I', am a newbie and trying to get a better understanding of securing mysql queries vs. injections. I found this code here below, which seems to work nicely and makes it possible to automatically "clean" all inputs coming thru $_GET, $_POST and $_COOKIE. But in some forums I was told it is still susceptible to numeric injection as mysql_real_escape_string function only checks for strings (as if a hacker was to use numbers, as opposed to single/double quotes which would get escaped). At any rate, in the second version below, I included "numeric" validation, but I'm not sure if I did it correctly... can anybody guide me on it, and how coudl I test it to make sure it is working... thank u all!

<?php

// ORIGINAL CODE

$_POST=sanitize($_POST);
$_GET=sanitize($_GET);
$_COOKIE=sanitize($_COOKIE);
$_REQUEST=sanitize($_REQUEST);

function sanitize($input){
if(is_array($input)){
foreach($input as $k=>$i){
$output[$k]=sanitize($i);
}
}
else{
if(get_magic_quotes_gpc()){
$input=stripslashes($input);
}
$output=mysql_real_escape_string($input);
}
return $output;
}


// HERE IS ORIGINAL WITH ADDED NUMERIC VALIDATION

$_POST=sanitize($_POST);
$_GET=sanitize($_GET);
$_COOKIE=sanitize($_COOKIE);
$_REQUEST=sanitize($_REQUEST);


function sanitize($input){
if(is_array($input)){
foreach($input as $k=>$i){
$output[$k]=sanitize($i);
}
}
else{
if(get_magic_quotes_gpc()){

if (is_numeric($input)) {
$input = "'" . stripslashes($input) . "'";
}
else
$input=stripslashes($input);
}
$output=mysql_real_escape_string($input);
}
return $output;
}


?>

Nobody's really going to gain anything by inserting numbers. The whole purpose of SQL injection is to modify the query. They probably meant if your input is supposed to be numeric(a user id, for instance) and an attacker used a string, unexpected results could occur. Using mysql_real_escape_string() and mysql_query() to run your queries should be fine. The major things you don't want are people being able to do this:

// Pretend user input
$password = "password' OR 1=1";

And this:

//More pretend user input
$password = "password'; DROP TABLE Users";

When your query looks like this:
$query = "SELECT * FROM Users WHERE name='$name' AND password='$password'";

The first one will select all users from the database, the second one will wipe the Users table.

Thanks Lsmj...

Well, seems from what I been reading, mysql_real_escape_string could be bypassed by exactly that, where a query expects a number. An example given is where in an sql statement integers are not surrounded by quotes, like:

SELECT * FROM articles WHERE article_id = 4;

So, one could change the url that calls for that query to be like this:

www.mydomain.com/article.php?articleid=4 OR 1=1

And that would become an injection, as no characters woudl be escaped by the mysql_real_escape_string function. So, from what I gather, ones has to check if it's numeric and appropriately handle it so it's no able to be injected...

Am I understanding this wrong??

Thanks again!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.