Yeah yeah, I understood that, but the point is... as I said previously, my function is not tied to any database. It is a generic function; I don't know who will use this, so I don't know what your database is, so I can't use functions like mysql_real_escape_string etc...

Regards,
Igor Escobar
Systems Analyst & Interface Designer

--

Personal Blog
~ blog.igorescobar.com
Online Portfolio
~ www.igorescobar.com
Twitter
~ @igorescobar


On Wed, May 6, 2009 at 3:00 PM, Bruno Fajardo <bsfajardo@xxxxxxxxx> wrote:

> 2009/5/6 Igor Escobar <titiolinkin@xxxxxxxxx>:
> > Hmm... by the way... I forgot to mention, I am Brazilian and here in Brazil
> > these words are not common...
>
> Igor,
>
> I'm Brazilian too, but that is not the point. Denying the use of *any*
> word as input in your app is unnecessary. The problem that you're
> trying to solve has been solved a long time ago.
>
> Bruno.
>
> > That is a recursive function and I can use array_map because in some cases
> > we obtain arrays of arrays and that will generate an error.
> >
> >
> > Regards,
> > Igor Escobar
> > Systems Analyst & Interface Designer
> >
> > --
> >
> > Personal Blog
> > ~ blog.igorescobar.com
> > Online Portfolio
> > ~ www.igorescobar.com
> > Twitter
> > ~ @igorescobar
> >
> >
> > On Wed, May 6, 2009 at 2:36 PM, Shawn McKenzie <nospam@xxxxxxxxxxxxx> wrote:
> >
> >> Igor Escobar wrote:
> >> > Hmm...
> >> >
> >> > So, what do you think now?
> >> >
> >> > function _antiSqlInjection($Target){
> >> >     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE',
> >> >                            'DROP TABLE','SHOW TABLES','*','--','=');
> >> >     $arraSanitized = array();
> >> >     foreach($Target as $key => $value):
> >> >         if(is_array($value)):
> >> >             $arraSanitized[$key] = _antiSqlInjection($value);
> >> >         else:
> >> >             // strip the listed keywords, then escape unless magic quotes already did
> >> >             $arraSanitized[$key] = (!get_magic_quotes_gpc()) ?
> >> >                 addslashes(str_ireplace($sanitizeRules, "", trim($value))) :
> >> >                 str_ireplace($sanitizeRules, "", trim($value));
> >> >         endif;
> >> >     endforeach;
> >> >     return $arraSanitized;
> >> > }
> >> >
> >> Stay on list please. I don't like the ternary or the brace omissions
> >> (alternate syntax) :-) however....
> >>
> >> My point was that in my opinion you don't need the replace at all.
> >> Also, do you really want to strip all 'or', * and = from all fields?
> >> These may be perfectly valid in your app. Or is a very, very common
> >> word, so is from and, come to think of it, where, select, insert and
> >> delete.
> >>
> >> For any of the SQL injections to work in your query, there will need to
> >> be quotes or the backtick ` in the user supplied content. The quotes
> >> are escaped by mysql_real_escape_string().
> >>
> >> I don't see any way for a SQL injection without the user input
> >> containing quotes or the backtick to break out of your query or
> >> prematurely terminate an expression. Some examples here, however they
> >> don't mention the backtick:
> >> http://us2.php.net/manual/en/security.database.sql-injection.php
> >>
> >> This might be more useful:
> >>
> >> function _antiSqlInjection($Target)
> >> {
> >>     if(is_array($Target)) {
> >>         // recurse into nested arrays
> >>         $Value = array_map('_antiSqlInjection', $Target);
> >>     } else {
> >>         if(get_magic_quotes_gpc()) {
> >>             $Target = stripslashes($Target);
> >>         }
> >>         // replace backtick with single quote or whatever
> >>         $Target = str_replace("`", "'", $Target);
> >>         $Value = mysql_real_escape_string($Target);
> >>     }
> >>     return $Value;
> >> }
> >>
> >> Thanks!
> >> -Shawn
> >>
> >>
> >
>
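The following is an added example, not code from anyone in the thread. It puts the keyword blacklist next to escape-only handling and next to the driver-independent approach (a bound parameter through PDO), and it goes beyond the thread's own cases: it shows a doubled keyword surviving a single-pass str_ireplace, a legitimate word being mangled, and an injection in a numeric context that needs no quote or backtick at all. The function names (blacklistStrip, findNamesUnsafe, findNamesSafe, openDemoDb), the users table and the attacker input are all constructed for the demo; it assumes PHP with the pdo_sqlite extension, and addslashes stands in for mysql_real_escape_string so the demo is not tied to MySQL.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. It assumes PHP with the pdo_sqlite
// extension; the users table and its rows are constructed here for the demo.

// The keyword list from the thread, applied the way the posted function
// applies it: one case-insensitive pass of str_ireplace over the value.
const SANITIZE_RULES = array('OR', 'FROM', 'SELECT', 'INSERT', 'DELETE', 'WHERE',
    'DROP TABLE', 'SHOW TABLES', '*', '--', '=');

function blacklistStrip(string $value): string
{
    return str_ireplace(SANITIZE_RULES, '', trim($value));
}

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $db;
}

// Escape-only handling in a numeric context. addslashes stands in for
// mysql_real_escape_string so the demo is not tied to MySQL; both only touch
// quotes, backslashes and NUL, none of which the payload needs here.
function findNamesUnsafe(PDO $db, string $id): array
{
    $sql = 'SELECT name FROM users WHERE id = ' . addslashes($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The database-agnostic alternative: check the type the column expects, then
// hand the value to the driver as a bound parameter. Nothing here depends on
// which database is behind $db, so a generic helper can be written this way.
function findNamesSafe(PDO $db, string $id): array
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->bindValue(1, (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function demo(): array
{
    $db = openDemoDb();
    // Constructed attacker input: doubling the keyword survives a single-pass
    // replace ("OORR" loses one "OR" and becomes "OR"), and removing "="
    // leaves "1 OR 11", which is still true for every row.
    $payload = '1 OORR 1=1';
    $stripped = blacklistStrip($payload);

    try {
        findNamesSafe($db, $payload);
        $rejected = false;
    } catch (InvalidArgumentException $e) {
        $rejected = true;
    }

    return array(
        'legit_word_mangled'   => blacklistStrip('Orlando'),
        'doubled_keyword'      => blacklistStrip('SELSELECTECT'),
        'payload_after_strip'  => $stripped,
        'unsafe_escaped_only'  => findNamesUnsafe($db, '1 OR 1=1'),
        'unsafe_after_strip'   => findNamesUnsafe($db, $stripped),
        'safe_valid_id'        => findNamesSafe($db, '2'),
        'safe_rejects_payload' => $rejected,
    );
}

print_r(demo());
```

Run it with `php` on the command line. The first two entries show the blacklist doing the wrong thing in both directions (a city name loses its first two letters; a doubled keyword collapses back into the forbidden one), the next two show that neither stripping keywords nor escaping quotes protects an unquoted numeric comparison, and the last two show the bound-parameter version returning only the requested row and refusing the payload before it ever reaches SQL. The type check plus PDO binding is the part that answers the portability concern raised in the thread: it is the driver, not the application helper, that knows how the database wants a value delivered.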