PHP SQL injections?

[Archbob]

Hi,
I've been using this at the top of files for a long time to escape sql injections with cookies, post variables, and get variables but lately I've begun to doubt its effectiveness:

Code:

if(!get_magic_quotes_gpc())
{
  $_GET = array_map('mysql_real_escape_string', $_GET); 
  $_POST = array_map('mysql_real_escape_string', $_POST); 
  $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}
else
{  
   $_GET = array_map('stripslashes', $_GET); 
   $_POST = array_map('stripslashes', $_POST); 
   $_COOKIE = array_map('stripslashes', $_COOKIE);
   $_GET = array_map('mysql_real_escape_string', $_GET); 
   $_POST = array_map('mysql_real_escape_string', $_POST); 
   $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}

That should cover everything, whether magic quotes is turned on or not. But do you guys see a way to improve it?

I'm using the latest version of PHP 4.

[php_daemon]

Why did you start to doubt it? Where there any successful attack attempts? Other than that you're affecting the initial data, it's OK.

[Archbob]

I think I'm having trouble with people registered blank names, even though I have this statement in the code also:

Code:

if(strlen($name)<1)
{
die("You did not enter a name");
}

I also have code checking for spaces and I use the strip_tags() function but somehow there was 1 case where someone somehow registered a blank name.

[php_daemon]

Use trim() before strlen(), they might have inputted a space character. Also consider using regular expressions to define stricter rules on what characters are allowed.

[AlienDev]

Heres a bit of a register script I made for my own CMS I use on all my sites:

PHP Code:

// too long?
if ((strlen ($username || $password) > 20) || (strlen ($email) > 50)) {
$error=true;
$error_message[]='Your username, password or email address is too long.';
} 


Replace the middle 2 lines with however it is you deal with errors. At the end of my register script I use

PHP Code:

if ($error) {
do the correct stuff
} else {
handle_errors($error_message[]);
} 


[SLTP_Spencer]

You should really put people trying to register names through a preg check:

PHP Code:

if (preg_match("^[A-Za-z0-9]+$", "$username"))
{
echo 'good name';
}
else
{
echo 'bad name';
} 


Means they can only use alphanumerics.

Or if you want to allow spaces, but not at the end or beginning:

PHP Code:

if (preg_match("^[A-Za-z0-9]+[A-Za-z0-9 _-]{0,1}[A-Za-z0-9]+$", "$username"))
{
echo 'good name';
}
else
{
echo 'bad name';
} 


That will allow a username made up of alphanumerics, but with 1 space, underscore, or hyphen in the middle somewhere.
So the following names would work:
"Billy-Bob"
"0139 Noob"
"Hack_saw"
"Nospaces"

but these names wont work
" spaces "
"i love men"
"admin "
"#%()&%"

If you then check logins for the same pattern, sql injection attacks are impossible (as far as I know).

[Archbob]

I think mysql_real_escape_string handles mysql injections? No?

[php_daemon]

I think mysql_real_escape_string handles mysql injections? No?

Yes, it does. However, it is common sense to limit the characters your members can use for the usernames or validate the emails they enter, etc. In other words, make your application more fool proof.

[SLTP_Spencer]

Yes, it does. However, it is common sense to limit the characters your members can use for the usernames or validate the emails they enter, etc. In other words, make your application more fool proof.

Plus, who wants to see people with names like ~~>IAMTHEMAN<~~ or ( . Y . )?

[Archbob]

Plus, who wants to see people with names like ~~>IAMTHEMAN<~~ or ( . Y . )?

That makes sense.

[AlienDev]

Plus, who wants to see people with names like ~~>IAMTHEMAN<~~ or ( . Y . )?

I do!!! Because then I can change it to "IAMTHEWOMAN"