Security Basics mailing list archives

FW: PHP filter function against SQL injections


From: "kevin fielder" <kevin.fielder () gmail com>
Date: Thu, 8 Feb 2007 18:42:34 +0000

Hi

Agree completely with the below - it's generally a better practice to
allow a specific data set rather than attempt to block specific
undesirable characters.

Also, I'm not 100% up on php, but it is sometimes possible to do things
like using unicode to replace special characters when attempting this
type of attack.  So while using code to restrict the allowed input
characters is no bad thing it should not be considered a silver bullet
against this form of attack, and should be used in conjunction with
secure coding practices, hardened databases, application rights on the
database kept to a minimum, using stored procs etc etc.

Thanks

Kevin


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of jeff () downtowndevelopmentplan com
Sent: 07 February 2007 19:57
To: Kellox
Cc: security-basics () securityfocus com
Subject: Re: PHP filter function against SQL injections

On Wed, Feb 07, 2007 at 05:54:52PM +0100, Kellox wrote:

I was just wondering if this filter function written in PHP is safe
against SQL injections:

function filter($string) {
  // Strip a short list of "bad" characters, then escape the remainder
  // for MySQL before it is used in a query string.
  $replace = "";
  $search = array(">", "<", "|", ";");
  $result = mysql_escape_string(str_replace($search, $replace, $string));
  return $result;
}

Don't forget that the best way to sanitize incoming data is to only
allow known-good input.  Attempting to filter against a list of bad
characters has historically proven itself futile.  Rewrite your
function to only allow the characters that your application expects.

-Jeff
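An allow-list validator of the kind Jeff describes, paired with a prepared statement so that, as Kevin notes, input filtering is not the only line of defence. This is an added example, not code from the thread or its posters; it assumes PHP 7.1+ with PDO, an existing `$pdo` connection and a hypothetical `users(username, email)` table.

```php
<?php
// Added example (not from the thread): validate a username against an
// allow-list of expected characters, then query with a prepared statement.
// The thread's filter() removes > < | ; and escapes the rest; this instead
// rejects anything outside the expected set, so nothing needs "cleaning".

// Accept only 3-32 ASCII letters, digits or underscore. Multibyte
// look-alikes (e.g. a fullwidth '<') fall outside the set and are rejected
// rather than silently stripped.
function validate_username(string $input): ?string {
    if (preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $input) === 1) {
        return $input;
    }
    return null;   // caller should report a validation error to the user
}

// Even with validated input, do not build SQL by string concatenation:
// bind the value and let the driver handle quoting.
// Assumes a PDO connection and a table users(username, email).
function find_user(PDO $pdo, string $username): ?array {
    $name = validate_username($username);
    if ($name === null) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT username, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs; this part needs no database.
$samples = [
    'alice_01',          // accepted
    "alice' OR '1'='1",  // rejected: quote and spaces are not in the allow-list
    'alice OR 1=1',      // rejected here, yet contains none of > < | ; so the
                         // thread's filter() would pass it through unchanged
    "ali\u{FF1C}e",      // rejected: fullwidth '<' is outside the allow-list
];
foreach ($samples as $s) {
    $verdict = validate_username($s) !== null ? 'accept' : 'reject';
    echo str_pad($verdict, 8) . json_encode($s) . PHP_EOL;
}
```

The last sample is the kind of Unicode substitution Kevin mentions: a block-list that looks for the ASCII `<` never sees it, while the allow-list rejects it without needing to know about it.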

