Ok guys, thanks.

Regards,
Igor Escobar
Systems Analyst & Interface Designer

--

Personal Blog
~ blog.igorescobar.com
Online Portfolio
~ www.igorescobar.com
Twitter
~ @igorescobar


On Thu, May 7, 2009 at 7:32 AM, Jan G.B. <ro0ot.w00t@xxxxxxxxxxxxxx> wrote:

> What about declare, cast, unhex, exec etc.?
> Replacing everything with "" isn't so good, I believe. Others
> mentioned it before: *, =, select, from etc. are valid words and
> characters in another context.
>
> Analyse some attacks before trying to defend against them. Injections can be
> heavily db-dependent, so filtering the common words might not be so
> insightful.
>
> If you really want to go the filter approach, then check out this
> project and learn from them. ;)
> http://php-ids.org/
>
>
> byebye
>
> 2009/5/6 Igor Escobar <titiolinkin@xxxxxxxxx>:
> > Yeah yeah, I understood that, but the point is, as I said previously, my
> > function is not tied to any database.
> >
> > It is a generic function; I don't know who will use this, so I don't know
> > what your database is, so I can't use functions like mysql_real_escape_string
> > etc...
> >
> >
> > Regards,
> > Igor Escobar
> > Systems Analyst & Interface Designer
> >
> > --
> >
> > Personal Blog
> > ~ blog.igorescobar.com
> > Online Portfolio
> > ~ www.igorescobar.com
> > Twitter
> > ~ @igorescobar
> >
> >
> > On Wed, May 6, 2009 at 3:00 PM, Bruno Fajardo <bsfajardo@xxxxxxxxx> wrote:
> >
> >> 2009/5/6 Igor Escobar <titiolinkin@xxxxxxxxx>:
> >> > hun... by the way.... I forgot to mention, I am Brazilian and here in
> >> > Brazil these words are not common ...
> >>
> >> Igor,
> >>
> >> I'm Brazilian too, but that is not the point. Denying the use of *any*
> >> word as input in your app is unnecessary. The problem that you're
> >> trying to solve has been solved a long time ago.
> >>
> >> Bruno.
> >>
> >> > That is a recursive function and I can't use array_map because in some
> >> > cases we obtain arrays of arrays and that will generate an error.
> >> >
> >> >
> >> > Regards,
> >> > Igor Escobar
> >> > Systems Analyst & Interface Designer
> >> >
> >> > --
> >> >
> >> > Personal Blog
> >> > ~ blog.igorescobar.com
> >> > Online Portfolio
> >> > ~ www.igorescobar.com
> >> > Twitter
> >> > ~ @igorescobar
> >> >
> >> >
> >> > On Wed, May 6, 2009 at 2:36 PM, Shawn McKenzie <nospam@xxxxxxxxxxxxx> wrote:
> >> >
> >> >> Igor Escobar wrote:
> >> >> > Hunnn...
> >> >> >
> >> >> > So, what do you think now?
> >> >> >
> >> >> > function _antiSqlInjection($Target){
> >> >> >     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE',
> >> >> >                            'DROP TABLE','SHOW TABLES','*','--','=');
> >> >> >     $arraSanitized = array();
> >> >> >     foreach($Target as $key => $value):
> >> >> >         if(is_array($value)):
> >> >> >             $arraSanitized[$key] = _antiSqlInjection($value);
> >> >> >         else:
> >> >> >             // strip the listed tokens, then add slashes unless magic quotes already did
> >> >> >             $stripped = str_ireplace($sanitizeRules, "", trim($value));
> >> >> >             $arraSanitized[$key] = (!get_magic_quotes_gpc()) ? addslashes($stripped) : $stripped;
> >> >> >         endif;
> >> >> >     endforeach;
> >> >> >     return $arraSanitized;
> >> >> > }
> >> >> >
> >> >> Stay on list please. I don't like the ternary or the brace omissions
> >> >> (alternate syntax) :-) however....
> >> >>
> >> >> My point was that in my opinion you don't need the replace at all.
> >> >> Also, do you really want to strip all 'or', * and = from all fields?
> >> >> These may be perfectly valid in your app. 'Or' is a very, very common
> >> >> word, so is 'from' and, come to think of it, 'where', 'select', 'insert'
> >> >> and 'delete'.
> >> >>
> >> >> For any of the SQL injections to work in your query, there will need to
> >> >> be quotes or the backtick ` in the user supplied content. The quotes
> >> >> are escaped by mysql_real_escape_string().
> >> >>
> >> >> I don't see any way for a SQL injection without the user input
> >> >> containing quotes or the backtick to break out of your query or
> >> >> prematurely terminate an expression. Some examples here, however they
> >> >> don't mention the backtick:
> >> >> http://us2.php.net/manual/en/security.database.sql-injection.php
> >> >>
> >> >> This might be more useful:
> >> >>
> >> >> function _antiSqlInjection($Target)
> >> >> {
> >> >>     if(is_array($Target)) {
> >> >>         $Value = array_map('_antiSqlInjection', $Target);
> >> >>     } else {
> >> >>         if(get_magic_quotes_gpc()) {
> >> >>             $Target = stripslashes($Target);
> >> >>         }
> >> >>         // replace backtick with single quote or whatever
> >> >>         $Target = str_replace("`", "'", $Target);
> >> >>         $Value = mysql_real_escape_string($Target);
> >> >>     }
> >> >>     return $Value;
> >> >> }
> >> >>
> >> >> Thanks!
> >> >> -Shawn
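Added example, written for this page and not code from any of the posters above. It puts the thread's two points into a runnable script: a keyword blacklist (using Igor's rule list as posted) mangles ordinary input and, because str_ireplace makes one pass per pattern, lets a nested keyword through, while a prepared statement keeps user data out of the SQL text and so needs neither the blacklist nor a database-specific escape function. The nested-keyword case goes beyond the examples given in the thread; it follows Jan's advice to analyse the attack before defending. The script assumes PHP 7.4 or later with the pdo_sqlite extension so it can run against an in-memory SQLite database instead of MySQL; the function names, the `users` table and the rows in it are made up for the demo. PDO is used because mysql_real_escape_string() and the rest of the mysql_* extension were removed in PHP 7, and because a PDO prepared statement behaves the same against MySQL, PostgreSQL or SQLite, which answers Igor's "not tied to any database" requirement.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Assumes PHP >= 7.4 with pdo_sqlite.

/**
 * The keyword-blacklist approach from the thread, with Igor's rule list and
 * str_ireplace called as intended: every listed token is removed, case-insensitively.
 */
function blacklistFilter(string $value): string
{
    $rules = ['OR', 'FROM', 'SELECT', 'INSERT', 'DELETE', 'WHERE',
              'DROP TABLE', 'SHOW TABLES', '*', '--', '='];
    return str_ireplace($rules, '', trim($value));
}

/** Small check helper so the script fails loudly (assert() may be disabled by zend.assertions). */
function expect(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("FAILED: $what");
    }
    echo "ok: $what\n";
}

// 1. Ordinary text is mangled: 'or' sits inside Portfolio and Oregon, 'from' is a plain word.
expect(blacklistFilter('Portfolio from Oregon') === 'Ptfolio  egon',
       'blacklist strips letters out of legitimate words');

// 2. str_ireplace makes a single pass per pattern, so a nested keyword survives
//    the filter: the inner SELECT is removed and the outer halves join back up.
expect(blacklistFilter('SELSELECTECT') === 'SELECT',
       'nested keyword passes through the single-pass blacklist');

/** Constructed sample database: in-memory SQLite, two made-up rows. */
function sampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
    return $db;
}

/** Vulnerable: user data is spliced into the SQL text, so a quote ends the literal. */
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Fixed: a prepared statement sends the SQL and the value separately, so the
 * value may contain quotes, keywords or backticks and is still just a name.
 * No blacklist and no per-database escape function are needed.
 */
function findUser(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = sampleDb();
$payload = "x' OR '1'='1";   // the quote-based break-out Shawn refers to

// 3. Concatenation: the query becomes ... WHERE name = 'x' OR '1'='1' and returns every row.
expect(count(findUserUnsafe($db, $payload)) === 2, 'concatenated query leaks all rows');

// 4. Parameterised: the same payload is compared as a literal name and matches nothing,
//    while a real lookup still works.
expect(findUser($db, $payload) === [], 'prepared statement treats the payload as data');
expect(findUser($db, 'alice')[0]['name'] === 'alice', 'legitimate lookup still works');
```

Run it with `php example.php`; each `ok:` line corresponds to one of the four numbered checks, and a RuntimeException means the behaviour differs from what the comment claims. The blacklist checks show why the replace step is both harmful and ineffective; the last two checks show that once the value travels as a bound parameter, the content of the string no longer matters to the query structure.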