Re: PHP filter function against SQL injections
- From: Kellox <kellox@xxxxxxxxxx>
- Date: Fri, 09 Feb 2007 14:06:33 +0100
Well, that only works if the variable is not included between two single quotes.
Consider
$sSql .= " where a = '" . $var . "'";
in your code snippet. If you injected or 1=1 in this case, the string would be
where a = 'or 1=1', which is actually a string and not an SQL command.
jeffrey rivero wrote:
Hello
Good questions.
OK, for the
1. Single and double-quotes will be escaped by the function call mysql_escape_string().
Yep, but what I am passing does not have " or ' in it; think more like or 1 = 1 and assume that your var is a number.
So the injection would look like
$sSql = "select a,b,c ";
$sSql .= "from Table_1";
$sSql .= " where a = ".$var;
Now if $var was, let's say, "1 or 1 = 1",
your resulting injection string would be
select a,b,c from Table_1 where a = 1 or 1 = 1
which might not be what you want.
2. Union injection??
3. Not sure; will a POST command still do a URL encode?? Anyone?
Kellox wrote:
Hi
Thanks for your information so far.
Jeffrey Rivero wrote:
> how about something like
> " or 1 = 1"
> ??
Single and double-quotes will be escaped by the function call mysql_escape_string().
jeff@xxxxxxxxxxxxxxxxxxxxxxxxxxx wrote:
> Don't forget that the best way to sanitize incoming data is to only allow
> known-good input. Attempting to filter against a list of bad characters has
> historically proven itself futile. Rewrite your function to only allow the
> characters that your application expects.
>
> -Jeff
Actually, I always use your recommended whitelist approach, but since this filter function is part of a review I'm doing at the moment, I was asking the question about a possible SQL injection attack.
Pete Pinter wrote:
> Won't hex encoded strings get through? You might want to check out this
> link:
>
> http://www.securityfocus.com/infocus/1768
>
> Cheers,
> /p2
As far as I can see, hex-encoded strings will also be filtered by the function mysql_escape_string(). For example, %27 will be converted into the ASCII character ' and then escaped by \, resulting in \'. So hex-encoded strings can't bypass this filter, can they?
Greetings
Koen Bossaert wrote:
You probably also don't want * and %.
You can also make use of prepared statements or stored procedures
against SQL Injection.
Regards,
Koen
On 2/7/07, Kellox <kellox@xxxxxxxxx> wrote:
Hi everyone!
I was just wondering if this filter function written in PHP is safe against
SQL injections:
function filter($string) {
    $replace = "";
    // characters to strip from the input before escaping
    $search = array(">", "<", "|", ";");
    // strip them, then let mysql_escape_string() backslash-escape quotes, NUL, \n, \r, \ and ^Z
    $result = mysql_escape_string( str_replace($search, $replace, $string));
    return $result;
}
Or could anyone imagine an SQL injection attack which bypasses this filter
function?
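As an added example (not code from the thread), the following PHP script reproduces the unquoted numeric case Jeffrey describes against an in-memory SQLite database via PDO, with addslashes() standing in for mysql_escape_string() (removed in PHP 7), and then shows the two mitigations the thread mentions: Jeff's integer whitelist and Koen's prepared statement. Table and row contents are constructed.

```php
<?php
// Added example, not from the thread. SQLite in memory via PDO stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("create table Table_1 (a integer, b text, c text)");
$db->exec("insert into Table_1 values (1, 'b1', 'c1'), (2, 'b2', 'c2'), (3, 'b3', 'c3')");

// The filter from the original post. mysql_escape_string() no longer exists in
// PHP 7+, so addslashes() stands in: it backslash-escapes quotes the same way.
function filter($string) {
    $search = array(">", "<", "|", ";");
    return addslashes(str_replace($search, "", $string));
}

// Constructed input from the thread: it contains no quotes and none of the
// stripped characters, so filter() returns it unchanged and the unquoted
// numeric context lets it alter the WHERE clause.
$var = "1 or 1 = 1";
$sSql = "select a,b,c from Table_1 where a = " . filter($var);
$rows = $db->query($sSql)->fetchAll(PDO::FETCH_ASSOC);
printf("%s\n  -> %d row(s) instead of 1\n", $sSql, count($rows));

// Mitigation 1 (Jeff's whitelist): accept only what the application expects,
// here an integer; anything else is rejected before it reaches the query.
$id = filter_var($var, FILTER_VALIDATE_INT);
if ($id === false) {
    echo "whitelist: rejected input that is not an integer\n";
} else {
    $rows = $db->query("select a,b,c from Table_1 where a = " . $id)->fetchAll();
    printf("whitelist: %d row(s)\n", count($rows));
}

// Mitigation 2 (Koen's prepared statement): the value is bound as data and is
// never parsed as SQL, whatever characters it contains.
$stmt = $db->prepare("select a,b,c from Table_1 where a = :a");
$stmt->execute([':a' => $var]);
printf("prepared: %d row(s)\n", count($stmt->fetchAll(PDO::FETCH_ASSOC)));
```

Running it needs the pdo_sqlite extension; the concatenated query returns every row, the whitelist rejects the input, and the bound parameter matches nothing because it is compared as a value.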