Igor Escobar wrote:
> Hunnn...
>
> So, what do you think now?
>
>     function _antiSqlInjection($Target){
>         $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE',
>                                'DROP TABLE','SHOW TABLES','*','--','=');
>         $arraSanitized = array();
>         foreach($Target as $key => $value):
>             if(is_array($value)):
>                 $arraSanitized[$key] = _antiSqlInjection($value);
>             else:
>                 // strip the blacklisted tokens, then escape unless magic_quotes already did
>                 $arraSanitized[$key] = (!get_magic_quotes_gpc())
>                     ? addslashes(str_ireplace($sanitizeRules, "", trim($value)))
>                     : str_ireplace($sanitizeRules, "", trim($value));
>             endif;
>         endforeach;
>         return $arraSanitized;
>     }
>

Stay on list please.

I don't like the ternary or the brace omissions (alternate syntax) :-) however....

My point was that in my opinion you don't need the replace at all. Also, do you really want to strip all 'or', * and = from all fields? These may be perfectly valid in your app. Or is a very, very common word, so is from and, come to think of it, where, select, insert and delete.

For any of the SQL injections to work in your query, there will need to be quotes or the backtick ` in the user supplied content. The quotes are escaped by mysql_real_escape_string(). I don't see any way for a SQL injection without the user input containing quotes or the backtick to break out of your query or prematurely terminate an expression.

Some examples here, however they don't mention the backtick:
http://us2.php.net/manual/en/security.database.sql-injection.php

This might be more useful:

    function _antiSqlInjection($Target) {
        if(is_array($Target)) {
            $Value = array_map('_antiSqlInjection', $Target);
        } else {
            // undo magic_quotes so the value is escaped exactly once below
            if(get_magic_quotes_gpc()) {
                $Target = stripslashes($Target);
            }
            // replace backtick with single quote or whatever
            $Target = str_replace("`", "'", $Target);
            $Value = mysql_real_escape_string($Target);
        }
        return $Value;
    }

Thanks!

-Shawn

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
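Shawn's point that the keyword list mangles ordinary input, and the escaping question behind both snippets, as an added example that is not Igor's or Shawn's code: it runs the same blacklist over constructed legitimate input, then stores and looks up that input with PDO prepared statements against an in-memory SQLite database, which is also the practical replacement for the mysql_* functions (removed in PHP 7). It assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not from the thread. Assumes the pdo_sqlite extension.

// Same blacklist as the quoted _antiSqlInjection(), applied on its own.
function keywordStrip(string $value): string {
    $rules = ['OR', 'FROM', 'SELECT', 'INSERT', 'DELETE', 'WHERE',
              'DROP TABLE', 'SHOW TABLES', '*', '--', '='];
    return str_ireplace($rules, '', $value);
}

// Constructed sample input: perfectly valid data that contains an
// apostrophe, an equals sign and English words on the blacklist.
$legit = "O'Brien from Oregon (order #12, qty=3)";

// 1) The blacklist damages the data: 'OR' matches inside "Oregon" and
//    "order", 'FROM' and '=' disappear, and the apostrophe (the only
//    character that actually matters for the query) is left untouched.
echo "stripped: ", keywordStrip($legit), "\n";

// 2) A prepared statement needs neither stripping nor escaping: the
//    value travels to the driver separately from the SQL text.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $legit]);

$select = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$select->execute([':name' => $legit]);
echo "stored:   ", $select->fetchColumn(), "\n";   // unchanged, quote included

// 3) Input containing quotes, OR and '=' is matched literally as a value,
//    not interpreted as SQL, so it simply finds no row.
$select->execute([':name' => "nobody' OR '1'='1"]);
$rows = $select->fetchAll(PDO::FETCH_COLUMN);
echo "rows matched by quoted input: ", count($rows), "\n";
```

Run with `php example.php`; the first line shows the mangled string, the second the intact stored value, the third a zero count.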