mGiGS - SQL Injection advice

    Now I'm not here to give you an ultimate global function to stop MySQL injection like I've been seeing all around this site. No. I'm here to give you a hook, not a fish. Rule of thumb: when writing PHP applications, NEVER assume that you can write a function better than PHP's native functions, e.g. I see people make anti-MySQL-injection functions that implement htmlspecialchars and addslashes etc. The mysql_real_escape_string function is the standard way to prevent SQL injection, so drop all that 'I can code a function' crap, it's lame. Reasons why you can't create a better function? PHP is community-driven software, and thereby you can bet your bottom dollar the functions are tested over and over and over and over again, on different OSes, server APIs, conditions, encodings etc. Now I'm not saying the mres (mysql_real_escape_string) function is fail-safe. But it's your best bet, believe that.

    #2
    Unless you're using it before your database connection, then it's got to be addslashes :P (quick fixes)



      #3
      Now usually, if you're someone like me, you won't settle for just mres because, just like with other functions, there are always issues when it boils down to character-encoded attacks. Now a chain is only as strong as its weakest link. To really safeguard against SQL injections, you must learn these rules.
      1. Every string of data YOU DID NOT CREATE is a potential danger.
      2. Everybody can attempt to inject you, this is the internet FFS.
      3. Never try to bend rules for your users. A 30-character username slot must be limited to 30 chars client-side (use the form's maxlength attribute), also 30 chars server-side (using strlen + trim, and throwing errors when exceeded) and finally 30 chars max in the DB.
      4. When creating tables, make sure you use the right column type. Use INT for numbers and booleans, VARCHAR for strings, BLOB for images etc.
      5. Type cast your damn variables. Example:
      PHP Code:
      // Less secure: the raw request value is interpolated straight into the SQL
      $who = $_GET['id'];
      $db = "SELECT *...WHERE id='$who'";

      // Even better
      function __($str, $htmlenc = FALSE)
      {
          // Sanitize the string
          // It's recommended you get a good library
          // for this, e.g. htmlpurifier
          $str = ($htmlenc) ? htmlspecialchars($str, ENT_QUOTES) : $str;
          return mysql_real_escape_string($str);
      }

      // The cast guarantees an integer reaches the query, whatever was in the request
      $who = (int) __($_GET['id']);
      Now you're probably wondering what (int) does; well, that's short for integer. PHP sees that and makes sure only a valid integer comes out of it. If you pass '?id=a' as the GET value, in the first code it really searches the database to match an id 'a', but in the second, since 'a' isn't a freaking integer, it replaces 'a' with 0. I don't know about you, but it's pretty hard writing injection code that's just numbers.

      Added after 21 minutes:

      Using str_replace to remove select, update, delete is plain hilarious, I mean, are you serious o.O
      For Pete's sake, to PHP, select = sel/**/ect, so tell me, what good is that? When you str_replace, there are a million ways to beat it, so don't bother blacklisting lol.
      PHP Code:
      /**
       * Sanitizes a string (or an array of strings) to avoid mysql injection
       *
       * @param string|array $str     value(s) to sanitize
       * @param boolean      $htmlenc use htmlspecialchars or not
       * @return string|array|null sanitized value(s), null when nothing was given
       */
      function __($str = null, $htmlenc = false)
      {
          // Nothing to sanitize? (a plain empty() check would also swallow the legitimate value "0")
          if ($str === null || $str === '' || $str === array()) return null;

          // Normal string?
          if ( ! is_array($str)) {
              // Cast the value, not the flag: (string) binds tighter than the ternary
              $str = ($htmlenc) ? htmlspecialchars((string) $str, ENT_QUOTES) : (string) $str;
              return mysql_real_escape_string($str);
          }

          // Array of values yay!
          else {
              if ($htmlenc) {
                  // Same ENT_QUOTES flag as the string branch, so quotes are encoded either way
                  $str = array_map(function ($v) { return htmlspecialchars($v, ENT_QUOTES); }, $str);
              }
              return array_map('mysql_real_escape_string', $str);
          }
      }

      Added after 4 minutes:

      You can add more functions to that function. Usage example:
      PHP Code:
      $_POST = __($_POST, true);
      // Returns an array

      $who = __($_GET['id']);
      // Returns a string
      Last edited by CreativityKills; 21.08.10, 22:45.
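      As an added example, written for this page and not code from the thread or its author, the following PHP script runs the post's points end to end: the nested-keyword trick that defeats a one-pass str_replace blacklist, the (int) cast from rule 5 applied to a real payload, the strlen + trim length check from rule 3, and the interpolated query from the "less secure" snippet next to a prepared statement. It assumes the PHP CLI with the pdo_sqlite extension; the in-memory SQLite table, its columns and the two sample rows are constructed here and stand in for MySQL. mysql_real_escape_string itself is not called because it needs a live MySQL connection and the whole ext/mysql family was removed in PHP 7, so the query side uses PDO instead.

```php
<?php
// Added example, not code from the thread. Assumes PHP CLI + pdo_sqlite.
// Table "users", its columns and the sample rows are constructed for the demo.

// Rule 3: enforce the length server-side and reject, never silently truncate.
function validateUsername($raw, $max = 30)
{
    $name = trim((string) $raw);
    if ($name === '' || strlen($name) > $max) {
        throw new InvalidArgumentException("username must be 1-$max bytes");
    }
    return $name;
}

// Rule 5: after the cast nothing but an integer can reach the query.
function castId($raw)
{
    return (int) $raw;
}

// The str_replace blacklist the post laughs at. One removal pass can be
// undone by nesting the keyword inside itself: "SELselectECT" -> "SELECT".
// Being case-sensitive, it also lets an upper-case "SELECT" straight through.
function blacklist($input)
{
    return str_replace(array('select', 'update', 'delete'), '', $input);
}

// Constructed stand-in for the MySQL table (SQLite in memory).
function buildDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name VARCHAR(30))');
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");
    return $db;
}

// The "less secure" shape from the post: the value is pasted into the SQL text,
// so a quote in the payload closes the literal and the rest becomes SQL.
function countInterpolated(PDO $db, $who)
{
    $rows = $db->query("SELECT id, name FROM users WHERE id='$who'")
               ->fetchAll(PDO::FETCH_ASSOC);
    return count($rows);
}

// Prepared statement: the value is sent as data and never parsed as SQL.
function countPrepared(PDO $db, $who)
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute(array(':id' => $who));
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

$db = buildDb();
$payload = "1' OR '1'='1";   // constructed injection payload for the id parameter

echo "blacklist('SELselectECT') -> ", blacklist('SELselectECT'), "\n";

echo "rows with raw payload interpolated:  ", countInterpolated($db, $payload), "\n";
echo "castId(payload) -> ", castId($payload), ", castId('a') -> ", castId('a'), "\n";
echo "rows with (int) cast interpolated:   ", countInterpolated($db, castId($payload)), "\n";
echo "rows with payload bound as data:     ", countPrepared($db, $payload), "\n";

try {
    validateUsername(str_repeat('a', 31));
} catch (InvalidArgumentException $e) {
    echo "length check: ", $e->getMessage(), "\n";
}
```

      Run it with `php demo.php` (any file name). The three row counts make the post's point concrete: the raw payload interpolated into the query returns every user, the cast reduces the same payload to the integer 1 and returns one row, and the bound parameter matches nothing because the database compares the whole string as a value. The cast only works for columns that really are numeric (rule 4); for the VARCHAR columns the post escapes with mres, the prepared statement is the equivalent of "never build SQL out of strings you did not create".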
