Security Basics mailing list archives
Re: PHP filter function against SQL injections
From: jeffrey rivero <jeffr76 () yahoo com>
Date: Wed, 07 Feb 2007 15:15:00 -0500
Also, a UNION could be an issue depending on the location of the union, i.e.:

    $myval = $_POST['post'];
    $sql  = 'select a, b, c ';
    $sql .= 'from table_1 ';
    $sql .= 'where a = ' . filter($myval);

Now if I entered this in the POST var:

    $myval = "1 union all select a,b,c from table_1";

what would happen? :) Our results would not be ideal :)

Hope this helped.

PS: you might also want to look at the XML I sent. This is the SQL injection project I created a while ago; it's by no means 100%, but should get you to about 70% ish.
So the formula is now:

    D(WS)*[RW](WS)*D

Where:

    D  : delimiter
    WS : white space
    RW : reserved word

RW can be of two types:

    Literal       : a standard string like "SELECT" or "SELECT TOP"
    parameterized : a string that allows substitution, like "xp_*", which would
                    find any string that starts with "xp_"

Note: the * can be anywhere in the parameterized string, like "SELECT*FROM".

I load it with an XML file, something like:

    <KeyWords>
      <KeyWord Type="parameterized">SELECT*FROM</KeyWord>
      <KeyWord Type="Literal">UNION</KeyWord>
      <KeyWord Type="Literal">INSERT INTO</KeyWord>
      <KeyWord Type="Literal">DROP DATABASE</KeyWord>
      <KeyWord Type="Literal">DROP CUBE</KeyWord>
      <KeyWord Type="Literal">DROP FUNCTION</KeyWord>
      <KeyWord Type="Literal">DROP INDEX</KeyWord>
      <KeyWord Type="Literal">DROP PROCEDURE</KeyWord>
      <KeyWord Type="Literal">DROP TABLE</KeyWord>
      <KeyWord Type="Literal">DROP TRIGGER</KeyWord>
      <KeyWord Type="Literal">DROP VIEW</KeyWord>
      <KeyWord Type="Literal">ALTER DATABASE</KeyWord>
      <KeyWord Type="Literal">ALTER CUBE</KeyWord>
      <KeyWord Type="Literal">ALTER FUNCTION</KeyWord>
      <KeyWord Type="Literal">ALTER PROCEDURE</KeyWord>
      <KeyWord Type="Literal">ALTER TABLE</KeyWord>
      <KeyWord Type="Literal">ALTER TRIGGER</KeyWord>
      <KeyWord Type="Literal">ALTER VIEW</KeyWord>
      <KeyWord Type="Literal">CREATE DATABASE</KeyWord>
      <KeyWord Type="Literal">CREATE CUBE</KeyWord>
      <KeyWord Type="Literal">CREATE FUNCTION</KeyWord>
      <KeyWord Type="Literal">CREATE INDEX</KeyWord>
      <KeyWord Type="Literal">CREATE PROCEDURE</KeyWord>
      <KeyWord Type="Literal">CREATE TABLE</KeyWord>
      <KeyWord Type="Literal">CREATE TRIGGER</KeyWord>
      <KeyWord Type="Literal">CREATE VIEW</KeyWord>
      <KeyWord Type="Literal">SHUTDOWN</KeyWord>
      <KeyWord Type="Literal">SELECT @@SERVERNAME</KeyWord>
      <KeyWord Type="Literal">SELECT @@DATABASE</KeyWord>
      <KeyWord Type="Literal">SELECT @@SERVICENAME</KeyWord>
      <KeyWord Type="Literal">SELECT @@VERSION</KeyWord>
      <KeyWord Type="Literal">ASCII</KeyWord>
      <KeyWord Type="Literal">DUMP DATABASE</KeyWord>
      <KeyWord Type="Literal">DUMP TRANSACTION</KeyWord>
      <KeyWord Type="Literal">BACKUP DATABASE</KeyWord>
      <KeyWord Type="Literal">BACKUP LOG</KeyWord>
      <KeyWord Type="Literal">DTS</KeyWord>
      <KeyWord Type="Literal">DBCC</KeyWord>
      <KeyWord Type="Literal">QUOTENAME</KeyWord>
      <KeyWord Type="Literal">CALL</KeyWord>
      <KeyWord Type="Literal">TRUNCATE</KeyWord>
      <KeyWord Type="Literal">CONNECT TO</KeyWord>
      <KeyWord Type="Literal">CURRENT_USER</KeyWord>
      <KeyWord Type="Literal">DB_ID</KeyWord>
      <KeyWord Type="Literal">DB_NAME</KeyWord>
      <KeyWord Type="Literal">DB_SETTIME</KeyWord>
      <KeyWord Type="Literal">GRANT</KeyWord>
      <KeyWord Type="Literal">DENY</KeyWord>
      <KeyWord Type="Literal">KILL</KeyWord>
      <KeyWord Type="Literal">PERMISSIONS</KeyWord>
      <KeyWord Type="Literal">REVOKE</KeyWord>
      <KeyWord Type="Literal">GET CONNECTION</KeyWord>
      <KeyWord Type="Literal">HAS_DBACCESS</KeyWord>
      <KeyWord Type="Literal">NO_LOG</KeyWord>
      <KeyWord Type="Literal">NO_TRUNCATE</KeyWord>
      <KeyWord Type="Literal">NO_WAIT</KeyWord>
      <KeyWord Type="Literal">OFFLINE</KeyWord>
      <KeyWord Type="Literal">ONLINE</KeyWord>
      <KeyWord Type="Literal">HOST_NAME</KeyWord>
      <KeyWord Type="Literal">PRINT</KeyWord>
      <KeyWord Type="Literal">COMPUTE</KeyWord>
      <KeyWord Type="Literal">PARTIAL</KeyWord>
      <KeyWord Type="Literal">RESTORE</KeyWord>
      <KeyWord Type="Literal">SETUSER</KeyWord>
      <KeyWord Type="Literal">begin</KeyWord>
      <KeyWord Type="Literal">end</KeyWord>
      <KeyWord Type="Literal">declare</KeyWord>
      <KeyWord Type="Literal">IS_SRVROLEMEMBER</KeyWord>
      <KeyWord Type="Literal">IS_MEMBER</KeyWord>
      <KeyWord Type="Literal">HAS_DBACCESS</KeyWord>
      <KeyWord Type="Literal">SUSER_SID</KeyWord>
      <KeyWord Type="Literal">SUSER_SNAME</KeyWord>
      <KeyWord Type="Literal">USER_ID</KeyWord>
      <KeyWord Type="Literal">sp_addlogin</KeyWord>
      <KeyWord Type="Literal">sp_grantlogin</KeyWord>
      <KeyWord Type="Literal">sp_password</KeyWord>
      <KeyWord Type="Literal">sp_ActiveDirectory_Obj</KeyWord>
      <KeyWord Type="Literal">raiserror</KeyWord>
      <KeyWord Type="Literal">1=1</KeyWord>
      <KeyWord Type="Literal">sp_makewebtask</KeyWord>
      <KeyWord Type="Literal">NULL</KeyWord>
      <KeyWord Type="Literal">OPENQUERY</KeyWord>
      <KeyWord Type="Literal">OPENROWSET</KeyWord>
      <KeyWord Type="Literal">Lock table</KeyWord>
      <KeyWord Type="Literal">PARSENAME</KeyWord>
      <KeyWord Type="parameterized">sp_*</KeyWord>
      <KeyWord Type="parameterized">XP_*</KeyWord>
      <KeyWord Type="parameterized">*_XP</KeyWord>
      <KeyWord Type="parameterized">master..*</KeyWord>
      <KeyWord Type="parameterized">master.system.*</KeyWord>
      <KeyWord Type="parameterized">master.dbo.*</KeyWord>
      <KeyWord Type="parameterized">CHAR(*)</KeyWord>
    </KeyWords>
    <WhiteSpaces>
      <WhiteSpace>#13</WhiteSpace>
      <WhiteSpace>#10</WhiteSpace>
      <WhiteSpace>#20</WhiteSpace>
    </WhiteSpaces>
    <Delimiters>
      <Deliminater>'</Deliminater>
      <Deliminater>`</Deliminater>
      <Deliminater>--</Deliminater>
      <Deliminater>"</Deliminater>
      <Deliminater>;</Deliminater>
      <Deliminater>#13</Deliminater>
      <Deliminater>#10</Deliminater>
    </Delimiters>

Kellox wrote:
Hi everyone! I was just wondering if this filter function written in PHP is safe against SQL injections:

    function filter($string) {
        $replace = "";
        $search  = array(">", "<", "|", ";");
        $result  = mysql_escape_string(str_replace($search, $replace, $string));
        return $result;
    }

Or could anyone imagine an SQL injection attack which bypasses this filter function?
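As an added example, not code from either post and not jeffrey rivero's own project, the script below does two things. Part 1 builds a keyword-signature matcher from the D(WS)*[RW](WS)*D formula, reading a trimmed config in the same shape as the posted XML (the root element `SqlInjection`, the reading of `#20` as the space character, and the sample inputs are assumptions made here). Part 2 takes the numeric-context lookup from the reply (`where a = ` with no quotes, which is why escaping alone cannot help) and rewrites it with input validation plus a PDO prepared statement, against a constructed in-memory SQLite table.

```php
<?php
// Added example, not code from the post. Part 1 builds a keyword-signature matcher
// from the D(WS)*[RW](WS)*D formula and a config shaped like the posted XML;
// part 2 shows the numeric-context lookup from the post done with a prepared
// statement. Config, table and sample inputs below are constructed for this demo.

// Constructed, trimmed config. The post's XML has no single root; one is assumed.
$configXml = <<<'XML'
<SqlInjection>
  <KeyWords>
    <KeyWord Type="parameterized">SELECT*FROM</KeyWord>
    <KeyWord Type="Literal">UNION</KeyWord>
    <KeyWord Type="Literal">DROP TABLE</KeyWord>
    <KeyWord Type="Literal">SHUTDOWN</KeyWord>
    <KeyWord Type="Literal">1=1</KeyWord>
    <KeyWord Type="parameterized">xp_*</KeyWord>
    <KeyWord Type="parameterized">CHAR(*)</KeyWord>
  </KeyWords>
  <WhiteSpaces>
    <WhiteSpace>#13</WhiteSpace><WhiteSpace>#10</WhiteSpace><WhiteSpace>#20</WhiteSpace>
  </WhiteSpaces>
  <Delimiters>
    <Deliminater>'</Deliminater><Deliminater>`</Deliminater><Deliminater>--</Deliminater>
    <Deliminater>"</Deliminater><Deliminater>;</Deliminater>
    <Deliminater>#13</Deliminater><Deliminater>#10</Deliminater>
  </Delimiters>
</SqlInjection>
XML;

// "#NN" entries are character codes: #13 CR, #10 LF. #20 is assumed to mean the
// space character (0x20), since the whitespace list is plainly meant to include it.
function decodeToken(string $t): string {
    $codes = ['#13' => "\r", '#10' => "\n", '#20' => ' '];
    return $codes[$t] ?? $t;
}

// A literal keyword is quoted as-is; in a parameterized keyword every '*' becomes a
// lazy wildcard, so "SELECT*FROM" matches "select a,b,c from" and "xp_*" any xp_ name.
function keywordPattern(string $text, string $type): string {
    $text = trim($text);
    if (strcasecmp($type, 'parameterized') !== 0) {
        return preg_quote($text, '/');
    }
    return implode('.*?', array_map(fn($p) => preg_quote($p, '/'), explode('*', $text)));
}

// Build two regexes from the config: the strict D(WS)*RW(WS)*D form and a
// keyword-anywhere form (RW alone), so both can be compared on the same input.
function buildMatchers(string $xml): array {
    $cfg = new SimpleXMLElement($xml);
    $rw = $ws = $d = [];
    foreach ($cfg->KeyWords->KeyWord as $k) {
        $rw[] = keywordPattern((string)$k, (string)$k['Type']);
    }
    foreach ($cfg->WhiteSpaces->WhiteSpace as $w) {
        $ws[] = preg_quote(decodeToken((string)$w), '/');
    }
    foreach ($cfg->Delimiters->Deliminater as $x) {
        $d[] = preg_quote(decodeToken((string)$x), '/');
    }
    $rwAlt = '(?:' . implode('|', $rw) . ')';
    $wsAlt = '(?:' . implode('|', $ws) . ')*';
    $dAlt  = '(?:' . implode('|', $d) . ')';
    return [
        'strict'  => '/' . $dAlt . $wsAlt . $rwAlt . $wsAlt . $dAlt . '/is',
        'keyword' => '/' . $rwAlt . '/is',
    ];
}

$m = buildMatchers($configXml);
$samples = [                                   // constructed inputs
    "'; SHUTDOWN --",                          // delimiter-bounded: the strict form fires
    "1 union all select a,b,c from table_1",   // numeric-context payload from the post: no delimiter
    "O'Brien",                                 // ordinary data containing a quote
    "Please select a wine from the list",      // benign text that still trips SELECT*FROM
];
foreach ($samples as $s) {
    printf("%-45s strict=%d keyword=%d\n", json_encode($s),
        preg_match($m['strict'], $s), preg_match($m['keyword'], $s));
}

// Part 2: "where a = " . filter($myval) is a numeric context, so no quote is needed
// and escaping changes nothing. Validate the type, then bind the value as data.
function safeLookup(PDO $db, string $untrusted): array {
    $id = filter_var($untrusted, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];  // reject anything that is not an integer before it reaches SQL
    }
    $stmt = $db->prepare('SELECT a, b, c FROM table_1 WHERE a = :a');
    $stmt->bindValue(':a', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');  // in-memory SQLite so the demo runs offline
$db->exec('CREATE TABLE table_1 (a INTEGER, b TEXT, c TEXT)');
$db->exec("INSERT INTO table_1 VALUES (1, 'one', 'uno'), (2, 'two', 'dos')");
foreach (["1", "1 union all select a,b,c from table_1"] as $in) {
    printf("%-45s rows=%d\n", json_encode($in), count(safeLookup($db, $in)));
}
```

Run with `php` (the `pdo_sqlite` extension is needed for part 2). Part 1 shows the trade-off in the formula as written: the strict form requires a delimiter on both sides of the reserved word, so it fires on the `'; SHUTDOWN --` sample but not on the numeric-context union payload, which contains no delimiter at all; the keyword-anywhere form catches that payload but also flags ordinary English that happens to contain "select ... from". Part 2 is the fix that does not depend on a keyword list: the value is checked to be an integer and passed to the database as a bound parameter, so it is never parsed as SQL.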
Current thread:
- PHP filter function against SQL injections Kellox (Feb 07)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 07)
- Re: PHP filter function against SQL injections jeff (Feb 07)
- Re: PHP filter function against SQL injections Koen Bossaert (Feb 08)
- Re: PHP filter function against SQL injections Kellox (Feb 08)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 08)
- Re: PHP filter function against SQL injections Terra Frost (Feb 09)
- Message not available
- Re: PHP filter function against SQL injections Terra Frost (Feb 12)
- Re: PHP filter function against SQL injections Kellox (Feb 08)
- Re: PHP filter function against SQL injections Kellox (Feb 09)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 09)
- Re: PHP filter function against SQL injections Nic Stevens (Feb 12)
- <Possible follow-ups>
- FW: PHP filter function against SQL injections kevin fielder (Feb 08)