What about declare, cast, unhex, exec etc.? Replacing everything with "" isn't so good, I believe. Others mentioned it before: *, =, select, from etc. are valid words and characters in another context. Analyse some attacks before trying to defend against them. Injections can be heavily DB-dependent, so filtering the common words might not be so insightful. If you really want to go the filter approach, then check out this project and learn from them. ;)

http://php-ids.org/

byebye

2009/5/6 Igor Escobar <titiolinkin@xxxxxxxxx>:
> Yeah yeah, I understood that, but the point is... as I said previously, my
> function is not tied to any database.
>
> It is a generic function. I don't know who will use this, so I don't know
> what your database is, so I can't use functions like
> mysql_real_escape_string etc...
>
>
> Regards,
> Igor Escobar
> Systems Analyst & Interface Designer
>
> --
>
> Personal Blog
> ~ blog.igorescobar.com
> Online Portfolio
> ~ www.igorescobar.com
> Twitter
> ~ @igorescobar
>
>
> On Wed, May 6, 2009 at 3:00 PM, Bruno Fajardo <bsfajardo@xxxxxxxxx> wrote:
>
>> 2009/5/6 Igor Escobar <titiolinkin@xxxxxxxxx>:
>> > Hun... by the way... I forgot to mention, I am Brazilian and here in
>> > Brazil these words are not common...
>>
>> Igor,
>>
>> I'm Brazilian too, but that is not the point. Denying the use of *any*
>> word as input in your app is unnecessary. The problem that you're
>> trying to solve has been solved a long time ago.
>>
>> Bruno.
>>
>> > That is a recursive function and I can't use array_map because in some
>> > cases we obtain arrays of arrays and that will generate an error.
>> >
>> >
>> > Regards,
>> > Igor Escobar
>> > Systems Analyst & Interface Designer
>> >
>> > --
>> >
>> > Personal Blog
>> > ~ blog.igorescobar.com
>> > Online Portfolio
>> > ~ www.igorescobar.com
>> > Twitter
>> > ~ @igorescobar
>> >
>> >
>> > On Wed, May 6, 2009 at 2:36 PM, Shawn McKenzie <nospam@xxxxxxxxxxxxx> wrote:
>> >
>> >> Igor Escobar wrote:
>> >> > Hunnn...
>> >> >
>> >> > So, what do you think now?
>> >> >
>> >> > function _antiSqlInjection($Target){
>> >> >     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE',
>> >> >                            'DROP TABLE','SHOW TABLES','*','--','=');
>> >> >     $arraSanitized = array();
>> >> >     foreach($Target as $key => $value):
>> >> >         if(is_array($value)):
>> >> >             $arraSanitized[$key] = _antiSqlInjection($value);
>> >> >         else:
>> >> >             // strip the listed tokens, then escape unless magic_quotes already did
>> >> >             $arraSanitized[$key] = (!get_magic_quotes_gpc())
>> >> >                 ? addslashes(str_ireplace($sanitizeRules, "", trim($value)))
>> >> >                 : str_ireplace($sanitizeRules, "", trim($value));
>> >> >         endif;
>> >> >     endforeach;
>> >> >     return $arraSanitized;
>> >> > }
>> >> >
>> >> Stay on list please. I don't like the ternary or the brace omissions
>> >> (alternate syntax) :-) however....
>> >>
>> >> My point was that in my opinion you don't need the replace at all.
>> >> Also, do you really want to strip all 'or', * and = from all fields?
>> >> These may be perfectly valid in your app. 'Or' is a very, very common
>> >> word, so is 'from' and, come to think of it, 'where', 'select', 'insert'
>> >> and 'delete'.
>> >>
>> >> For any of the SQL injections to work in your query, there will need to
>> >> be quotes or the backtick ` in the user supplied content. The quotes
>> >> are escaped by mysql_real_escape_string().
>> >>
>> >> I don't see any way for a SQL injection without the user input
>> >> containing quotes or the backtick to break out of your query or
>> >> prematurely terminate an expression. Some examples here, however they
>> >> don't mention the backtick:
>> >> http://us2.php.net/manual/en/security.database.sql-injection.php
>> >>
>> >> This might be more useful:
>> >>
>> >> function _antiSqlInjection($Target)
>> >> {
>> >>     if(is_array($Target)) {
>> >>         // recurse into nested arrays
>> >>         $Value = array_map('_antiSqlInjection', $Target);
>> >>     } else {
>> >>         if(get_magic_quotes_gpc()) {
>> >>             $Target = stripslashes($Target);
>> >>         }
>> >>         // replace backtick with single quote or whatever
>> >>         $Target = str_replace("`", "'", $Target);
>> >>         $Value = mysql_real_escape_string($Target);
>> >>     }
>> >>     return $Value;
>> >> }
>> >>
>> >> Thanks!
>> >> -Shawn
>> >>
>> >>
>> >
>> >
>>
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
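The thread argues against the keyword blacklist and for a defence that "has been solved a long time ago". The following is an added example, not code from any participant in this thread: it reproduces Igor's rule list only to show what a single-pass `str_ireplace` does to ordinary input and to a nested keyword, and then contrasts it with PDO prepared statements, where user data is bound to placeholders and never becomes SQL text. It assumes PHP with the `pdo_sqlite` extension so it runs offline against an in-memory database; the `BLACKLIST` constant, the `blacklistFilter` and `fetchBodyById` helpers and every input string are constructed for this example.

```php
<?php
// Added example, not code from the thread. It puts Igor's keyword blacklist
// next to the defence Bruno alludes to (parameterised queries) and runs offline
// against an in-memory SQLite database through PDO. All inputs are constructed.
declare(strict_types=1);

// Igor's rule list, reproduced so its effect on ordinary text can be observed.
const BLACKLIST = ['OR', 'FROM', 'SELECT', 'INSERT', 'DELETE', 'WHERE',
                   'DROP TABLE', 'SHOW TABLES', '*', '--', '='];

// The thread's idea: one case-insensitive pass that deletes every listed token.
function blacklistFilter(string $value): string
{
    return str_ireplace(BLACKLIST, '', trim($value));
}

// 1. Legitimate English is mangled: "or", "from", "where", "select", "=" and "*"
//    all occur in a harmless comment and are silently removed.
$comment = 'Where did you select this from? 5*3 = 15, or so.';
printf("blacklist: [%s]\n", blacklistFilter($comment));

// 2. A single-pass replace is defeated by nesting a keyword inside itself:
//    removing the inner SELECT from SELSELECTECT leaves SELECT behind.
printf("blacklist: [%s]\n", blacklistFilter('SELSELECTECT'));

// 3. The fix is structural: user data is bound to placeholders and never
//    becomes part of the SQL text, so no list of words is needed at all.
$pdo = new PDO('sqlite::memory:', null, null,
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$insert  = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$hostile = ["' OR 1=1 --", 'SELSELECTECT', "`; DROP TABLE comments; --"]; // constructed
foreach (array_merge([$comment], $hostile) as $body) {
    $insert->execute([':body' => $body]);   // stored verbatim, never parsed as SQL
}

// 4. Unquoted numeric placeholders need a typed value. Validate the raw string
//    as an integer and bind it with PDO::PARAM_INT; anything else is rejected
//    before it reaches the query. (Hypothetical helper name.)
function fetchBodyById(PDO $pdo, string $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                        // e.g. "1 OR 1=1" stops here
    }
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

var_dump(fetchBodyById($pdo, '1'));         // the harmless comment, unchanged
var_dump(fetchBodyById($pdo, '1 OR 1=1'));  // NULL: rejected as a non-integer

// Every hostile string is sitting in the table as data; the table still exists.
printf("%d rows stored\n", $pdo->query('SELECT COUNT(*) FROM comments')->fetchColumn());
```

The point of binding is that the driver ships the query text and the values separately, so the database never has to decide where a user's string ends and the statement resumes; that is what makes the word list, the backtick replacement and the `magic_quotes` branches unnecessary. Where a value must be a number, validate its type and bind it as one rather than scanning it for keywords.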