Re: SQL Injection - Solution

Igor Escobar wrote:
> Hi folks,
> Does someone know how I can improve this function to protect my environment
> vars from SQL injection attacks?
> 
> That is the function I use to do this, but some people think it is not enough:
> 
> /**
>  * @uses $_REQUEST= _antiSqlInjection($_REQUEST);
>  * @uses $_POST = _antiSqlInjection($_POST);
>  * @uses $_GET = _antiSqlInjection($_GET);
>  *
>  * @author Igor Escobar
>  * @email blog [at] igorescobar [dot] com
>  *
>  */
> 
> function _antiSqlInjection($Target){
> 	// keyword blacklist; note str_replace() is case-sensitive
> 	$sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE',
> 		'DROP TABLE','SHOW TABLES','*','--','=');
> 	$arraSanitized = array(); // initialised so an empty input returns an array, not null
> 	foreach($Target as $key => $value):
> 		if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
> 		else:
> 			$arraSanitized[$key] = addslashes(strip_tags(trim(str_replace($sanitizeRules,"",$value))));
> 		endif;
> 	endforeach;
> 	return $arraSanitized;
> }
> 
> Can you help me to improve it?
> 

Just at first glance, if you're going to use this type of function you
should at least use str_ireplace().  'drop table' works just as well as
'DROP TABLE'.  Also, you might want to use mysql_real_escape_string() or
similar for your DB (if you have a connection).  Or you can skip the
slash stuff until the actual query.  This may negate the need for your
replace, as quotes are normally needed to get the SQL commands to work
in your query anyway.

Finally, if magic_quotes are on, you'll end up with multiple slashes in
your code as it is, and also if you change addslashes() to
mysql_real_escape_string().  Normally this is good:

if(get_magic_quotes_gpc()) {
    // magic_quotes_gpc already added slashes; undo them first
    $value = stripslashes($value);
}
// escape once, with the DB's own rules, right before the query
$arraSanitized[$key] = mysql_real_escape_string($value);

I also think strip_tags() or htmlentities() belongs more in a display
filter.

> 
> Regards,
> Igor Escobar
> Systems Analyst & Interface Designer
> 
> --
> 
> Personal Blog
> ~ blog.igorescobar.com
> Online Portfolio
> ~ www.igorescobar.com
> Twitter
> ~ @igorescobar
> 

-- 
Thanks!
-Shawn
http://www.spidean.com
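As an added illustration of the two points in Shawn's reply (the case-sensitive blacklist and deferring the escaping to the query), written for this archive page and not code from either poster: it uses PDO with an in-memory SQLite database so it runs stand-alone (the pdo_sqlite extension is assumed), and the users table, the sample inputs and the helper names are constructed for the example.

```php
<?php
// Added example (not from the thread): contrasts the keyword blacklist with
// binding the raw value at query time. All sample inputs are constructed.

$sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE',
                       'DROP TABLE','SHOW TABLES','*','--','=');

// The filter as posted: str_replace() only matches the upper-case spellings.
function filterCaseSensitive($value, $rules) {
    return str_replace($rules, '', $value);
}

// Shawn's suggestion: str_ireplace() so 'drop table' is caught as well.
function filterCaseInsensitive($value, $rules) {
    return str_ireplace($rules, '', $value);
}

// Deferring to the query: the value is never rewritten, it is bound as data,
// so the database never sees it as part of the SQL text.
function findUserByName(PDO $db, $name) {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('Information Desk'), ('Igor')");

// 1. Lower-case keywords pass straight through the case-sensitive filter:
//    only the trailing '--' is removed, 'drop table users' survives.
var_dump(filterCaseSensitive("x'; drop table users; --", $sanitizeRules));

// 2. str_ireplace() catches them, but also mangles harmless input:
//    'Information' contains 'or', so a legitimate name becomes 'Infmation Desk'
//    and no longer matches the stored row.
var_dump(filterCaseInsensitive('Information Desk', $sanitizeRules));

// 3. With a bound parameter the hostile string is compared as a literal and
//    simply matches no row, while the legitimate name is found intact.
var_dump(findUserByName($db, "x'; drop table users; --"));
var_dump(findUserByName($db, 'Information Desk'));
```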

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

