Haha.. what the hell? Ok, I know this is an older copy of the script I wrote because I know I took out the "All this does is escape the data" comment and I KNOW I saw the thing about mysql_escape_string() being deprecated... don't know why it's still in there. Hah. Thanks for pointing that out. Now off to find my newer version and make sure I changed it there too.

-TG

= = = Original message = = =

nooooo !!!

mysql_real_escape_string()

anyhow.. good luck with your security endeavors!

On 8/25/05, tg-php@xxxxxxxxxxxxxxxxxxxxxx <tg-php@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> I'm pretty amateur at this too, but have done a little reading on the subject. Here's some nuggets to ponder while the real experts write their responses: :)
>
> 1. Magic quotes + mysql_escape_string = double escaped stuff. I think the general opinion is that magic quotes is evil, but I'm sure some people like it. I prefer to use mysql_escape_string() since it escapes things more specific to MySQL than magic quotes does. Using mysql_escape_string should be good enough by itself.
>
> 2. Check data type. If an item is supposed to be an integer, use intval() before inserting into the database.
>
> 3. Watch your SQL statements for variables that can turn your statement into a "WHERE 1 = 1" situation that will always return TRUE.
>
> Here's something I've been playing with.. a generic function to sanitize data before inserting into the database. You pass it the data and the type of data and it'll clean it up. The nice thing about this is I designed it so if you say type = "phone" and you process it the same as type = "numeric".. then later you decide you want to process "phone" and "numeric" types separately, you only have to check this function, not all your lines of code.
>
> If someone has better ways of doing this, I'm all for hearing it. Please opine or criticize what I've posted above too. I want to learn as well.
>
> -TG
>
> Code:
>
> <?php
> /**
>  * DBSanitizeData() prepares data for inserting/updating into or selecting from
>  * MySQL by making sure that string data is properly escaped so as not to allow
>  * 'SQL injection' type security issues from happening. No direct $_POST or $_GET
>  * data should ever be used in a SQL string.
>  *
>  * Returns sanitized copy of data sent to it.
>  *
>  * Current sanitization only performs a mysql_escape_string() function but could do
>  * more later.
>  *
>  * Example (the escaped string value has to sit inside the SQL quotes, otherwise
>  * the escaping protects nothing):
>  * $result = mysql_query("INSERT INTO TableName (SomeColumn) VALUES ('" . DBSanitizeData($_POST['somevar']) . "')");
>  *
>  * <pre>
>  * Modification Log:
>  * --------------------------------------------------
>  * Created:   Trevor Gryffyn - 03/28/2005
>  *
>  * </pre>
>  *
>  * @author Trevor Gryffyn <tgryffyn@xxxxxxxxxxx>
>  * @category Database Functions
>  *
>  */
> function DBSanitizeData($dbdata, $datatype = "alpha")
> {
>     switch ($datatype) {
>         case "binary":
>         case "truefalse":
>             // Anything not in the "true" list is stored as "N".
>             $trues  = array("YES", "Y", "1", "ON", "TRUE", "T");
>             $falses = array("NO", "N", "0", "OFF", "FALSE", "F");
>             if (in_array(trim(strtoupper($dbdata)), $trues)) {
>                 $dbdata = "Y";
>             } else {
>                 $dbdata = "N";
>             }
>             break;
>         case "phone":
>         case "numeric":
>         case "ssn":
>             // Keep digits only.
>             $dbdata = preg_replace('/[^\d]+/', '', $dbdata);
>             break;
>         case "float":
>         case "money":
>         case "percent":
>             // TODO: Should this be handled with floatval() or something else?
>             // Yes.. it probably should. Maybe this is better.
>             // Keep the decimal point: stripping it and dividing by 100 turned
>             // "12.5" into 1.25.
>             if (strstr($dbdata, ".") AND trim($dbdata) <> "") {
>                 $dbdata = floatval(preg_replace('/[^\d.]+/', '', $dbdata));
>             } else {
>                 $dbdata = floatval(preg_replace('/[^\d]+/', '', $dbdata));
>             }
>             break;
>         case "name":
>         case "address":
>             $dbdata = ucwords($dbdata);
>             break;
>         case "state":
>             $dbdata = strtoupper($dbdata);
>             break;
>         case "date":
>             // strtotime() returns false (-1 on PHP 4) for input it cannot parse;
>             // checking that directly avoids the time-zone dependent
>             // "1969-12-31" comparison.
>             $ts = strtotime($dbdata);
>             $dbdata = ($ts === false || $ts === -1) ? "" : date("Y-m-d", $ts);
>             break;
>         case "alpha":
>         default:
>             // Nothing special, just jump down to the trim/escape
>             break;
>     }
>
>     return trim(mysql_escape_string($dbdata));
> }
> ?>
>
> = = = Original message = = =
>
> Greetings all:
>
> Using PHP 4.3.xx and MySQL 4.1 (and 3.xxx sometimes).
>
> I've got a ton of forms that use the $_POST variable to send information into the database, and I'm worried about injection attacks.
>
> My server has magic_quotes enabled, which I thought would handle most things, but am wondering now if I need to use mysql_escape_string on everything, which would mean, of course, a lot of find-and-replace and rewriting.
>
> Also, REGISTER_GLOBALS is turned off, and errors are not shown to the user when the site is live.
>
> Any suggestions on how to tighten up the form security, or does magic_quotes help enough?
>
> For what it's worth, I've tried to enter things like "pw=''" and other simulated attacks using the $_GET method, but haven't been able to crack the site. But I'm a noob at that kind of thing, so I try not to get too carried away with myself.
>
> Thanks,
> V
>
> ___________________________________________________________
> Sent by ePrompter, the premier email notification software.
> Free download at http://www.ePrompter.com.
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

--
-------------------------------------------------------------------------------
Charles Morris
cmorris@xxxxxxxxxx
CS Systems Group
Old Dominion University
http://www.cs.odu.edu/~cmorris
http://www.cs.odu.edu/cspage/systemstaff.html
------------------------------------------------------------------------------
"Caution! Under no circumstances confuse the mesh with the interleave operator, except under confusing circumstances!" -- the INTERCAL manual

They that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759

"The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and i'm not even too sure about that one" -- Dennis Huges, FBI.
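The three points in TG's quoted reply (double escaping under magic quotes, intval() for integers, and the "WHERE 1 = 1" pattern V was probing for) walked through in PHP, as an added example that is not code from anyone in the thread. It assumes a local my_escape() stand-in for mysql_escape_string() so that it runs without the old mysql extension.

```php
<?php
// Added example, not code from the thread. Assumption: my_escape() escapes the
// same bytes mysql_escape_string() does (NUL, \n, \r, \, ', ", Ctrl-Z) without
// needing a MySQL connection or the old mysql extension.
function my_escape($s) {
    return strtr($s, array(
        "\x00" => '\\0', "\n" => '\\n', "\r" => '\\r', "\\" => '\\\\',
        "'"    => "\\'", '"'  => '\\"', "\x1a" => '\\Z',
    ));
}

// Undo the magic_quotes_gpc layer (addslashes() on every $_POST value) before
// escaping exactly once, so the stored value has no stray backslash.
function form_string($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return my_escape($value);
}

// Point 1, with a constructed input: what double escaping does.
$typed = "O'Brien";                        // what the user typed
$gpc   = addslashes($typed);               // O\'Brien   (what $_POST holds with magic quotes on)
$twice = my_escape($gpc);                  // O\\\'Brien -> MySQL stores O\'Brien (wrong)
$once  = my_escape(stripslashes($gpc));    // O\'Brien   -> MySQL stores O'Brien  (right)

// Point 2: numbers are not quoted in SQL, so escaping cannot protect them;
// intval() keeps only the leading integer of whatever was submitted.
$id  = intval("7 OR 1=1");                 // 7
$sql = "SELECT * FROM users WHERE id = " . $id;

// Point 3: the escaped string must sit inside SQL quotes. Quoted, the input
// stays one string literal and cannot add a second condition; unquoted, the
// escaping changes nothing useful.
$pw       = "' OR 1=1 -- ";                // constructed test value, like V's "pw=''" probe
$quoted   = "SELECT * FROM users WHERE pw = '" . form_string($pw) . "'";
// -> WHERE pw = '\' OR 1=1 -- '   (one literal, no extra condition)
$unquoted = "SELECT * FROM users WHERE pw = " . form_string($pw);
// -> WHERE pw = \' OR 1=1 --      (no string literal at all; escaping is useless here)

echo $twice, "\n", $once, "\n", $sql, "\n", $quoted, "\n", $unquoted, "\n";
```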