Re: Re: SQL Injection - Solution

Hun... by the way... I forgot to mention, I am Brazilian and here in Brazil
these words are not common...

That is a recursive function and I can use array_map because in some cases we
obtain arrays of arrays and that will generate an error.


Regards,
Igor Escobar
Systems Analyst & Interface Designer

--

Personal Blog
~ blog.igorescobar.com
Online Portfolio
~ www.igorescobar.com
Twitter
~ @igorescobar





On Wed, May 6, 2009 at 2:36 PM, Shawn McKenzie <nospam@xxxxxxxxxxxxx> wrote:

> Igor Escobar wrote:
> > Hunnn...
> >
> > So, what do you think now?
> >
> > function _antiSqlInjection($Target){
> >     // words and tokens to strip from every submitted value
> >     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE',
> >                            'DROP TABLE','SHOW TABLES','*','--','=');
> >     $arraSanitized = array();
> >     foreach($Target as $key => $value):
> >         if(is_array($value)): $arraSanitized[$key] = _antiSqlInjection($value);
> >         else:
> >             // strip the listed words, then escape quotes unless magic_quotes already did
> >             $arraSanitized[$key] = (!get_magic_quotes_gpc()) ?
> >                 addslashes(str_ireplace($sanitizeRules, "", trim($value))) :
> >                 str_ireplace($sanitizeRules, "", trim($value));
> >         endif;
> >     endforeach;
> >     return $arraSanitized;
> > }
> >
> Stay on list please.  I don't like the ternary or the brace omissions
> (alternate syntax) :-) however....
>
> My point was that in my opinion you don't need the replace at all.
> Also, do you really want to strip all 'or', * and = from all fields?
> These may be perfectly valid in your app.  Or is a very, very common
> word, so is from and come to think of it, where, select, insert and delete.
>
> For any of the SQL injections to work in your query, there will need to
> be quotes or the backtick ` in the user supplied content.  The quotes
> are escaped by mysql_real_escape_string().
>
> I don't see any way for a SQL injection without the user input
> containing quotes or the backtick to break out of your query or
> prematurely terminate an expression.  Some examples here, however they
> don't mention the backtick:
> http://us2.php.net/manual/en/security.database.sql-injection.php
>
> This might be more useful:
>
> function _antiSqlInjection($Target)
> {
>     if(is_array($Target)) {
>         $Value = array_map('_antiSqlInjection', $Target);
>     } else {
>         if(get_magic_quotes_gpc()) {
>             $Target = stripslashes($Target);
>         }
>         // replace backtick with single quote or whatever
>         $Target = str_replace("`", "'", $Target);
>         $Value = mysql_real_escape_string($Target);
>     }
>     return $Value;
> }
>
> Thanks!
> -Shawn
>
>
>
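Once every value reaches the database as a bound parameter, neither the keyword list nor manual quote escaping has a job to do. The following is an added example (not code from either poster): it walks nested input the way the thread discusses and stores it through PDO prepared statements, assuming an in-memory SQLite database via the pdo_sqlite extension.

```php
<?php
// Added example, not code from the thread: the same nested-array walk as
// Shawn's array_map version, with the SQL side protected by PDO bound
// parameters instead of keyword stripping or manual escaping (needs pdo_sqlite).
// Recurse into nested arrays (Igor's "arrays of arrays") and apply $fn to leaves.
function walkScalars(array $data, callable $fn): array
{
    $out = [];
    foreach ($data as $key => $value) {
        $out[$key] = is_array($value) ? walkScalars($value, $fn) : $fn($value);
    }
    return $out;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE answers (path TEXT PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample shaped like $_POST: nested arrays plus ordinary values that
// a word blacklist would mangle ("or", "from", "*", "--", a quote, a backtick).
$input = [
    'name'   => " O'Brien ",
    'survey' => [
        'q1' => 'Where are you from?',
        'q2' => ['a' => 'Either this or that', 'b' => '5 * 3 -- see `notes`'],
    ],
];

// The only PHP-side change is whitespace trimming; no SQL words are touched.
$clean = walkScalars($input, fn($v) => trim((string) $v));

// Flatten to (path, body) rows; each value travels as a bound parameter, so the
// driver never interprets user text as SQL.
$stmt = $pdo->prepare('INSERT INTO answers (path, body) VALUES (:path, :body)');
$insert = function (array $data, string $prefix) use (&$insert, $stmt): void {
    foreach ($data as $key => $value) {
        $path = $prefix === '' ? (string) $key : "$prefix.$key";
        if (is_array($value)) {
            $insert($value, $path);
        } else {
            $stmt->execute([':path' => $path, ':body' => $value]);
        }
    }
};
$insert($clean, '');

// Each value comes back exactly as submitted, quotes and SQL words included.
foreach ($pdo->query('SELECT path, body FROM answers ORDER BY path') as $row) {
    printf("%-12s %s\n", $row['path'], $row['body']);
}
```

The same pattern applies unchanged to MySQL by swapping the DSN; the bound-parameter call is what keeps "O'Brien" and "5 * 3 -- see `notes`" intact rather than any replacement list.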