PHP Discussion Thread
Feb 27th, 2008

Data Safe - SQL Injection

Hi,

This is an interesting question (in my humble opinion).

I am trying to create a forum in PHP. So there is a "Post a new Thread" link, clicking on which would open a textarea field for posting a message and a textbox for the "title".

Now, I don't want ppl to SQL inject queries through the textarea or the textbox field.

So I have created this function for the same.


```php
function dbsafe($data){
    // Strip each SQL keyword wherever it appears in the input (case-sensitive, one pass per word).
    $data = str_replace('select','',$data);
    $data = str_replace('alter','',$data);
    $data = str_replace('delete','',$data);
    $data = str_replace('replace','',$data);
    return $data;
}
```


Now, though the above function would secure my db up to some extent, the only limitation I can see is that my members/visitors will not be able to use the words "select", "alter", "delete", "replace" in their threads even though they want to use them (not for SQL injection purposes).


So, I had to change my dbsafe function to the following:

```php
function dbsafe($data){
    // Strip each of my table names wherever it appears in the input (case-sensitive, one pass per name).
    $data = str_replace('tbl_members','',$data);
    $data = str_replace('tbl_login','',$data);
    $data = str_replace('tbl_details','',$data);
    $data = str_replace('tbl_orders','',$data);
    return $data;
}
```

OK, so now my function would replace my database tables if the attacker intends to destroy or misuse them using any SQL statements.

Now my question is that:

1) Which one of the above 2 functions is better you think?
2) Also, in my second function, is there a way the attacker would hamper my database without using my table names?


Please guide and help.

Need your opinion


Thanx so much in advance
Posted by cancer10
Feb 27th, 2008

Re: Data Safe - SQL Injection

why not try to use the mysql_real_escape_string function?

here I have made one:

```php
function antiinject($var)
{
    // Undo magic_quotes_gpc escaping so the value is not escaped twice.
    if (get_magic_quotes_gpc())
    {
        $var1 = stripslashes($var);
    }
    else
    {
        $var1 = $var;
    }
    // Escape quotes and other special characters for use inside a quoted SQL string literal.
    return mysql_real_escape_string($var1);
}
```

Hope this helps.
Posted by ryan_vietnow
Feb 27th, 2008

Re: Data Safe - SQL Injection

what does your function do?

Plz explain
Last edited by cancer10; Feb 27th, 2008 at 1:45 am.
Posted by cancer10
Feb 27th, 2008

Re: Data Safe - SQL Injection

See this, Example 2.
Posted by nav33n (Moderator)
Feb 27th, 2008

Re: Data Safe - SQL Injection

About your 2 functions, I think the 2nd function is better, but the attacker can destroy not just your tables but the whole database itself:

```sql
drop database [database name];
```

stripslashes un-quotes a quoted string that is used in SQL statements, therefore escaping all quotes, making the injection useless.

The function checks if get_magic_quotes_gpc is on to prevent double escaping of quotes.
Posted by ryan_vietnow
Feb 27th, 2008

Re: Data Safe - SQL Injection

Thanx ryan for the detailed explanation. Appreciate it.

So you think both the functions "get_magic_quotes_gpc" and "mysql_real_escape_string" are being used in all professional forums to prevent injections?
Posted by cancer10
Feb 27th, 2008

Re: Data Safe - SQL Injection

There are many ways to prevent SQL injection attacks, friend.

Try to check this link. Very helpful to me, and I think it will be helpful to you also.

http://www.jonlee.ca/how-to-prevent-...ction-attacks/
Posted by ryan_vietnow
Feb 27th, 2008

Re: Data Safe - SQL Injection

The way to look at injection protection is not to "take the bad things out" but to "only let the good things in". There is, funnily enough, a big difference.

Properly quoting the input text to make it impotent is a reasonable strategy in this case, since you're accepting a wide range of legal input characters; but for a web forum also consider sanitising HTML markup in any uploaded data, since you don't want anonymous people posting working Javascript onto your hosted pages. It's not a risk to your server, or even users' machines -- but it can be used to steal online identities.

As for the professional forum software, most are open source so you could have a look at how they do it. It's a good bet they use either the built-in PHP string escape methods as ryan suggested; or regular expression based sanitisers; or state-based parsers as sanitisers.

Sanitising using string-wide replace operations as you suggested in the original two examples is not even marginally safe. Consider this input ( to your first sanitiser ):

deldeleteete * from *
Your code will replace the highlighted instance of delete, creating a new delete as it does so, which will be subsequently un-noticed ( since that's how replace works ). Yay!
Last edited by MattEvans; Feb 27th, 2008 at 3:09 am.
Posted by MattEvans (Moderator)
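The blacklist failure MattEvans describes, next to the "only let the good things in" alternative, as an added example that is not code from the thread. It assumes PHP 7 or later with PDO and the pdo_sqlite extension; the thread table, the title allow-list pattern and the sample posts are constructed for the example.

```php
<?php
// Added example, not code from the thread: cancer10's first dbsafe() blacklist
// beside MattEvans' "only let the good things in" approach. Assumes PHP 7+ with
// PDO and pdo_sqlite (in-memory database); table and column names are constructed.

function dbsafe($data) {
    // The original blacklist: one non-recursive pass per keyword.
    foreach (['select', 'alter', 'delete', 'replace'] as $word) {
        $data = str_replace($word, '', $data);
    }
    return $data;
}

// Allow-list for the title: letters, digits, spaces, a little punctuation, 1-80 chars.
function valid_title($title) {
    return preg_match('/^[\p{L}\p{N} .,!?\'"()-]{1,80}$/u', $title) === 1;
}

// The free-text body is bound as a parameter, so it reaches the database as
// data and cannot become part of the SQL statement, whatever words it contains.
function post_thread(PDO $pdo, $title, $body) {
    if (!valid_title($title)) {
        throw new InvalidArgumentException('title rejected by allow-list');
    }
    $stmt = $pdo->prepare('INSERT INTO thread (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE thread (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');

// MattEvans' input: stripping the inner "delete" assembles a new one.
$body = 'deldeleteete * from *';
echo 'blacklist result: ', dbsafe($body), "\n";

// Through a prepared statement the same text comes back verbatim, and the
// word "delete" in a title is fine too, because it is data rather than SQL.
$id = post_thread($pdo, 'Can I delete my own post?', $body);
$stmt = $pdo->prepare('SELECT title, body FROM thread WHERE id = :id');
$stmt->execute([':id' => $id]);
print_r($stmt->fetch(PDO::FETCH_ASSOC));

// A title with a character outside the allow-list is refused rather than cleaned.
try {
    post_thread($pdo, 'drop database forum;', 'hello');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```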
Mar 2nd, 2008

Re: Data Safe - SQL Injection

ryan_vietnow wrote:
> why not try to use the mysql_real_escape_string function?
>
> here I have made one:
>
> ```php
> function antiinject($var)
> {
>     // Undo magic_quotes_gpc escaping so the value is not escaped twice.
>     if (get_magic_quotes_gpc())
>     {
>         $var1 = stripslashes($var);
>     }
>     else
>     {
>         $var1 = $var;
>     }
>     // Escape quotes and other special characters for use inside a quoted SQL string literal.
>     return mysql_real_escape_string($var1);
> }
> ```
>
> Hope this helps.

Will this function prevent my users from inserting PHP tags into the db?

Like <?php phpingo();?> etc?
Posted by cancer10
Mar 3rd, 2008

Re: Data Safe - SQL Injection

mysql_real_escape_string is used for SQL statements only.

Here, I have made a function to delete these tags.

```php
function deletephptags($var)
{
    // nothing to delete if there is no opening tag..
    if (strpos($var, "<?php") === false) {
        return $var;
    }
    // $b gets the text after the first <?php tag..
    list($a, $b) = explode("<?php", $var, 2);
    // $c gets the text after <?php and before the ending tag (or to the end if there is none)..
    $parts = explode("?>", $b, 2);
    $c = $parts[0];
    $closing = count($parts) == 2 ? "?>" : "";
    // deletes the php tags and the code inside them..
    $data = str_replace("<?php" . $c . $closing, '', $var);
    // return the new string....
    return $data;
}
```

Enjoy!
Last edited by ryan_vietnow; Mar 3rd, 2008 at 2:44 am.
Posted by ryan_vietnow
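Storing posts exactly as typed and encoding them when they are rendered, as an added example (not code from the thread) that addresses the PHP-tag question in the last two posts and the HTML point MattEvans raised. It assumes PHP 5.4 or later; the page layout and the sample post are constructed.

```php
<?php
// Added example, not code from the thread. Rather than deleting "<?php ... ?>"
// from a post, the text is kept as typed and encoded at output time.
// Assumes PHP 5.4+ (ENT_SUBSTITUTE); the HTML layout and sample post are constructed.

// Encode for HTML element content and for double-quoted attribute values alike.
function h($text) {
    // <, >, &, " and ' become entities, so neither a PHP tag nor an HTML tag in
    // the text is interpreted by the browser; ENT_SUBSTITUTE replaces invalid
    // UTF-8 with U+FFFD instead of silently turning the whole string into "".
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one thread post. The title goes into both an attribute and element text.
function render_post($title, $body) {
    $html  = '<h2 title="' . h($title) . '">' . h($title) . "</h2>\n";
    // nl2br runs after encoding, so the <br /> it inserts are the only real tags left.
    $html .= '<div class="body">' . nl2br(h($body)) . "</div>\n";
    return $html;
}

// cancer10's sample from the thread, as a user might post it.
$title = 'Is <?php phpingo();?> "safe"?';
$body  = "I tried <?php phpingo();?> and it broke.\nAlso, can I post <b>bold</b>?";
echo render_post($title, $body);

// The stored strings stay untouched: a PHP tag in the database only executes if
// the application itself passes the text to eval() or include, which a forum
// never needs to do, so there is nothing to strip on the way in.
```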
