  1. #1
    Level 8 Chinese guy Archbob's Avatar
    Join Date
    Sep 2001
    Location
    Somewhere in this vast universe
    Posts
    3,732
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    PHP SQL injections?

    Hi,
    I've been using this at the top of files for a long time to escape sql injections with cookies, post variables, and get variables but lately I've begun to doubt its effectiveness:

    Code:
    if (!get_magic_quotes_gpc())
    {
        // magic quotes off: escape every top-level value once
        $_GET    = array_map('mysql_real_escape_string', $_GET);
        $_POST   = array_map('mysql_real_escape_string', $_POST);
        $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
    }
    else
    {
        // magic quotes on: remove its backslashes first, then escape
        $_GET    = array_map('stripslashes', $_GET);
        $_POST   = array_map('stripslashes', $_POST);
        $_COOKIE = array_map('stripslashes', $_COOKIE);
        $_GET    = array_map('mysql_real_escape_string', $_GET);
        $_POST   = array_map('mysql_real_escape_string', $_POST);
        $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
    }
    That should cover everything, whether magic quotes is turned on or not. But do you guys see a way to improve it?

    I'm using the latest version of PHP 4.
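    An added example, not code from Archbob's post or from anyone else in this thread, showing the same mysql_real_escape_string() applied at the point where the query is built instead of to every input up front. It assumes a mysql_* connection already open in $link and an illustrative table users(id, name, group_id); the helpers strip_magic_quotes(), db_quote() and db_int() are names invented for this example.

```php
<?php
// Added example, not from the thread: escape at the query boundary.
// Assumes a mysql_* link already opened as $link (PHP 4.3+ / 5.x mysql extension)
// and an illustrative table users(id, name, group_id).

// Undo magic_quotes_gpc recursively. array_map() only reaches the top level,
// so a nested field such as opts[a][b]=y would otherwise keep its backslashes.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

if (get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Quote a value as a SQL string literal. The quotes are added here on purpose:
// mysql_real_escape_string() only protects a value that ends up inside quotes.
function db_quote($value, $link)
{
    if (is_array($value)) {
        // An array can never fill a scalar slot; treat it as an empty string
        // rather than letting mysql_real_escape_string() warn and return false.
        return "''";
    }
    return "'" . mysql_real_escape_string((string) $value, $link) . "'";
}

// Numeric slots are not protected by escaping at all (there is nothing to
// escape in an unquoted number), so force the type instead.
function db_int($value)
{
    return (int) $value;
}

// Raw input stays raw for everything else (length checks, display, logging);
// it is only escaped in the one place it meets SQL.
$name  = isset($_POST['name'])  ? $_POST['name']  : '';
$group = isset($_GET['group'])  ? $_GET['group']  : 0;

$sql = 'SELECT id, name FROM users'
     . ' WHERE name = ' . db_quote($name, $link)
     . ' AND group_id = ' . db_int($group);

$result = mysql_query($sql, $link);
```

    Keeping the input raw until it reaches the query means a later strlen() or echo sees the user's actual characters rather than the backslashes the escaping added. In PHP 5.1 and later, mysqli and PDO prepared statements give the same separation for free: the value never becomes part of the SQL text, so neither quoting nor casting is needed.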

  2. #2
    ✯✯✯ silver trophybronze trophy php_daemon's Avatar
    Join Date
    Mar 2006
    Posts
    5,284
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Why did you start to doubt it? Were there any successful attack attempts? Other than that you're affecting the initial data, it's OK.
    Saul

  3. #3
    Level 8 Chinese guy Archbob's Avatar
    Join Date
    Sep 2001
    Location
    Somewhere in this vast universe
    Posts
    3,732
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I think I'm having trouble with people registering blank names, even though I have this statement in the code also:

    Code:
    if (strlen($name) < 1)
    {
        die("You did not enter a name");
    }
    I also have code checking for spaces and I use the strip_tags() function but somehow there was 1 case where someone somehow registered a blank name.

  4. #4
    ✯✯✯ silver trophybronze trophy php_daemon's Avatar
    Join Date
    Mar 2006
    Posts
    5,284
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Use trim() before strlen(), they might have inputted a space character. Also consider using regular expressions to define stricter rules on what characters are allowed.
    Saul

  5. #5
    SitePoint Evangelist AlienDev's Avatar
    Join Date
    Feb 2007
    Location
    UK
    Posts
    591
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Here's a bit of a register script I made for my own CMS I use on all my sites:

    PHP Code:
    // too long? (each field is measured on its own: strlen($a || $b) would measure a boolean)
    if (strlen($username) > 20 || strlen($password) > 20 || strlen($email) > 50) {
        $error = true;
        $error_message[] = 'Your username, password or email address is too long.';
    }

    Replace the middle 2 lines with however it is you deal with errors. At the end of my register script I use
    PHP Code:
    if ($error) {
        handle_errors($error_message);   // pass the whole array; $error_message[] is only for appending
    } else {
        // do the correct stuff
    }


  6. #6
    SitePoint Enthusiast
    Join Date
    Mar 2007
    Posts
    48
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You should really put people trying to register names through a preg check:

    PHP Code:
    // D modifier: $ may not match before a trailing newline
    if (preg_match('/^[A-Za-z0-9]+$/D', $username))
    {
        echo 'good name';
    }
    else
    {
        echo 'bad name';
    }

    Means they can only use alphanumerics.

    Or if you want to allow spaces, but not at the end or beginning:
    PHP Code:
    if (preg_match('/^[A-Za-z0-9]+[A-Za-z0-9 _-]{0,1}[A-Za-z0-9]+$/D', $username))
    {
        echo 'good name';
    }
    else
    {
        echo 'bad name';
    }

    That will allow a username made up of alphanumerics, but with 1 space, underscore, or hyphen in the middle somewhere.
    So the following names would work:
    "Billy-Bob"
    "0139 Noob"
    "Hack_saw"
    "Nospaces"

    but these names won't work
    " spaces "
    "i love men"
    "admin "
    "#%()&%"

    If you then check logins for the same pattern, sql injection attacks are impossible (as far as I know).
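    Putting Saul's advice (trim() before strlen(), post #4) together with the second pattern above, here is an added example that is not code from any post in this thread. The function name validate_username(), the 20-character limit and the extra sample inputs are assumptions for illustration; the sample list reuses the names from the post above and also covers the blank-name case from post #3.

```php
<?php
// Added example, not from the thread. validate_username() and USERNAME_MAX are
// assumptions for illustration; the pattern is the second one from the post.

define('USERNAME_MAX', 20);

// Returns 'ok' or a short reason string. The caller should store the trimmed
// name, not the raw input, so the stored value is exactly what was checked.
function validate_username($raw)
{
    $name = trim($raw);                 // a name that is only whitespace becomes ''

    if (strlen($name) < 1) {
        return 'empty';
    }
    if (strlen($name) > USERNAME_MAX) {
        return 'too long';
    }
    // Alphanumerics with at most one space, underscore or hyphen strictly inside.
    // Note the pattern needs at least two characters, so 'A' alone is rejected.
    // D modifier: $ may not match before a trailing newline, so the check stays
    // strict even if someone later reuses it without the trim() above.
    if (!preg_match('/^[A-Za-z0-9]+[A-Za-z0-9 _-]?[A-Za-z0-9]+$/D', $name)) {
        return 'bad characters';
    }
    return 'ok';
}

// Constructed sample inputs: the names listed in the post above plus a few extras.
$samples = array(
    'Billy-Bob'   => 'ok',
    '0139 Noob'   => 'ok',
    'Hack_saw'    => 'ok',
    'Nospaces'    => 'ok',
    'i love men'  => 'bad characters',  // two spaces
    '#%()&%'      => 'bad characters',
    ' spaces '    => 'ok',              // trim() reduces it to 'spaces' first
    'admin '      => 'ok',              // likewise 'admin'
    '   '         => 'empty',           // the blank-name case from earlier in the thread
    'A'           => 'bad characters',  // the pattern needs two characters
    'abcdefghijklmnopqrstuvwxyz' => 'too long',
);

$failures = 0;
foreach ($samples as $input => $expected) {
    $got = validate_username($input);
    if ($got !== $expected) {
        $failures++;
    }
    printf("%-30s %-15s %s\n", '"' . $input . '"', $got, $got === $expected ? 'PASS' : 'FAIL');
}
echo $failures === 0 ? "all samples behaved as expected\n" : "$failures unexpected result(s)\n";
```

    Because the value is trimmed before it is checked, " spaces " and "admin " are accepted in their trimmed form rather than rejected outright; if you want them refused instead, drop the trim() and the pattern alone will reject them. Either way the whitelist, not the escaping, is what decides which characters can ever reach the database.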

  7. #7
    Level 8 Chinese guy Archbob's Avatar
    Join Date
    Sep 2001
    Location
    Somewhere in this vast universe
    Posts
    3,732
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I think mysql_real_escape_string handles mysql injections? No?

  8. #8
    ✯✯✯ silver trophybronze trophy php_daemon's Avatar
    Join Date
    Mar 2006
    Posts
    5,284
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Archbob View Post
    I think mysql_real_escape_string handles mysql injections? No?
    Yes, it does. However, it is common sense to limit the characters your members can use for the usernames or validate the emails they enter, etc. In other words, make your application more fool proof.
    Saul

  9. #9
    SitePoint Enthusiast
    Join Date
    Mar 2007
    Posts
    48
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by php_daemon View Post
    Yes, it does. However, it is common sense to limit the characters your members can use for the usernames or validate the emails they enter, etc. In other words, make your application more fool proof.
    Plus, who wants to see people with names like ~~>IAMTHEMAN<~~ or ( . Y . )?

  10. #10
    Level 8 Chinese guy Archbob's Avatar
    Join Date
    Sep 2001
    Location
    Somewhere in this vast universe
    Posts
    3,732
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by SLTP_Spencer View Post
    Plus, who wants to see people with names like ~~>IAMTHEMAN<~~ or ( . Y . )?
    That makes sense.

  11. #11
    SitePoint Evangelist AlienDev's Avatar
    Join Date
    Feb 2007
    Location
    UK
    Posts
    591
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by SLTP_Spencer View Post
    Plus, who wants to see people with names like ~~>IAMTHEMAN<~~ or ( . Y . )?
    I do!!! Because then I can change it to "IAMTHEWOMAN"

