Hi guys!(This is not any tut,I'm actually asking for help &/or to make myself correct! :D)
As we all know about the php malicious input filtering functions like mysql_real_escape_string, strip_slashes, strip_tags, htmlentities, etc.
Lets take mysql_real_escape_string
$input = "'OR 1=1'";
$safe_input = mysql_real_escape_string($input);
So it turns .......
\'OR 1=1\'
But the malformed query is actually being processed after filtering,which is a wastage of resource & opening door to say "Yeah,come show your hacking skills!".
So why not detect such malicious inputs from an user before starting the actual program flow?
Lets bring a very simple function in to play.
Mysqli & PDO are fine,But pls correct me in here,thanks in advance..
As we all know about the php malicious input filtering functions like mysql_real_escape_string, strip_slashes, strip_tags, htmlentities, etc.
Lets take mysql_real_escape_string
$input = "'OR 1=1'";
$safe_input = mysql_real_escape_string($input);
So it turns .......
\'OR 1=1\'
But the malformed query is actually being processed after filtering,which is a wastage of resource & opening door to say "Yeah,come show your hacking skills!".
So why not detect such malicious inputs from an user before starting the actual program flow?
Lets bring a very simple function in to play.
PHP Code:
function kickass($str)
{
$str = str_ireplace("<script>","", $str, $i);
$str = str_ireplace("</script>","", $str, $j);
$str = str_ireplace("'", "", $str, $k);
$str = str_ireplace('"', '', $str, $l);
$str = str_irelace(";", "", $str, $m);
////////////Add more in the list or lets make a easy function wid preg_match
return $i+$j+$k+$l+$m;
}
PHP Code:
if(kickass($_POST['username'] + kickass($_POST['password']) > 0)
{
/*inputs are unsafe,
Give a warning message or just redirect him back to the login page
*/
}
else
{
//Start the actual program flow wid safe inputs
////mysql_connect,mysql query etc
}
This step should not be avoided in any case:
Comment