Security Basics mailing list archives
FW: PHP filter function against SQL injections
From: "kevin fielder" <kevin.fielder () gmail com>
Date: Thu, 8 Feb 2007 18:42:34 +0000
Hi

Agree completely with the below - it's generally a better practice to allow a specific data set rather than attempt to block specific undesirable characters. Also, I'm not 100% up on php, but it is sometimes possible to do things like using unicode to replace special characters when attempting this type of attack. So while using code to restrict the allowed input characters is no bad thing, it should not be considered a silver bullet against this form of attack, and should be used in conjunction with secure coding practices, hardened databases, application rights on the database kept to a minimum, using stored procs etc etc.

Thanks

Kevin

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of jeff () downtowndevelopmentplan com
Sent: 07 February 2007 19:57
To: Kellox
Cc: security-basics () securityfocus com
Subject: Re: PHP filter function against SQL injections

On Wed, Feb 07, 2007 at 05:54:52PM +0100, Kellox wrote:
> I was just wondering if this filter function written in php is safe
> against sql injections:
>
>     function filter($string) {
>         $replace = "";
>         // characters to strip before escaping
>         $search  = array(">", "<", "|", ";");
>         $result  = mysql_escape_string(str_replace($search, $replace, $string));
>         return $result;
>     }
Don't forget that the best way to sanitize incoming data is to only allow known-good input. Attempting to filter against a list of bad characters has historically proven itself futile. Rewrite your function to only allow the characters that your application expects.

-Jeff
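As an added illustration of the advice in this thread (this is example code, not anything posted by Kellox, Jeff or Kevin): each field is checked against an allow-list of exactly the characters the application expects, and the query is then issued as a prepared statement so the database receives the values as data rather than as SQL text. Prepared statements are my choice of the "secure coding practices" Kevin refers to; the PDO connection, the `users` table and its columns, and the username/id formats are assumptions for this example.

```php
<?php
// Added example (not from the thread): allow-list validation of each input
// field, then a prepared statement. Table, column and format rules are assumed.

declare(strict_types=1);

/**
 * Accept a username only if it is 3-32 ASCII letters, digits or underscores.
 * Anything else is rejected, including characters the block-list
 * (">", "<", "|", ";") in the original filter would let through.
 */
function validate_username(string $input): ?string
{
    return preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $input) === 1 ? $input : null;
}

/**
 * Accept a numeric id only if it is a positive decimal integer of at most
 * ten digits. Returning an int means it can only ever be bound as a number.
 */
function validate_id(string $input): ?int
{
    if (preg_match('/\A[1-9][0-9]{0,9}\z/', $input) !== 1) {
        return null;
    }
    return (int) $input;
}

/**
 * Look up a user with a prepared statement. Placeholders are bound as data,
 * so the query text cannot be altered by the values. Input that fails the
 * allow-list is rejected outright rather than "cleaned".
 */
function find_user(PDO $db, string $rawUsername, string $rawId): ?array
{
    $username = validate_username($rawUsername);
    $id = validate_id($rawId);
    if ($username === null || $id === null) {
        return null;
    }

    $stmt = $db->prepare(
        'SELECT id, username FROM users WHERE id = :id AND username = :name'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':name', $username, PDO::PARAM_STR);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs showing the allow-list accepting only expected
// values; the second group would all pass the original block-list filter.
$samples = ['alice', 'bob_42', "o'brien", 'a b', 'x', str_repeat('a', 40)];
foreach ($samples as $s) {
    printf("%-40s => %s\n", var_export($s, true),
        validate_username($s) === null ? 'rejected' : 'accepted');
}

// Usage against a real database, assuming a configured PDO connection:
// $db = new PDO('mysql:host=localhost;dbname=app', $dbUser, $dbPass, [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // let the server do the binding
// ]);
// var_dump(find_user($db, $_GET['user'] ?? '', $_GET['id'] ?? ''));
```

Rejecting rather than rewriting bad input is deliberate: a function that strips or escapes characters has to anticipate every encoding the database might accept, while an allow-list only has to describe the small set of values the application actually uses. The prepared statement then covers whatever a validator was not written for, and a database account limited to the rights the application needs bounds the damage if both are wrong.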