0

Hi,

This is an interesting question (in my humble opinion).

I am trying to create a forum in PHP. So there is a "Post a new Thread" link, clicking on which would open a textarea field for posting a message and a textbox for the "title".

Now, I don't want people to SQL inject queries through the textarea or the textbox field.

So I have created this function for the same.

function dbsafe($data){
    $data = str_replace('select','',$data);
    $data = str_replace('alter','',$data);
    $data = str_replace('delete','',$data);
    $data = str_replace('replace','',$data);
    return $data;
}

Now, though the above function would secure my DB up to some extent, the only limitation I can see is that my members/visitors will not be able to use the words "select", "alter", "delete", "replace" in their threads even when they want to use them (not for SQL injection purposes).


So, I had to change my dbsafe function to the following:

function dbsafe($data){
    $data = str_replace('tbl_members','',$data);
    $data = str_replace('tbl_login','',$data);
    $data = str_replace('tbl_details','',$data);
    $data = str_replace('tbl_orders','',$data);
    return $data;
}

OK, so now my function would replace my database tables if the attacker intends to destroy or misuse them using any SQL statements.

Now my question is that:

1) Which one of the above 2 functions is better you think?
2) Also, in my second function, is there a way the attacker could hamper my database without using my table names?


Please guide and help.

Need your opinion


Thanks so much in advance

0

Why not try to use the mysql_real_escape_string function?

here I have made one:

function antiinject($var)
{
	// Undo the automatic escaping added by magic_quotes_gpc (if it is on) so
	// the input is not escaped twice. Note: get_magic_quotes_gpc() and the
	// mysql_* extension were removed in PHP 8.0 and PHP 7.0 respectively.
	if (get_magic_quotes_gpc())
	{
		$var1 = stripslashes($var);
	}
	else
	{
		$var1 = $var;
	}
	// Escape quotes, NUL and other special characters for use inside a quoted
	// SQL string literal; needs an open mysql_connect() link.
	return mysql_real_escape_string($var1);
}

Hope this helps.

0

About your 2 functions, I think the 2nd function is better, but the attacker can destroy not just your tables but the whole database itself:

drop database [database name];

stripslashes un-quotes a quoted string that is used in SQL statements, therefore escaping all quotes, making the injection useless.

The function checks if get_magic_quotes_gpc is on to prevent double escaping of quotes.

0

Thanks ryan for the detailed explanation. Appreciate it.

So you think both the functions "get_magic_quotes_gpc" and "mysql_real_escape_string" are being used in all professional forums to prevent injections?

0

The way to look at injection protection is not to "take the bad things out" but to "only let the good things in". There is, funnily enough, a big difference.

Properly quoting the input text to make it impotent is a reasonable strategy in this case, since you're accepting a wide range of legal input characters; but for a web forum also consider sanitising HTML markup in any uploaded data, since you don't want anonymous people posting working JavaScript onto your hosted pages. It's not a risk to your server, or even users' machines -- but it can be used to steal online identities.

As for the professional forum software, most are open source so you could have a look at how they do it. It's a good bet they use either the built-in PHP string escape methods as ryan suggested; or regular expression based sanitisers; or state-based parsers as sanitisers.

Sanitising using string-wide replace operations as you suggested in the original two examples is not even marginally safe. Consider this input (to your first sanitiser):

deldeleteete * from *

Your code will replace the inner instance of delete, creating a new delete as it does so, which will subsequently go unnoticed (since that's how replace works). Yay!
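Added example, not code from the thread, putting the three points of this reply together: the nested-keyword bypass against the opening post's first dbsafe(), an allowlist for the short title field, and a parameterised PDO insert with HTML-escaped output. It assumes PHP 7+ with the pdo_sqlite extension; the posts table and its columns are invented for the demo.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with the pdo_sqlite
// extension; the "posts" table and its columns are invented for the demo.

// The first dbsafe() from the opening post, kept to reproduce the bypass.
function dbsafe_blacklist(string $data): string
{
    foreach (['select', 'alter', 'delete', 'replace'] as $word) {
        $data = str_replace($word, '', $data);
    }
    return $data;
}

// Nested keyword: stripping the inner "delete" glues "del" and "ete" back
// together, so the filter manufactures the very word it tried to remove.
$body = 'deldeleteete * from tbl_members -- "quoted" and it\'s apostrophe';
assert(dbsafe_blacklist($body) === 'delete * from tbl_members -- "quoted" and it\'s apostrophe');

// "Only let the good things in": an allowlist for the short title field.
function valid_title(string $title): bool
{
    return (bool) preg_match('/\A[\p{L}\p{N} .,!?\'"()-]{1,100}\z/u', $title);
}

// Parameterised insert: the body is bound as data, so any keyword, quote or
// comment marker it contains is stored verbatim and nothing in it is executed.
function store_post(PDO $pdo, string $title, string $body): array
{
    if (!valid_title($title)) {
        throw new InvalidArgumentException('title rejected by allowlist');
    }
    $stmt = $pdo->prepare('INSERT INTO posts (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => $body]);
    return $pdo->query('SELECT title, body FROM posts ORDER BY id DESC LIMIT 1')
               ->fetch(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');

$row = store_post($pdo, "How do I use 'select' safely?", $body);
assert($row['body'] === $body); // stored byte-for-byte, table still intact

// Escape on output so markup in a post renders as text (the JavaScript point above).
echo htmlspecialchars($row['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
echo htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
```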

0

Why not try to use the mysql_real_escape_string function?

here I have made one:

function antiinject($var)
{
	// Undo the automatic escaping added by magic_quotes_gpc (if it is on) so
	// the input is not escaped twice. Note: get_magic_quotes_gpc() and the
	// mysql_* extension were removed in PHP 8.0 and PHP 7.0 respectively.
	if (get_magic_quotes_gpc())
	{
		$var1 = stripslashes($var);
	}
	else
	{
		$var1 = $var;
	}
	// Escape quotes, NUL and other special characters for use inside a quoted
	// SQL string literal; needs an open mysql_connect() link.
	return mysql_real_escape_string($var1);
}

Hope this helps.

Will this function prevent my users from inserting PHP tags into the DB?

Like <?php phpingo();?> etc?

0

mysql_real_escape_string is used for SQL statements only.

Here, I have made a function to delete these tags.

function deletephptags($var)
{
	// Remove every "<?php ... ?>" block, tags included. The original
	// explode()-based version only removed the code between the tags, left
	// the tags themselves in place and raised notices when no tag was
	// present; a single regular expression covers all of those cases
	// (an unterminated "<?php" is stripped to the end of the string).
	// Note: a stored "<?php" string is inert unless it is later eval'd or
	// written into a .php file; HTML-escape on output regardless.
	return preg_replace('/<\?php.*?(\?>|\z)/s', '', $var);
}

Enjoy!
