Thread: PHP SQL injections?
-
Mar 30, 2007, 08:51 #1
Hi,
I've been using this at the top of files for a long time to escape sql injections with cookies, post variables, and get variables but lately I've begun to doubt its effectiveness:
Code:
// Assumes a MySQL connection is already open: mysql_real_escape_string()
// needs one. Note that array_map() hands nested arrays (e.g. name[]) to
// mysql_real_escape_string() as-is, which is not a string and is not escaped.
if (!get_magic_quotes_gpc()) {
    // No magic quotes: escape the raw input once.
    $_GET    = array_map('mysql_real_escape_string', $_GET);
    $_POST   = array_map('mysql_real_escape_string', $_POST);
    $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
} else {
    // Magic quotes already added backslashes: strip them first, then escape
    // properly for MySQL so nothing is escaped twice.
    $_GET    = array_map('stripslashes', $_GET);
    $_POST   = array_map('stripslashes', $_POST);
    $_COOKIE = array_map('stripslashes', $_COOKIE);
    $_GET    = array_map('mysql_real_escape_string', $_GET);
    $_POST   = array_map('mysql_real_escape_string', $_POST);
    $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
I'm using the latest version of PHP 4.
-
Mar 30, 2007, 09:32 #2
Why did you start to doubt it? Were there any successful attack attempts? Other than that you're affecting the initial data, it's OK.
Saul
-
Mar 30, 2007, 10:04 #3
I think I'm having trouble with people registering blank names, even though I have this statement in the code also:
Code:
if (strlen($name) < 1) {
    die("You did not enter a name");
}
-
Mar 30, 2007, 10:14 #4
Use trim() before strlen(), they might have inputted a space character. Also consider using regular expressions to define stricter rules on what characters are allowed.
Saul
-
Mar 30, 2007, 13:48 #5
Here's a bit of a register script I made for my own CMS I use on all my sites:
PHP Code:
// too long? (each field checked on its own; strlen($a || $b) would only
// measure a boolean)
if (strlen($username) > 20 || strlen($password) > 20 || strlen($email) > 50) {
    $error = true;
    $error_message[] = 'Your username, password or email address is too long.';
}
PHP Code:
if ($error) {
    handle_errors($error_message);
} else {
    // do the correct stuff
}
-
Mar 30, 2007, 14:40 #6
You should really put people trying to register names through a preg check:
PHP Code:
// Letters and digits only; the pattern needs delimiters or preg_match()
// warns and returns false for every input.
if (preg_match('/^[A-Za-z0-9]+$/', $username))
{
    echo 'good name';
}
else
{
    echo 'bad name';
}
Or if you want to allow spaces, but not at the end or beginning:
PHP Code:
// At most one space, '_' or '-' in the middle, never at either end.
if (preg_match('/^[A-Za-z0-9]+[A-Za-z0-9 _-]{0,1}[A-Za-z0-9]+$/', $username))
{
    echo 'good name';
}
else
{
    echo 'bad name';
}
So the following names would work:
"Billy-Bob"
"0139 Noob"
"Hack_saw"
"Nospaces"
but these names won't work
" spaces "
"i love men"
"admin "
"#%()&%"
If you then check logins for the same pattern, sql injection attacks are impossible (as far as I know).
-
Mar 30, 2007, 15:20 #7
I think mysql_real_escape_string handles mysql injections? No?
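The following is an added example, not code from the thread or from any of its posters, that puts the thread's two points together: whitelist validation of a username (posts #4 to #6) and what mysql_real_escape_string() does and does not stop (posts #1 and #7). It assumes PHP 7.1+ with the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL so that it runs offline; sqlite_escape() is a stand-in for mysql_real_escape_string() (SQLite escapes a quote by doubling it where MySQL backslashes it, and the point below holds for both), and validate_username(), register() and count_rows() are names chosen here. Its regex differs from post #6's in allowing more than one interior separator, and because it trims first, " spaces " is accepted as "spaces".

```php
<?php
// Added example, not the thread's code. Assumes PHP 7.1+ with the pdo_sqlite
// extension. An in-memory SQLite database stands in for MySQL so the script
// runs offline; sqlite_escape() stands in for mysql_real_escape_string().
declare(strict_types=1);

// Whitelist validation as posts #4 to #6 recommend: trim() before strlen(),
// explicit length bounds, then a regex allowing letters, digits, space, '_'
// and '-' with no leading or trailing separator. Differs from post #6's
// pattern in allowing more than one interior separator ("Billy-Bob-Jr").
function validate_username(string $raw): array
{
    $name = trim($raw);
    if ($name === '') {
        return [null, 'You did not enter a name'];
    }
    if (strlen($name) < 3 || strlen($name) > 20) {
        return [null, 'Username must be 3 to 20 characters'];
    }
    if (!preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9 _-]*[A-Za-z0-9])?$/', $name)) {
        return [null, 'Username may contain only letters, digits, space, _ and -'];
    }
    return [$name, null];
}

// SQLite analogue of mysql_real_escape_string(): escape only, add no quotes.
// (SQLite escapes a quote by doubling it; MySQL uses a backslash.)
function sqlite_escape(string $s): string
{
    return str_replace("'", "''", $s);
}

// Registration: validate, then INSERT through a prepared statement so the
// name is bound as data and never parsed as SQL.
function register(PDO $pdo, string $raw): string
{
    [$name, $err] = validate_username($raw);
    if ($err !== null) {
        return "rejected: $err";
    }
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return "registered '$name'";
}

function count_rows(PDO $pdo, string $sql): int
{
    return count($pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN));
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE)');

// Constructed inputs: some of the thread's sample names plus an attack string.
foreach (['Billy-Bob', '0139 Noob', ' spaces ', '#%()&%', "x' OR '1'='1"] as $raw) {
    printf("%-16s => %s\n", var_export($raw, true), register($pdo, $raw));
}

$quotedAttack  = "x' OR '1'='1";  // aimed at a quoted string context
$numericAttack = '1 OR 1=1';      // aimed at an unquoted numeric context

// 1. Escaping works where the value sits between quotes: the attacker's
//    quote becomes part of the literal and the WHERE matches nothing.
$sql = "SELECT name FROM users WHERE name = '" . sqlite_escape($quotedAttack) . "'";
printf("quoted context, escaped:    %d rows\n", count_rows($pdo, $sql));

// 2. Escaping does nothing for "WHERE id = $id": the input holds no quote,
//    passes through unchanged and is parsed as SQL, returning every row.
$sql = 'SELECT name FROM users WHERE id = ' . sqlite_escape($numericAttack);
printf("numeric context, escaped:   %d rows\n", count_rows($pdo, $sql));

// 3. A bound parameter is compared as a value, never parsed as SQL.
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$stmt->execute([':id' => $numericAttack]);
printf("numeric context, prepared:  %d rows\n", count($stmt->fetchAll(PDO::FETCH_COLUMN)));
```

Case 2 is the one that blanket escaping at the top of a file cannot cover: with WHERE id = $id there is no quote for the escaper to neutralize, so 1 OR 1=1 is spliced in as SQL and every row comes back. Escaping only means something for a value that ends up inside quotes; a numeric context needs a cast such as (int)$id or, on PHP 5 and later with mysqli or PDO, a bound parameter as in case 3. Two further reasons the array_map() approach in post #1 is fragile: mysql_real_escape_string() needs an open MySQL connection, and it is handed an array rather than a string whenever a form submits a field like name[].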