Interface Designer

--

Personal Blog
~ blog.igorescobar.com
Online Portfolio
~ www.igorescobar.com
Twitter
~ @igorescobar





On Wed, May 6, 2009 at 1:14 PM, Andrew Ballard  wrote:

> On Wed, May 6, 2009 at 12:06 PM, Bruno Fajardo 
> wrote:
> > Hi there!
> >
> > 2009/5/6 Igor Escobar 
> >>
> >> Hi folks,
> >> Does someone know how I can improve this function to protect my environment
> >> vars from SQL injection attacks?
> >>
> >> That is the function I use to do this, but some people think it is not
> enough:
> >>
> >>  * @uses $_REQUEST= _antiSqlInjection($_REQUEST);
> >>  * @uses $_POST = _antiSqlInjection($_POST);
> >>  * @uses $_GET = _antiSqlInjection($_GET);
> >>  *
> >>  * @author Igor Escobar
> >>  * @email blog [at] igorescobar [dot] com
> >>  *
> >>  */
> >>
> >> function _antiSqlInjection($Target){
> >>    $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
> >>    $arraSanitized = array();
> >>    foreach($Target as $key => $value):
> >>        if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
> >>        else:
> >>            $arraSanitized[$key] = addslashes(strip_tags(trim(str_replace($sanitizeRules,"",$value))));
> >>        endif;
> >>    endforeach;
> >>    return $arraSanitized;
> >>
> >>
> >> }
> >>
> >> Can you help me improve it?
> >
> > What if someone posts, in any form of your app, a message containing
> > "or", "from" or "where"? Those are very common words, and eliminating
> > them is not the best solution, IMO.
> > Use mysql_real_escape_string() like Shawn said; possibly something
> > like this would do the trick (from
> > http://br2.php.net/manual/en/function.mysql-query.php):
> >
> > $query = sprintf("SELECT firstname, lastname, address, age FROM
> > friends WHERE firstname='%s' AND lastname='%s'",
> > mysql_real_escape_string($firstname),
> > mysql_real_escape_string($lastname));
> >
> > Cheers,
> > Bruno.
>
> +1
>
> I would stick with parameterized queries if available, or just use
> mysql_real_escape_string() for these and a few more reasons:
>
> 1) You'll find lots of posts in the archives explaining why
> mysql_real_escape_string() is preferred over addslashes() for this
> purpose.
>
> 2) strip_tags has absolutely nothing to do with SQL injection. Neither
> does trim(). There are cases where you would not want to use either of
> those functions on input, but you would still need to guard against
> injection.
>
> 3) DROP TABLE will work no matter how many white-space characters
> appeared between the words. For that matter, I am pretty sure that
> 'DROP /* some bogus SQL comment to make it past your filter */ TABLE'
> will work also.
>
>
> Andrew
>


Re: [PHP] SQL Injection - Solution

2009-05-06 Thread Andrew Ballard
On Wed, May 6, 2009 at 12:06 PM, Bruno Fajardo  wrote:
> Hi there!
>
> 2009/5/6 Igor Escobar 
>>
>> Hi folks,
>> Does someone know how I can improve this function to protect my environment
>> vars from SQL injection attacks?
>>
>> That is the function I use to do this, but some people think it is not enough:
>>
>>  * @uses $_REQUEST= _antiSqlInjection($_REQUEST);
>>  * @uses $_POST = _antiSqlInjection($_POST);
>>  * @uses $_GET = _antiSqlInjection($_GET);
>>  *
>>  * @author Igor Escobar
>>  * @email blog [at] igorescobar [dot] com
>>  *
>>  */
>>
>> function _antiSqlInjection($Target){
>>        $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
>>        $arraSanitized = array();
>>        foreach($Target as $key => $value):
>>                if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
>>                else:
>>                        $arraSanitized[$key] = addslashes(strip_tags(trim(str_replace($sanitizeRules,"",$value))));
>>                endif;
>>        endforeach;
>>        return $arraSanitized;
>>
>>
>> }
>>
>> Can you help me improve it?
>
> What if someone posts, in any form of your app, a message containing
> "or", "from" or "where"? Those are very common words, and eliminating
> them is not the best solution, IMO.
> Use mysql_real_escape_string() like Shawn said; possibly something
> like this would do the trick (from
> http://br2.php.net/manual/en/function.mysql-query.php):
>
> $query = sprintf("SELECT firstname, lastname, address, age FROM
> friends WHERE firstname='%s' AND lastname='%s'",
> mysql_real_escape_string($firstname),
> mysql_real_escape_string($lastname));
>
> Cheers,
> Bruno.

+1

I would stick with parameterized queries if available, or just use
mysql_real_escape_string() for these and a few more reasons:

1) You'll find lots of posts in the archives explaining why
mysql_real_escape_string() is preferred over addslashes() for this
purpose.

2) strip_tags has absolutely nothing to do with SQL injection. Neither
does trim(). There are cases where you would not want to use either of
those functions on input, but you would still need to guard against
injection.

3) DROP TABLE will work no matter how many white-space characters
appeared between the words. For that matter, I am pretty sure that
'DROP /* some bogus SQL comment to make it past your filter */ TABLE'
will work also.


Andrew




Re: [PHP] SQL Injection - Solution

2009-05-06 Thread Bruno Fajardo
Hi there!

2009/5/6 Igor Escobar 
>
> Hi folks,
> Does someone know how I can improve this function to protect my environment
> vars from SQL injection attacks?
>
> That is the function I use to do this, but some people think it is not enough:
>
>  * @uses $_REQUEST= _antiSqlInjection($_REQUEST);
>  * @uses $_POST = _antiSqlInjection($_POST);
>  * @uses $_GET = _antiSqlInjection($_GET);
>  *
>  * @author Igor Escobar
>  * @email blog [at] igorescobar [dot] com
>  *
>  */
>
> function _antiSqlInjection($Target){
>        $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE','SHOW TABLES','*','--','=');
>        $arraSanitized = array();
>        foreach($Target as $key => $value):
>                if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
>                else:
>                        $arraSanitized[$key] = addslashes(strip_tags(trim(str_replace($sanitizeRules,"",$value))));
>                endif;
>        endforeach;
>        return $arraSanitized;
>
>
> }
>
> Can you help me improve it?

What if someone posts, in any form of your app, a message containing
"or", "from" or "where"? Those are very common words, and eliminating
them is not the best solution, IMO.
Use mysql_real_escape_string() like Shawn said; possibly something
like this would do the trick (from
http://br2.php.net/manual/en/function.mysql-query.php):

$query = sprintf("SELECT firstname, lastname, address, age FROM
friends WHERE firstname='%s' AND lastname='%s'",
mysql_real_escape_string($firstname),
mysql_real_escape_string($lastname));

Cheers,
Bruno.

>
>
>
> Regards,
> Igor Escobar
> Systems Analyst & Interface Designer
>
> --
>
> Personal Blog
> ~ blog.igorescobar.com
> Online Portfolio
> ~ www.igorescobar.com
> Twitter
> ~ @igorescobar
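As an added example, not code from the thread or from any of its posters: the filter Igor posted (reproduced with its missing quote and closing parentheses fixed), the driver-escaping pattern Bruno shows, and the parameterized query Andrew prefers, run side by side against an in-memory SQLite database through PDO so that no MySQL server is needed. The mysql_* functions the thread discusses were removed in PHP 7, so the escaping step uses PDO::quote() as their driver-aware counterpart. The pdo_sqlite extension is assumed; the friends table, its rows and every input value below are constructed for the demo.

```php
<?php
// Added example, not code from the thread. It puts the keyword-stripping
// filter from the thread (syntax fixed) next to driver escaping (PDO::quote,
// standing in for mysql_real_escape_string) and a bound parameter, all run
// against an in-memory SQLite database. Assumes the pdo_sqlite extension;
// the "friends" table, its rows and all inputs are constructed for this demo.

function antiSqlInjectionFilter(array $target): array
{
    // Same rule list and same pipeline as the function posted in the thread.
    $rules = ['OR', 'FROM', 'SELECT', 'INSERT', 'DELETE', 'WHERE',
              'DROP TABLE', 'SHOW TABLES', '*', '--', '='];
    $out = [];
    foreach ($target as $key => $value) {
        $out[$key] = is_array($value)
            ? antiSqlInjectionFilter($value)
            : addslashes(strip_tags(trim(str_replace($rules, '', $value))));
    }
    return $out;
}

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE friends (firstname TEXT, lastname TEXT)');
    $ins = $db->prepare('INSERT INTO friends (firstname, lastname) VALUES (?, ?)');
    foreach ([["O'Brien", 'Pat'], ['FORMER', 'Colleague']] as $row) {
        $ins->execute($row); // constructed sample rows
    }
    return $db;
}

// Bruno's pattern: build the SQL text, but let the driver escape the literal.
// PDO::quote() returns the value already wrapped in quotes.
function findEscaped(PDO $db, string $firstname): array
{
    $sql = sprintf('SELECT firstname, lastname FROM friends WHERE firstname = %s',
                   $db->quote($firstname));
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Andrew's preference: the value is bound as a parameter, so the database
// never parses it as SQL. Nothing to escape and no keyword list to maintain.
function findBound(PDO $db, string $firstname): array
{
    $stmt = $db->prepare('SELECT firstname, lastname FROM friends WHERE firstname = :fn');
    $stmt->execute([':fn' => $firstname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function demo(): array
{
    $db = makeDb();
    $r  = [];

    // Bruno's objection: ordinary text is mangled. "FORMER" loses its "OR",
    // "a=b" loses its "=", and the apostrophe in O'Brien gets a backslash.
    $f = antiSqlInjectionFilter(['name' => 'FORMER', 'eq' => 'a=b', 'q' => "O'Brien"]);
    $r['filtered'] = $f; // FMER, ab, O\'Brien

    // The mangled value no longer matches the row it came from; the escaped
    // and the bound lookups both match the original text exactly.
    $r['filtered_lookup'] = count(findBound($db, $f['q']));     // 0
    $r['escaped_lookup']  = count(findEscaped($db, "O'Brien")); // 1
    $r['bound_lookup']    = count(findBound($db, "O'Brien"));   // 1

    // Andrew's point 3: the rule list is literal and case-sensitive, so a
    // second space or lower case passes it unchanged. Escaped or bound, the
    // same text is just a name that matches no row, and the table survives.
    foreach (['DROP  TABLE friends', 'drop table friends'] as $probe) {
        $r['passes_filter'][] = antiSqlInjectionFilter(['p' => $probe])['p'] === $probe; // true
        $r['escaped_rows'][]  = count(findEscaped($db, $probe)); // 0
        $r['bound_rows'][]    = count(findBound($db, $probe));   // 0
    }
    $r['table_rows'] = count($db->query('SELECT * FROM friends')->fetchAll()); // 2
    return $r;
}

print_r(demo());
```

Running it with the PHP CLI prints the array demo() returns. The two lookups that quote or bind the value both find O'Brien, the filtered copy of that name finds nothing, and both probe strings pass the keyword list untouched while matching no row, leaving the two constructed rows in place. The bound form is the one to prefer in new code: it needs no charset or collation awareness from the caller, which is the gap Michael points at in mysql_escape_string.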
