Eric Butera wrote:
> On Thu, May 7, 2009 at 9:41 AM, Igor Escobar <titiolinkin@xxxxxxxxx> wrote:
>> Ok guys, thanks.
>>
>> Regards,
>> Igor Escobar
>> Systems Analyst & Interface Designer
>>
>> --
>>
>> Personal Blog
>> ~ blog.igorescobar.com
>> Online Portfolio
>> ~ www.igorescobar.com
>> Twitter
>> ~ @igorescobar
>>
>> On Thu, May 7, 2009 at 7:32 AM, Jan G.B. <ro0ot.w00t@xxxxxxxxxxxxxx> wrote:
>>
>>> What about declare, cast, unhex, exec etc.?
>>> Replacing everything with "" isn't so good, I believe. Others
>>> mentioned it before that *, =, select, from etc. are valid words and
>>> characters in another context.
>>>
>>> Analyse some attacks before trying to defend against them. Injections can be
>>> heavily db-dependent, so filtering the common words might not be so
>>> insightful.
>>>
>>> If you really want to go the filter approach, then check out this
>>> project and learn from them. ;)
>>> http://php-ids.org/
>>>
>>> byebye
>>>
>>> 2009/5/6 Igor Escobar <titiolinkin@xxxxxxxxx>:
>>>> Yeah yeah, I understood that, but the point is... as I said previously, my
>>>> function is not tied to any database.
>>>>
>>>> It is a generic function; I don't know who will use this, so I don't know what
>>>> your database is, so I can't use functions like mysql_real_escape_string
>>>> etc...
>>>>
>>>> Regards,
>>>> Igor Escobar
>>>>
>>>> On Wed, May 6, 2009 at 3:00 PM, Bruno Fajardo <bsfajardo@xxxxxxxxx> wrote:
>>>>> 2009/5/6 Igor Escobar <titiolinkin@xxxxxxxxx>:
>>>>>> hun... by the way.... I forgot to mention, I am Brazilian and here in
>>>>>> Brazil these words are not common ...
>>>>>
>>>>> Igor,
>>>>>
>>>>> I'm Brazilian too, but that is not the point. Denying the use of *any*
>>>>> word as input in your app is unnecessary. The problem that you're
>>>>> trying to solve has been solved a long time ago.
>>>>>
>>>>> Bruno.
>>>>>
>>>>>> That is a recursive function and I can't use array_map because in some
>>>>>> cases we obtain arrays of arrays and that will generate an error.
>>>>>>
>>>>>> Regards,
>>>>>> Igor Escobar
>>>>>>
>>>>>> On Wed, May 6, 2009 at 2:36 PM, Shawn McKenzie <nospam@xxxxxxxxxxxxx> wrote:
>>>>>>> Igor Escobar wrote:
>>>>>>>> Hunnn...
>>>>>>>>
>>>>>>>> So, what do you think now?
>>>>>>>>
>>>>>>>> function _antiSqlInjection($Target){
>>>>>>>>     // blacklist of tokens to strip (case-insensitively) from every value
>>>>>>>>     $sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE',
>>>>>>>>                            'DROP TABLE','SHOW TABLES','*','--','=');
>>>>>>>>     $arraySanitized = array();
>>>>>>>>     foreach($Target as $key => $value):
>>>>>>>>         if(is_array($value)):
>>>>>>>>             // recurse into nested arrays
>>>>>>>>             $arraySanitized[$key] = _antiSqlInjection($value);
>>>>>>>>         else:
>>>>>>>>             // strip the listed tokens, then escape unless magic_quotes already did
>>>>>>>>             $cleaned = str_ireplace($sanitizeRules, "", trim($value));
>>>>>>>>             $arraySanitized[$key] = (!get_magic_quotes_gpc()) ? addslashes($cleaned) : $cleaned;
>>>>>>>>         endif;
>>>>>>>>     endforeach;
>>>>>>>>     return $arraySanitized;
>>>>>>>> }
>>>>>>>>
>>>>>>> Stay on list please. I don't like the ternary or the brace omissions
>>>>>>> (alternate syntax) :-) however....
>>>>>>>
>>>>>>> My point was that in my opinion you don't need the replace at all.
>>>>>>> Also, do you really want to strip all 'or', * and = from all fields?
>>>>>>> These may be perfectly valid in your app. Or is a very, very common
>>>>>>> word, so is from and, come to think of it, where, select, insert and
>>>>>>> delete.
>>>>>>>
>>>>>>> For any of the SQL injections to work in your query, there will need to
>>>>>>> be quotes or the backtick ` in the user supplied content. The quotes
>>>>>>> are escaped by mysql_real_escape_string().
>>>>>>>
>>>>>>> I don't see any way for a SQL injection without the user input
>>>>>>> containing quotes or the backtick to break out of your query or
>>>>>>> prematurely terminate an expression. Some examples here, however they
>>>>>>> don't mention the backtick:
>>>>>>> http://us2.php.net/manual/en/security.database.sql-injection.php
>>>>>>>
>>>>>>> This might be more useful:
>>>>>>>
>>>>>>> function _antiSqlInjection($Target)
>>>>>>> {
>>>>>>>     if(is_array($Target)) {
>>>>>>>         // array_map recurses through this same function, so nested arrays are fine
>>>>>>>         $Value = array_map('_antiSqlInjection', $Target);
>>>>>>>     } else {
>>>>>>>         if(get_magic_quotes_gpc()) {
>>>>>>>             // undo magic_quotes first so the value is not escaped twice
>>>>>>>             $Target = stripslashes($Target);
>>>>>>>         }
>>>>>>>         // replace backtick with single quote or whatever
>>>>>>>         $Target = str_replace("`", "'", $Target);
>>>>>>>         $Value = mysql_real_escape_string($Target);
>>>>>>>     }
>>>>>>>     return $Value;
>>>>>>> }
>>>>>>>
>>>>>>> Thanks!
>>>>>>> -Shawn
>>>>>>>
>
> Use prepared statements. All your problems go away. Look at mysqli/PDO.

RTFP! ;-) He has no idea what DB will be used.

--
Thanks!
-Shawn
http://www.spidean.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
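The following is an added example, not code posted by anyone in the thread, showing the approach Eric and Bruno point at: PDO prepared statements with bound parameters. It uses an in-memory SQLite database (assumed available through the pdo_sqlite extension) purely so it runs offline; only the DSN string in `openDb()` is driver-specific, which is what makes this usable in a library that, like Igor's, does not know which database it will sit on. The table, the column names and the sample inputs are constructed for the example. It also shows what Igor's word list does to a legitimate free-text value, and that a numeric column is protected by the parameter type rather than by quotes, a case the quote-or-backtick rule discussed above does not cover.

```php
<?php
// Added example: PDO placeholders keep user data out of the SQL grammar
// regardless of the driver behind the DSN. Not code from the thread.

// Igor's blacklist approach, reproduced only to show its effect on input.
function blacklistStrip($value)
{
    $rules = array('OR', 'FROM', 'SELECT', 'INSERT', 'DELETE', 'WHERE',
                   'DROP TABLE', 'SHOW TABLES', '*', '--', '=');
    return str_ireplace($rules, '', trim($value));
}

function openDb()
{
    // Only this line is database-specific. 'mysql:host=...;dbname=...' or
    // 'pgsql:...' would work with the rest of the code unchanged.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema for the example.
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

function insertComment(PDO $db, $body)
{
    // Named placeholder: the driver sends $body as data, never as SQL text,
    // so nothing in it needs stripping or escaping by our code.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute(array(':body' => $body));
    return (int) $db->lastInsertId();
}

function findByBody(PDO $db, $body)
{
    $stmt = $db->prepare('SELECT id, body FROM comments WHERE body = :body');
    $stmt->execute(array(':body' => $body));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function findById(PDO $db, $id)
{
    // Numeric context: the SQL has no quotes around the value, so the
    // type binding is what keeps the input from becoming an expression.
    $stmt = $db->prepare('SELECT id, body FROM comments WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = openDb();

// Constructed sample input: an ordinary sentence that happens to contain
// blacklisted words, and a value containing quotes.
$legit   = "Please select the larger size or refund me";
$quoted  = "x' OR '1'='1";

$legitId = insertComment($db, $legit);    // stored verbatim
insertComment($db, $quoted);              // also stored verbatim, as data

// The word list mangles the legitimate sentence before it is ever stored:
// "Please  the larger size  refund me"
echo blacklistStrip($legit), "\n";

// Bound as a parameter, the quoted value matches exactly one row: its own.
$rows = findByBody($db, $quoted);
echo count($rows), " row(s); body: ", $rows[0]['body'], "\n";

// An id such as "1 OR 1=1" contains no quote or backtick, but bound as an
// integer it is simply 1 and returns the first comment only.
$rows = findById($db, "1 OR 1=1");
echo count($rows), " row(s); id: ", $rows[0]['id'], "\n";
```

With the MySQL driver you would additionally set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server, not the client library, performs the prepare; SQLite prepares natively. The magic_quotes handling in both functions above becomes unnecessary with this approach, since the value must reach `execute()` unescaped.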