PHP/MySQL injection

  • Willem-Jan

    PHP/MySQL injection

    Hi all,

    I'm a newbie in PHP and MySQL. I'm wondering if there is a standard
    combination of functions you should use on variables posted by a form
    before you add them to a database. Something like:

    $var = trim(addslashes($_POST['test']));

    Thanks,
    WJ
  • Tim Van Wassenhove

    #2
    Re: PHP/MySQL injection

    On 2005-07-25, Willem-Jan <wjzeeuwen@home.nl> wrote:
    > Hi all,
    >
    > I'm a newbie in PHP and MySQL. I'm wondering if there is a standard
    > combination of functions you should use on variables posted by a form
    > before you add them to a database. Something like:
    >
    > $var = trim(addslashes($_POST['test']));

    Usually it goes like:

    1-) Retrieve values from the $_POST array..

    $clean = array();

    // we are expecting foo to be an integer..
    // (only a plain decimal integer survives the intval/strval round-trip unchanged)
    if (isset($_POST['foo']) && $_POST['foo'] == strval(intval($_POST['foo'])))
    {
        $clean['foo'] = $_POST['foo'];
    }

    2-) Build your query...
    // appended to the query string being assembled; escape even a validated value
    $sql .= "foo='" . mysql_real_escape_string($clean['foo']) . "'";


    More info at http://www.php.net/mysql_real_escape_string
    You might want to consider a class to generate the SQL...
    You might want to consider a DBMS that supports prepared statements...



    --
    Kind regards,
    Tim Van Wassenhove <http://timvw.madoka.be>


    • jason.e.torres@gmail.com

      #3
      Re: PHP/MySQL injection

      That's a very good question and also a suggestion, Willem. Even me, I
      do look sometimes for that kind of function in my development. However,
      I do believe there's a reason why a built-in function like that doesn't
      exist. It's just to prevent a lockout to a certain function,
      considering not all requirements support that solution ("or
      you'll end up looking for a function that does this but does not do
      that"). However, creating a standard function for that based upon the
      foundation of YOUR requirement will help your project and projects to
      come.

      Here's a list of things to include in your function:

      checking the existence of the variable
      checking the variable type, e.g. is it numeric, a boolean value or
      a string?
      checking the length
      specifying the response URL if the conditions above were not
      satisfied
      then return the value of the requested parameter.

      Well, it's up to you what you're going to include in your function.
      Take some time to code it; you'll see the benefit (and the
      problems!) soon when you use it.

      Cheers!
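As an added example (not code from anyone in this thread), here is one way to build the function described above: it walks the checklist (existence, type, length, redirect on failure, return the value), reuses the intval/strval round-trip from post #2 for integers, and uses a letters-digits-hyphen pattern for the 'alnum' type. clean_param() and fail() are hypothetical names and the sample request is constructed.

```php
<?php
// Added example, not code from the thread. clean_param() validates one form
// field against a declared type and length and redirects on failure;
// the function names and the sample $_POST below are constructed.

function clean_param(array $src, string $name, string $type, int $maxLen, string $failUrl)
{
    // 1. existence (a PHP form field can also arrive as an array: foo[]=1)
    if (!isset($src[$name]) || !is_string($src[$name])) {
        fail($failUrl);
    }
    $value = $src[$name];
    // 2. length, checked in bytes before anything else looks at the value
    if (strlen($value) > $maxLen) {
        fail($failUrl);
    }
    // 3. type
    switch ($type) {
        case 'int':
            // only a plain decimal integer survives the cast unchanged (as in post #2)
            if ($value !== (string) (int) $value) {
                fail($failUrl);
            }
            return (int) $value;
        case 'alnum':
            if (!preg_match('/\A[0-9a-zA-Z-]*\z/', $value)) {
                fail($failUrl);
            }
            return $value;
        case 'string':
            // validated for presence and length only: still needs escaping
            // or a placeholder before it goes anywhere near SQL
            return $value;
        default:
            throw new InvalidArgumentException("unknown type: $type");
    }
}

// 4. the response URL for the failure case
function fail(string $url): void
{
    header('Location: ' . $url, true, 303);
    exit;
}

// Constructed sample request
$_POST = ['id' => '42', 'slug' => 'hello-world', 'name' => "O'Brien"];
$id   = clean_param($_POST, 'id',   'int',    10, '/form.php?err=1');
$slug = clean_param($_POST, 'slug', 'alnum',  64, '/form.php?err=1');
$name = clean_param($_POST, 'name', 'string', 64, '/form.php?err=1');
```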


      • Scott Auge

        #4
        Re: PHP/MySQL injection

        In article <dc3t0g$fa9$1@news2.zwoll1.ov.home.nl>,
        Willem-Jan <wjzeeuwen@home.nl> wrote:
        > Hi all,
        >
        > I'm a newbie in PHP and MySQL. I'm wondering if there is a standard
        > combination of functions you should use on variables posted by a form
        > before you add them to a database. Something like:
        >
        > $var = trim(addslashes($_POST['test']));
        >
        > Thanks,
        > WJ

        This is what I use:

        http://amduus.com/phpezine/archive/Issue2.pdf

        http://amduus.com/phpezine/archive/issue2.zip

        Feel free to use it. It also handles (hopefully) cross-site scripting (aka
        someone taps some javascript into the field for the next sucker to run).

        --
        Available for Hire! http://amduus.com/Resumes/


        • Colin McKinnon

          #5
          Re: PHP/MySQL injection

          Willem-Jan wrote:
          > Hi all,
          >
          > I'm a newbie in PHP and MySQL. I'm wondering if there is a standard
          > combination of functions you should use on variables posted by a form
          > before you add them to a database. Something like:
          >
          > $var = trim(addslashes($_POST['test']));
          >
          > Thanks,
          > WJ

          mysql_escape_string()

          C.


          • Peter Chant

            #6
            Re: PHP/MySQL injection

            Scott Auge wrote:
            > This is what I use:
            >
            > http://amduus.com/phpezine/archive/Issue2.pdf
            >
            > http://amduus.com/phpezine/archive/issue2.zip

            So, if I want to do something starting from scratch, and I strip out HTML tags,
            semi-colons and quotes, I am killing off a fair amount of vandalism. This
            would involve checking both form fields and stuff from the end of URLs (I
            can never remember the correct term for variables passed there).

            Not crucial, as my application is only used by myself and is not publicly
            accessible, but it would be nice to have a bit of a go.

            Suppose if I were expecting alphanumeric stuff (including hyphen), a regular
            expression on [0-9a-zA-Z-]* would not be a bad place to start.

            Pete


            • Andy Hassall

              #7
              Re: PHP/MySQL injection

              On Tue, 26 Jul 2005 09:22:31 +0100, Colin McKinnon
              <colin.deletethis@andthis.mms3.com> wrote:
              >Willem-Jan wrote:
              >> I'm a newbie in PHP and MySQL. I'm wondering if there is a standard
              >> combination of functions you should use on variables posted by a form
              >> before you add them to a database. Something like:
              >>
              >> $var = trim(addslashes($_POST['test']));
              >
              >mysql_escape_string()

              Yep, or use a library that emulates placeholders, despite MySQL (production
              versions, anyway) not supporting them natively - ADOdb is my favourite. The
              correct escaping is then done consistently by the library, saving you from
              introducing a problem the one time you forget to use mysql_escape_string().

              --
              Andy Hassall / <andy@andyh.co.uk> / <http://www.andyh.co.uk>
              <http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
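As an added example (not Andy's or ADOdb's code), here is the "let the library do the escaping" approach from this reply next to the hand-escaping approach from post #2, written against PDO, which ships with PHP today and uses MySQL's native prepared statements. The DSN, credentials, table name and the sample value are placeholders or constructed.

```php
<?php
// Added example, not code from the thread. Compares hand-escaping (post #2)
// with placeholders bound by the library (post #7) using PDO.
// DSN, credentials and the users table are placeholders.

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
                   'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
}

// The post #2 way: escape each value yourself, every single time.
// mysql_real_escape_string() was removed in PHP 7; PDO::quote() is the
// equivalent (and, like it, only works if you remember to call it).
function findByNameEscaped(PDO $pdo, string $name): array
{
    $sql = 'SELECT id, name FROM users WHERE name = ' . $pdo->quote($name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The post #7 way: the value never becomes part of the SQL text, so there is
// no "one time you forget". Type validation (post #2's integer check) still
// belongs in front of this; binding only guarantees a value stays a value.
function findByName(PDO $pdo, string $name, int $limit): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name LIMIT :lim');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT); // LIMIT needs a typed bind
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: a legitimate value that breaks naive string concatenation.
$pdo  = connect();
$name = "O'Brien";
$rows = findByName($pdo, $name, 10);       // matches the literal name only
$rows = findByNameEscaped($pdo, $name);    // also safe, because quote() was called
```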
