Security Basics mailing list archives
Re: PHP filter function against SQL injections
From: jeffrey rivero <jeffr76 () yahoo com>
Date: Wed, 07 Feb 2007 15:15:00 -0500
also a union could be an issue depending on the location of the union, i.e.

$myval = $_POST['post'];
$sql  = 'select a, b, c';
$sql .= ' from table_1';
$sql .= ' where a = ' . filter($myval);

now if I entered this in the post var:

$myval = "1 union all select a,b,c from table_1";

what would happen :) our results would not be ideal :)

hope this helped

ps. you might also want to look at the XML I sent. This is the SQL injection project I created a while ago; it's by no means 100% but should get you to about 70% ish.
so here is how it works now:

formula:
D(WS)*[RW](WS)*D

where:
D  : delimiter
WS : white space
RW : reserved word

RW can be of two types:
Literal : a standard string like "SELECT" or "SELECT TOP"
Parameterized : a string that allows substitution, like "xp_*", which would find any string that starts with "xp_"

Note : the * can be anywhere in the parameterized string, like "SELECT*FROM"

and I load it from an XML file, something like:
<KeyWords>
<KeyWord Type="parameterized">SELECT*FROM</KeyWord>
<KeyWord Type="Literal">UNION</KeyWord>
<KeyWord Type="Literal">INSERT INTO</KeyWord>
<KeyWord Type="Literal">DROP DATABASE</KeyWord>
<KeyWord Type="Literal">DROP CUBE</KeyWord>
<KeyWord Type="Literal">DROP FUNCTION</KeyWord>
<KeyWord Type="Literal">DROP INDEX </KeyWord>
<KeyWord Type="Literal">DROP PROCEDURE</KeyWord>
<KeyWord Type="Literal">DROP TABLE</KeyWord>
<KeyWord Type="Literal">DROP TRIGGER</KeyWord>
<KeyWord Type="Literal">DROP VIEW</KeyWord>
<KeyWord Type="Literal">ALTER DATABASE</KeyWord>
<KeyWord Type="Literal">ALTER CUBE</KeyWord>
<KeyWord Type="Literal">ALTER FUNCTION</KeyWord>
<KeyWord Type="Literal">ALTER PROCEDURE</KeyWord>
<KeyWord Type="Literal">ALTER TABLE</KeyWord>
<KeyWord Type="Literal">ALTER TRIGGER</KeyWord>
<KeyWord Type="Literal">ALTER VIEW</KeyWord>
<KeyWord Type="Literal">CREATE DATABASE</KeyWord>
<KeyWord Type="Literal">CREATE CUBE</KeyWord>
<KeyWord Type="Literal">CREATE FUNCTION</KeyWord>
<KeyWord Type="Literal">CREATE INDEX </KeyWord>
<KeyWord Type="Literal">CREATE PROCEDURE</KeyWord>
<KeyWord Type="Literal">CREATE TABLE</KeyWord>
<KeyWord Type="Literal">CREATE TRIGGER</KeyWord>
<KeyWord Type="Literal">CREATE VIEW</KeyWord>
<KeyWord Type="Literal">SHUTDOWN</KeyWord>
<KeyWord Type="Literal">SELECT @@SERVERNAME</KeyWord>
<KeyWord Type="Literal">SELECT @@DATABASE</KeyWord>
<KeyWord Type="Literal">SELECT @@SERVICENAME</KeyWord>
<KeyWord Type="Literal">SELECT @@VERSION</KeyWord>
<KeyWord Type="Literal">ASCII</KeyWord>
<KeyWord Type="Literal">DUMP DATABASE</KeyWord>
<KeyWord Type="Literal">DUMP TRANSACTION</KeyWord>
<KeyWord Type="Literal">BACKUP DATABASE</KeyWord>
<KeyWord Type="Literal">BACKUP LOG</KeyWord>
<KeyWord Type="Literal">DTS</KeyWord>
<KeyWord Type="Literal">DBCC</KeyWord>
<KeyWord Type="Literal">QUOTENAME</KeyWord>
<KeyWord Type="Literal">CALL</KeyWord>
<KeyWord Type="Literal">TRUNCATE</KeyWord>
<KeyWord Type="Literal">CONNECT TO</KeyWord>
<KeyWord Type="Literal">CURRENT_USER</KeyWord>
<KeyWord Type="Literal">DB_ID</KeyWord>
<KeyWord Type="Literal">DB_NAME</KeyWord>
<KeyWord Type="Literal">DB_SETTIME</KeyWord>
<KeyWord Type="Literal">GRANT</KeyWord>
<KeyWord Type="Literal">DENY</KeyWord>
<KeyWord Type="Literal">KILL</KeyWord>
<KeyWord Type="Literal">PERMISSIONS</KeyWord>
<KeyWord Type="Literal">REVOKE</KeyWord>
<KeyWord Type="Literal">GET CONNECTION</KeyWord>
<KeyWord Type="Literal">HAS_DBACCESS</KeyWord>
<KeyWord Type="Literal">NO_LOG</KeyWord>
<KeyWord Type="Literal">NO_TRUNCATE</KeyWord>
<KeyWord Type="Literal">NO_WAIT</KeyWord>
<KeyWord Type="Literal">OFFLINE</KeyWord>
<KeyWord Type="Literal">ONLINE</KeyWord>
<KeyWord Type="Literal">HOST_NAME</KeyWord>
<KeyWord Type="Literal">PRINT</KeyWord>
<KeyWord Type="Literal">COMPUTE</KeyWord>
<KeyWord Type="Literal">PARTIAL</KeyWord>
<KeyWord Type="Literal">RESTORE</KeyWord>
<KeyWord Type="Literal">SETUSER</KeyWord>
<KeyWord Type="Literal">begin</KeyWord>
<KeyWord Type="Literal">end</KeyWord>
<KeyWord Type="Literal">declare</KeyWord>
<KeyWord Type="Literal">IS_SRVROLEMEMBER</KeyWord>
<KeyWord Type="Literal">IS_MEMBER</KeyWord>
<KeyWord Type="Literal">HAS_DBACCESS</KeyWord>
<KeyWord Type="Literal">SUSER_SID</KeyWord>
<KeyWord Type="Literal">SUSER_SNAME </KeyWord>
<KeyWord Type="Literal">USER_ID</KeyWord>
<KeyWord Type="Literal">sp_addlogin</KeyWord>
<KeyWord Type="Literal">sp_grantlogin</KeyWord>
<KeyWord Type="Literal">sp_password</KeyWord>
<KeyWord Type="Literal">sp_ActiveDirectory_Obj</KeyWord>
<KeyWord Type="Literal">raiserror</KeyWord>
<KeyWord Type="Literal">1=1</KeyWord>
<KeyWord Type="Literal">sp_makewebtask </KeyWord>
<KeyWord Type="Literal">NULL</KeyWord>
<KeyWord Type="Literal">OPENQUERY</KeyWord>
<KeyWord Type="Literal">OPENROWSET</KeyWord>
<KeyWord Type="Literal">Lock table</KeyWord>
<KeyWord Type="Literal">PARSENAME</KeyWord>
<KeyWord Type="parameterized">sp_*</KeyWord>
<KeyWord Type="parameterized">XP_*</KeyWord>
<KeyWord Type="parameterized">*_XP</KeyWord>
<KeyWord Type="parameterized">master..*</KeyWord>
<KeyWord Type="parameterized">master.system.*</KeyWord>
<KeyWord Type="parameterized">master.dbo.*</KeyWord>
<KeyWord Type="parameterized">CHAR(*)</KeyWord>
</KeyWords>
<WhiteSpaces>
<WhiteSpace>#13</WhiteSpace>
<WhiteSpace>#10</WhiteSpace>
<WhiteSpace>#20</WhiteSpace>
</WhiteSpaces>
<Delimiters>
<Deliminater>'</Deliminater>
<Deliminater>`</Deliminater>
<Deliminater>--</Deliminater>
<Deliminater>"</Deliminater>
<Deliminater>;</Deliminater>
<Deliminater>#13</Deliminater>
<Deliminater>#10</Deliminater>
</Delimiters>
Kellox wrote:
hi everyone!
I was just wondering if this filter function written in PHP is safe against
SQL injections:

function filter($string) {
    $replace = "";
    // characters dropped outright before escaping
    $search = array(">", "<", "|", ";");
    // mysql_escape_string backslash-escapes quotes, backslashes, NUL, CR and LF
    $result = mysql_escape_string( str_replace($search, $replace, $string));
    return $result;
}

or could anyone imagine an SQL injection attack which bypasses this filter
function?
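The union case from the top of the reply and Kellox's filter, worked through as an added example (not code from either poster): a Python stand-in for filter() and a constructed in-memory SQLite table_1 show that in the unquoted numeric comparison the filtered value still reaches the SQL parser, while binding it as a parameter keeps it as data.

```python
import sqlite3

def filter_value(string):
    """Python stand-in for the PHP filter() from the question: drop > < | ;
    then backslash-escape the way mysql_escape_string does (NUL, \\n, \\r,
    backslash, single and double quote)."""
    for ch in "><|;":
        string = string.replace(ch, "")
    escapes = {"\\": "\\\\", "'": "\\'", '"': '\\"',
               "\0": "\\0", "\n": "\\n", "\r": "\\r"}
    return "".join(escapes.get(c, c) for c in string)

def _demo_db():
    # Constructed in-memory table_1 with three rows (SQLite stands in for MySQL).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table_1 (a INTEGER, b TEXT, c TEXT)")
    conn.executemany("INSERT INTO table_1 VALUES (?, ?, ?)",
                     [(1, "one", "x"), (2, "two", "y"), (3, "three", "z")])
    return conn

def rows_with_concat(myval):
    """The query as built in the reply: the filtered value is spliced into an
    unquoted numeric comparison. Nothing the filter strips or escapes applies
    to a value that contains neither quotes nor the four dropped characters,
    so the whole string is parsed as SQL."""
    conn = _demo_db()
    sql = "SELECT a, b, c FROM table_1 WHERE a = " + filter_value(myval)
    return conn.execute(sql).fetchall()

def rows_with_param(myval):
    """Same query with a bound parameter: the value is compared as data and
    never reaches the SQL parser, whatever it contains."""
    conn = _demo_db()
    return conn.execute("SELECT a, b, c FROM table_1 WHERE a = ?",
                        (myval,)).fetchall()
```

rows_with_concat() returns four rows for the reply's union value (the one matching row plus the whole table), while rows_with_param() returns none for it and one row for a plain "1".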
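An added example, not jeffrey's own project code, that builds the D(WS)*[RW](WS)*D formula from a shortened copy of the XML in the reply: the root element, the reading of #13/#10/#20 as CR, LF and space, and case-insensitive keyword matching are assumptions made here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, shortened copy of the XML in the message, wrapped in a root
# element so it parses; tag names are kept exactly as they appear in the post.
CONFIG_XML = """<SqlCheck>
<KeyWords>
<KeyWord Type="parameterized">SELECT*FROM</KeyWord>
<KeyWord Type="Literal">UNION</KeyWord>
<KeyWord Type="Literal">DROP TABLE</KeyWord>
<KeyWord Type="parameterized">sp_*</KeyWord>
</KeyWords>
<WhiteSpaces><WhiteSpace>#13</WhiteSpace><WhiteSpace>#10</WhiteSpace><WhiteSpace>#20</WhiteSpace></WhiteSpaces>
<Delimiters><Deliminater>'</Deliminater><Deliminater>--</Deliminater><Deliminater>;</Deliminater>
<Deliminater>#13</Deliminater><Deliminater>#10</Deliminater></Delimiters>
</SqlCheck>"""

# Assumed reading of the post's #NN entries: carriage return, line feed, space.
CHAR_CODES = {"#13": "\r", "#10": "\n", "#20": " "}

def _decode(token):
    return re.escape(CHAR_CODES.get(token, token))

def build_matcher(xml_text):
    """Compile the post's formula D(WS)*[RW](WS)*D from the XML keyword list.
    Returns the compiled pattern and a map from regex group name to keyword."""
    root = ET.fromstring(xml_text)
    ws = [_decode(e.text.strip()) for e in root.iter("WhiteSpace")]
    delims = [_decode(e.text.strip()) for e in root.iter("Deliminater")]
    rules, alts = {}, []
    for i, kw in enumerate(root.iter("KeyWord")):
        text = kw.text.strip()
        if kw.get("Type") == "parameterized":
            # '*' is a wildcard and may sit anywhere in the keyword
            body = ".*?".join(re.escape(part) for part in text.split("*"))
        else:
            body = re.escape(text)
        rules["k%d" % i] = text
        alts.append("(?P<k%d>%s)" % (i, body))
    d = "(?:%s)" % "|".join(delims)
    w = "(?:%s)*" % "|".join(ws)
    # assumption: keywords match case-insensitively ("begin" and "UNION" both appear)
    return re.compile(d + w + "(?:" + "|".join(alts) + ")" + w + d, re.IGNORECASE), rules

PATTERN, RULES = build_matcher(CONFIG_XML)

def find_hits(value):
    """Return (rule keyword, matched text) for every rule that fires on value."""
    return [(RULES[m.lastgroup], m.group(m.lastgroup)) for m in PATTERN.finditer(value)]
```

Because the formula requires a delimiter on both sides of the keyword, find_hits() returns nothing for the reply's own space-separated union value; it only fires when the keyword is bracketed by the configured delimiters, which is one reason the author rates it at about 70%.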
