  1. #1 afridy (SitePoint Guru)

    SQL Injection related question

    Hi folks,

    Every piece of user input (e.g. login) will have to go through the two functions below in my project.
    How good are these functions against an SQL injection?

    Code:
    <?php

    function filter($str){
        // Remove HTML tags, then escape quotes, backslashes and NUL so the value can be
        // placed inside a quoted SQL string literal. mysql_real_escape_string needs an open
        // ext/mysql connection (the extension was removed in PHP 7).
        $str = strip_tags($str);
        $str = mysql_real_escape_string($str);

        return $str;
    }
    Code:
    function compare($str){
        // Case-insensitive substring blocklist of SQL keywords and punctuation.
        // Note: "\'" in a PHP double-quoted string is the two characters backslash + quote
        // ('\'' is not an escape sequence there), so that entry matches an escaped apostrophe.
        $arr = array(
            "select", "union", "order", "by", "update", "drop", "use", "group",
            "insert", "load_file", "into", "in", "to", "outfile", "having", "substr",
            "hex", "unhex", "where", "--", "/", "\'", "\""
        );

        // Return true as soon as any entry occurs anywhere in $str.
        for ($i = 0; $i < sizeof($arr); $i++) {
            $q = strpos(strtolower($str), $arr[$i]);
            if ($q !== false) {
                return true;
            }
        }
        return false;
    }
    ?>

  2. #2 guido2004 (From Italy with love)
    1) mysql_real_escape_string will only prevent sql injection in case of string values (that is, variables you put between quotes in your query). In a case like this, it won't help:
    PHP Code:
    // user input: $_POST['id'] = '2 OR 1 = 1'
    $id = mysql_real_escape_string($_POST['id']);   // nothing to escape, so $id is unchanged
    $query = "
      SELECT *
      FROM tablename
      WHERE id = $id
    ";

    If you echo the value of $query, it'll be
    Code:
    SELECT *
    FROM tablename
    WHERE id = 2 OR 1 = 1
    So you'll have to distinguish between alphanumeric and numeric values, and sanitize accordingly.

    2) For the second function, you might want to look into foreach and in_array

  3. #3 StarLion (Keeper of the SFL)

  4. #4 afridy (SitePoint Guru)
    Thanks guido and StarLion for the suggestions.

  5. #5 lorenw (SitePoint Wizard)
    OT: SQL injection is only part of it; check out http://htmlpurifier.org/

  6. #6 ScallioXTX (Utopia, Inc.)
    1) ^ what they said
    2) Seems a bit over the top and missing the point. What if I really want the word "update" or "select" in my text? They are not really uncommon words, but your function would stop me from using them. I'd do away with that function.

  7. #7 felgall (Programming Since 1978)
    If you use PREPARE/BIND then the query and data are kept completely separate and SQL injection is therefore impossible.

  8. #8 kduv (SitePoint Addict)
    What felgall said. I would avoid using the standard MySQL library and go with either PDO or MySQLi so you can use prepared statements.
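Putting the thread's advice together in one runnable script (an added example, not code from any of the posters): it reproduces the unquoted-number case from post #2, applies the integer cast guido2004's answer calls for, and then uses the PDO prepared statement felgall and kduv point to. It assumes PHP with the pdo_sqlite extension and runs against an in-memory SQLite database; the users table, its rows and the hostile input are all constructed here. addslashes is used as a stand-in for mysql_real_escape_string, which needs a live ext/mysql link and no longer exists in PHP 7+.

```php
<?php
// Added example, not code from the thread. It reproduces guido2004's point (post #2)
// that escaping does nothing for an unquoted numeric value, then shows the fixes the
// thread recommends: casting numbers (post #2) and PDO prepared statements (posts #7
// and #8). Runs offline against an in-memory SQLite database (needs the pdo_sqlite
// extension); the table, rows and hostile input are all constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Constructed hostile input, the same value used in post #2.
$input = '2 OR 1 = 1';

// 1) Escape, then interpolate without quotes. addslashes stands in for
//    mysql_real_escape_string: both only touch quotes, backslashes and NUL, and this
//    input contains none, so it passes through unchanged and the WHERE clause
//    becomes "id = 2 OR 1 = 1".
$escaped = addslashes($input);
$sql = "SELECT id, name FROM users WHERE id = $escaped";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
echo $sql, "\n";
echo count($rows), " row(s)\n";   // 3: the condition is true for every row

// 2) Cast numeric input to int before it reaches the query. (int)'2 OR 1 = 1' is 2;
//    input that cannot be read as a number becomes 0 and simply matches nothing.
$id = (int) $input;
$rows = $db->query("SELECT id, name FROM users WHERE id = $id")->fetchAll(PDO::FETCH_ASSOC);
echo count($rows), " row(s)\n";   // 1: only id 2

// 3) Prepared statement with a bound parameter. The SQL text is parsed first and the
//    value is handed over separately, so whatever the string contains is compared as
//    a value and never executed as SQL. SQLite compares the text '2 OR 1 = 1' with an
//    integer column and finds no match (MySQL would coerce it to the number 2 and
//    return one row); in neither case does the "OR 1 = 1" reach the SQL parser.
$stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
$stmt->execute([':id' => $input]);
echo count($stmt->fetchAll(PDO::FETCH_ASSOC)), " row(s)\n";   // 0

// The same prepared statement with a well-formed value behaves normally.
$stmt->execute([':id' => 2]);
echo count($stmt->fetchAll(PDO::FETCH_ASSOC)), " row(s)\n";   // 1
```

Run it from the command line with `php example.php`. The point of step 3 is that the query shape is fixed at prepare() time, so there is no need for the keyword blocklist in the original compare() function, which is why the later replies recommend dropping it.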

