Security Basics mailing list archives
Re: PHP filter function against SQL injections
From: Nic Stevens <nic.stevens () gmail com>
Date: Sat, 10 Feb 2007 07:35:36 -0800
Although PHP is a typeless language it's possible to cast variables to ints or floats. If your form is sending integers cast them to integers. This should not, however, be the only line of defense. The form should validate it's own input via javascript. e.g., (if (form.field.value <= 0 || form.field.value >= arbitrary_limit) return false;)
If you're using strings you should also decode them from embedded url encoded data with urldecode() e.g., str = urldecode(str). This will convert embedded hexcoded characters.
I would suggest, though, using data filtering on the form using javascript as your first line of defense. If you're accepting a string, for example, only allow valid characters to be placed in the form field. (I don't know the event handler syntax off hand but I know it can be done)
Good luck, Nic jeffrey rivero wrote:
what if a must be an integer and not a string ? Kellox wrote:well, that does only work if the variable is not included between two single quotes.consider $sSql .= " where a = ". '$var';in your code snippet. if you would inject or 1=1 in this case, the string would bewhere a = 'or 1=1', which actually is a string but not a sql command. jeffrey rivero wrote:Hello Good Questions ok for the1.Single and double-quotes will be escaped by the function call mysql_escape_string(). yep but what i am passing does not have " or ' in them think more like or 1 = 1 and assume that your var is a numberso the injections would look like $sSql = "select a,b,c "; $sSql .= "from Table_1"; $sSql .= " where a = ".$var; now if $var was lets say "1 or 1 = 1" your resulting injection string would be select a,b,c from Table_1 where a = 1 or 1 = 1 which might now be what you want 2. union injection ?? 3. not sure will a post command still do a url encode ?? anyone ? Kellox wrote:Hi Thx for your information so far. Jeffrey Rivero wrote: > how about something like > " or 1 = 1" > ??Single and double-quotes will be escaped by the function call mysql_escape_string().jeff () downtowndevelopmentplan com wrote:> Don't forget that the best way to sanitize incoming data is to only allow > known-good input. Attempting to filter against a list of bad characters has > historically proven itself futile. Rewrite your function to only allow the> characters that your application expects. > > -JeffActually I always use your recommended whitelist approach. but since this filter function is part of a review I'm doing at the moment, I was asking the question about a possible SQL injection attack.Pete Pinter wrote:> Won't hex encoded strings get through? You might want to check out this> link: > > http://www.securityfocus.com/infocus/1768 > > Cheers, > /p2As I can see hexencoded strings will also be filtered by the function mysql_escape_string(). For example %27 will be converted into the ASCII-character ' and then it will be escaped by \ resulting it into \'. So hexencoded strings can't bypass this filter, can they?Greetings Koen Bossaert wrote:You probably also don't want * and %. You can also make use of prepared statements or stored procedures against SQL Injection. Regards, Koen On 2/7/07, Kellox <kellox () mymail ch> wrote:hi everyone!i was just wondering if this filter function written in php is safe againstsql injections: function filter($string) { $replace = ""; $search = array(">", "<", "|", ";");$result = mysql_escape_string( str_replace($search, $replace, $string));return $result; }or could anyone imagine an sql injection attack which bypasses this filterfunction?___________________________________________________________________________
Current thread:
- PHP filter function against SQL injections Kellox (Feb 07)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 07)
- Re: PHP filter function against SQL injections jeff (Feb 07)
- Re: PHP filter function against SQL injections Koen Bossaert (Feb 08)
- Re: PHP filter function against SQL injections Kellox (Feb 08)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 08)
- Re: PHP filter function against SQL injections Terra Frost (Feb 09)
- Message not available
- Re: PHP filter function against SQL injections Terra Frost (Feb 12)
- Re: PHP filter function against SQL injections Kellox (Feb 08)
- Re: PHP filter function against SQL injections Kellox (Feb 09)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 09)
- Re: PHP filter function against SQL injections Nic Stevens (Feb 12)
- <Possible follow-ups>
- FW: PHP filter function against SQL injections kevin fielder (Feb 08)
- Re: PHP filter function against SQL injections Henry Troup (Feb 12)
- Re: PHP filter function against SQL injections Henry Troup (Feb 13)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 14)
- RE: PHP filter function against SQL injections Dan Anderson (Feb 19)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 14)
- Re: Re: PHP filter function against SQL injections ianbow (Feb 14)