I'm on the school server. So before I start I need to say I don't have a choice. I'm tired of reading posts with nothing more than "Tell your administrator to upgrade". I know. Stop. If I see it, it's getting flagged as spam.

I don't really understand what about PHP makes it so vulnerable to an injection attack. I'm supposed to use Dreamweaver for development, and it creates this function for MySQL:

if (!function_exists("GetSQLValueString")) {
// Dreamweaver helper: escapes a value and formats it for a MySQL query according to its type
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  // Undo magic_quotes_gpc first so the value is not escaped twice
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  // Prefer the connection-aware escape; fall back to the older function on old PHP builds
  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

and then there is "mysql_real_escape_string()".

Wouldn't I just be better off with a strict policy with alphanumeric letters only for input, and check against preg_match("/[A-Za-z0-9]{8,20}/",$input,$match); if(implode($match)!=$input) { exit_error();} ?
(you know since I'm intrigued by regex)

OK, so I can't have AWESOME usernames like xX_Ki11er_Qu33n_Xx ~-imma teen grrrl!-~ or some nonsense.

Shouldn't that be good enough?

It's not possible to enter an injection attack if I do a check like that, right? Does preg_match read special or unreadable characters?


I'm tired of reading posts with nothing more than "Tell your administrator to upgrade". I know. Stop. If I see it, it's getting flagged as spam.

We all sympathise, but (please don't mark this as spam) - PHP4 is not a version that most contributors will be familiar with. V5 has been out since 13 July 2004. That's eight whole years. Unless you have an 'elder statesman' visiting this site and he can remember his salad days with all manner of fancy workarounds, you'll probably be able to glean as much info from performing your own Google search.

The manual states:

Support for PHP 4 has been discontinued since 2007-12-31. Please consider upgrading to PHP 5.

OK, and this from somebody who's never used v4:

mysql_real_escape_string exists since 4.3.0. If your server has >= 4.3.0, you may be OK. Unfortunately, as you've gleaned from your code, PHP used to have magic quotes enabled - thankfully this has now been kicked in the goolies. Anyway:

To get rid of automatically added slashes via the magic quotes (if 'on'), use stripslashes and then use mysql_real_escape_string if possible.

addslashes is an option if mysql_real_escape_string is not available.

I can't remember if there are any holes in this - haven't used it in about 6 years or more!

BTW - with regard to using school server - did you look into using 'php on a stick'? I believe that you can run XAMPP from a memory stick. That way you could possibly circumvent the version issue.

Wouldn't I just be better off with a strict policy with alphanumeric letters only for input, and check against preg_match("/[A-Za-z0-9]{8,20}/",$input,$match); if(implode($match)!=$input) { exit_error();} ?

Spot on. Do strict checks.
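To show what "strict checks" buys you, here is an added example (my own code, not the question's or Dreamweaver's) that puts an anchored whole-string whitelist beside the unanchored preg_match check from the question and runs both on a few constructed inputs, including the empty string, where the two differ:

```php
<?php
// Added example (not from the thread): anchored whitelist validation for a
// username, beside the unanchored check from the question, on constructed inputs.

// Strict whitelist: the whole value must be 8-20 ASCII letters or digits.
// The ^ and $ anchors are what make this a whole-string check.
function is_valid_username($input)
{
    return is_string($input) && preg_match('/^[A-Za-z0-9]{8,20}$/', $input) === 1;
}

// The check as written in the question: unanchored match, then compare the
// matched fragment against the full input. When nothing matches, $match is
// empty and implode() yields "", so an empty input slips through.
function passes_unanchored_check($input)
{
    preg_match('/[A-Za-z0-9]{8,20}/', $input, $match);
    return implode('', $match) == $input;
}

// Constructed inputs; the comments state the verdict each check gives.
$samples = array(
    "alice1234",             // anchored: ok      unanchored: ok
    "xX_Ki11er_Qu33n_Xx",    // anchored: reject  unanchored: reject (underscores)
    "abcdefgh' OR '1'='1",   // anchored: reject  unanchored: reject (quote, space)
    "",                      // anchored: reject  unanchored: ok  <- the gap
    str_repeat("a", 21),     // anchored: reject  unanchored: reject (too long)
);

foreach ($samples as $s) {
    printf("%-24s anchored=%-6s unanchored=%s\n",
        var_export($s, true),
        is_valid_username($s) ? 'ok' : 'reject',
        passes_unanchored_check($s) ? 'ok' : 'reject');
}

// Once a value has passed the whitelist it contains no quote, backslash,
// space or comment characters, so it can be placed in the query as a quoted
// literal; the validation, not the quoting, is what makes it safe here.
$user = "alice1234";
if (is_valid_username($user)) {
    $sql = "SELECT id FROM users WHERE username = '" . $user . "'";
}
```

Every function used here already exists in PHP 4.2 and later, so the script runs on the old server as well as on current PHP.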

@diafol, so now I'm an elder statesman?


so now I'm an elder statesman?

Nah, I'll just call you dad. :)

With you on the strict checking wherever possible. Some fields may be difficult e.g. free text where perhaps the user will want to use '' or "". Of course you could disallow [^...] these (or even strip them).


You could always base encode those.

Hadn't thought of that. Oh Gawd. It's horrible, isn't it? The admin should be shot. Not literally! It's the equivalent of making everybody in the school use IE5 :(

The admin should be shot. Not literally!

I am not so sure; the admin could be applying heuristic methods of education, forcing the students to learn how the code works in order to find solutions, as opposed to them just doing a cut & paste job from a current tutorial.


You think? Giving kids outdated software is a disadvantage imo. Of course it helps understand old coding workarounds, but I'm not sure that it inspires. If a host advertised PHP4 instead of PHP5, you wouldn't go near them. Reminds me of layout tables - no need for this new-fangled CSS nonsense.
