On Thu, May 7, 2009 at 9:41 AM, Igor Escobar <titiolinkin@xxxxxxxxx> wrote:
> Ok guys, thanks.
>
>
> Regards,
> Igor Escobar
> Systems Analyst & Interface Designer
>
> --
>
> Personal Blog
> ~ blog.igorescobar.com
> Online Portfolio
> ~ www.igorescobar.com
> Twitter
> ~ @igorescobar
>
>
> On Thu, May 7, 2009 at 7:32 AM, Jan G.B. <ro0ot.w00t@xxxxxxxxxxxxxx> wrote:
>
>> What about declare, cast, unhex, exec etc.?
>> Replacing everything with "" isn't so good, I believe. Others
>> mentioned it before that *, =, select, from etc. are valid words and
>> characters in another context.
>>
>> Analyse some attacks before trying to defend against them. Injections can be
>> heavily db-dependent, so filtering the common words might not be so
>> insightful.
>>
>> If you really want to go the filter approach, then check out this
>> project and learn from them. ;)
>> http://php-ids.org/
>>
>>
>> byebye
>>
>> 2009/5/6 Igor Escobar <titiolinkin@xxxxxxxxx>:
>> > Yeah yeah, I understood that, but the point is... as I said previously, my
>> > function is not tied to any database.
>> >
>> > It is a generic function, I don't know who will use this, so I don't know
>> > what your database is, so I can't use functions like
>> > mysql_real_escape_string etc...
>> >
>> >
>> > Regards,
>> > Igor Escobar
>> >
>> >
>> > On Wed, May 6, 2009 at 3:00 PM, Bruno Fajardo <bsfajardo@xxxxxxxxx> wrote:
>> >
>> >> 2009/5/6 Igor Escobar <titiolinkin@xxxxxxxxx>:
>> >> > hun...by the way.... I forgot to mention, I am Brazilian and here in
>> >> > Brazil these words are not common ...
>> >>
>> >> Igor,
>> >>
>> >> I'm Brazilian too, but that is not the point. Denying the use of *any*
>> >> word as input in your app is unnecessary. The problem that you're
>> >> trying to solve has been solved a long time ago.
>> >>
>> >> Bruno.
>> >>
>> >> > That is a recursive function and I can't use array_map because in some
>> >> > cases we obtain arrays of arrays and that will generate an error.
>> >> >
>> >> >
>> >> > Regards,
>> >> > Igor Escobar
>> >> >
>> >> >
>> >> > On Wed, May 6, 2009 at 2:36 PM, Shawn McKenzie <nospam@xxxxxxxxxxxxx> wrote:
>> >> >
>> >> >> Igor Escobar wrote:
>> >> >> > Hunnn...
>> >> >> >
>> >> >> > So, what do you think now?
>> >> >> >
>> >> >> > function _antiSqlInjection($Target){
>> >> >> >     // words and characters to strip from every value
>> >> >> >     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE',
>> >> >> >                            'DROP TABLE','SHOW TABLES','*','--','=');
>> >> >> >     $arraSanitized = array();
>> >> >> >     foreach($Target as $key => $value):
>> >> >> >         if(is_array($value)):
>> >> >> >             // recurse into nested arrays
>> >> >> >             $arraSanitized[$key] = _antiSqlInjection($value);
>> >> >> >         else:
>> >> >> >             // strip the blacklisted words, then escape quotes unless
>> >> >> >             // magic_quotes_gpc already did
>> >> >> >             $arraSanitized[$key] = (!get_magic_quotes_gpc())
>> >> >> >                 ? addslashes(str_ireplace($sanitizeRules, "", trim($value)))
>> >> >> >                 : str_ireplace($sanitizeRules, "", trim($value));
>> >> >> >         endif;
>> >> >> >     endforeach;
>> >> >> >     return $arraSanitized;
>> >> >> > }
>> >> >> >
>> >> >> Stay on list please. I don't like the ternary or the brace omissions
>> >> >> (alternate syntax) :-) however....
>> >> >>
>> >> >> My point was that in my opinion you don't need the replace at all.
>> >> >> Also, do you really want to strip all 'or', * and = from all fields?
>> >> >> These may be perfectly valid in your app. Or is a very, very common
>> >> >> word, so is from and come to think of it, where, select, insert and
>> >> >> delete.
>> >> >>
>> >> >> For any of the SQL injections to work in your query, there will need to
>> >> >> be quotes or the backtick ` in the user supplied content. The quotes
>> >> >> are escaped by mysql_real_escape_string().
>> >> >>
>> >> >> I don't see any way for a SQL injection without the user input
>> >> >> containing quotes or the backtick to break out of your query or
>> >> >> prematurely terminate an expression. Some examples here, however they
>> >> >> don't mention the backtick:
>> >> >> http://us2.php.net/manual/en/security.database.sql-injection.php
>> >> >>
>> >> >> This might be more useful:
>> >> >>
>> >> >> function _antiSqlInjection($Target)
>> >> >> {
>> >> >>     if(is_array($Target)) {
>> >> >>         // array_map recurses through nested arrays on its own
>> >> >>         $Value = array_map('_antiSqlInjection', $Target);
>> >> >>     } else {
>> >> >>         if(get_magic_quotes_gpc()) {
>> >> >>             // undo magic quotes so the value is escaped exactly once
>> >> >>             $Target = stripslashes($Target);
>> >> >>         }
>> >> >>         // replace backtick with single quote or whatever
>> >> >>         $Target = str_replace("`", "'", $Target);
>> >> >>         $Value = mysql_real_escape_string($Target);
>> >> >>     }
>> >> >>     return $Value;
>> >> >> }
>> >> >>
>> >> >> Thanks!
>> >> >> -Shawn
>> >> >>
>> >> >
>> >
>

Use prepared statements. All your problems go away. Look at mysqli/PDO.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
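The closing advice, prepared statements through PDO, as an added example that is not part of the thread and not code from any of the posters. It uses PDO with the SQLite driver (assumed available as pdo_sqlite) so it runs without a MySQL server; the users table, the sample names and the function names stripKeywords, makeDb, findByNameConcat and findByName are constructed for the demonstration. It also runs the thread's keyword blacklist over an ordinary name to show why stripping words loses data, and puts the concatenated query next to the bound one so the difference is visible on the same input.

```php
<?php
// Added example (not from the thread). Requires PHP 7+ with pdo_sqlite.

// The keyword blacklist posted in the thread, reproduced only to show what it
// does to ordinary input. Hypothetical helper, not a recommendation.
function stripKeywords(string $value): string
{
    $rules = ['OR', 'FROM', 'SELECT', 'INSERT', 'DELETE', 'WHERE',
              'DROP TABLE', 'SHOW TABLES', '*', '--', '='];
    return str_ireplace($rules, '', $value);
}

// In-memory SQLite database with a constructed users table and sample rows.
// The names deliberately contain blacklisted words and the quote/backtick
// characters the thread worries about; they are stored verbatim.
function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    foreach (['Dorothy', 'Frank or Florence', "O'Reilly", 'Select Comfort`s'] as $n) {
        $ins->execute([':name' => $n]);
    }
    return $pdo;
}

// Vulnerable form: the value is spliced into the SQL text. Never do this.
function findByNameConcat(PDO $pdo, string $name): array
{
    $rows = $pdo->query("SELECT id, name FROM users WHERE name = '$name'");
    return $rows->fetchAll(PDO::FETCH_ASSOC);
}

// Safe form: the SQL text is fixed at prepare time and the value travels as
// a bound parameter, so nothing the user types can change the statement.
// No escaping, no keyword stripping, no magic_quotes handling.
function findByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = makeDb();

// The blacklist mangles a legitimate name ("Frank  Florence"), so the
// lookup for the real user misses.
$mangled = stripKeywords('Frank or Florence');
printf("after blacklist: %s -> %d row(s)\n", json_encode($mangled),
       count(findByName($pdo, $mangled)));

// Bound parameters find each row exactly as stored, quotes and all.
foreach (['Frank or Florence', "O'Reilly", 'Select Comfort`s'] as $name) {
    printf("bound lookup for %s -> %d row(s)\n", json_encode($name),
           count(findByName($pdo, $name)));
}

// The apostrophe that a bound parameter handled as data breaks the
// concatenated query: here it is a syntax error, and in a real application
// that is the spot where attacker-controlled SQL would land.
try {
    findByNameConcat($pdo, "O'Reilly");
} catch (PDOException $e) {
    echo 'concatenated query failed: ', $e->getMessage(), "\n";
}
```

With pdo_mysql the same code works against MySQL; there it is also worth setting PDO::ATTR_EMULATE_PREPARES to false so that PDO sends real server-side prepared statements rather than escaping and interpolating on the client. Whether a value contains "or", "select", a quote or a backtick then stops being a question the application has to answer at all.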