Re: PHP filter function against SQL injections



what if a must be an integer and not a string ?

Kellox wrote:
well, that does only work if the variable is not included between two single quotes.

consider

$sSql .= " where a = ". '$var';

in your code snippet. if you would inject or 1=1 in this case, the string would be

where a = 'or 1=1', which actually is a string but not a sql command.

jeffrey rivero wrote:
Hello
Good Questions
ok for the
1.Single and double-quotes will be escaped by the function call mysql_escape_string().
yep but what i am passing does not have " or ' in them think more like or 1 = 1 and assume that your var is a number
so the injections would look like

$sSql = "select a,b,c ";
$sSql .= "from Table_1";
$sSql .= " where a = ".$var;
now if $var was lets say "1 or 1 = 1"
your resulting injection string would be
select a,b,c from Table_1 where a = 1 or 1 = 1
which might now be what you want

2. union injection ??
3. not sure will a post command still do a url encode ?? anyone ?


Kellox wrote:
Hi

Thx for your information so far.

Jeffrey Rivero wrote:
> how about something like
> " or 1 = 1"
> ??

Single and double-quotes will be escaped by the function call mysql_escape_string().


jeff@xxxxxxxxxxxxxxxxxxxxxxxxxxx wrote:
> Don't forget that the best way to sanitize incoming data is to only allow
> known-good input. Attempting to filter against a list of bad characters has
> historically proven itself futile. Rewrite your function to only allow the
> characters that your application expects.
>
> -Jeff

Actually I always use your recommended whitelist approach. but since this filter function is part of a review I'm doing at the moment, I was asking the question about a possible SQL injection attack.


Pete Pinter wrote:
> Won't hex encoded strings get through? You might want to check out this
> link:
>
> http://www.securityfocus.com/infocus/1768
>
> Cheers,
> /p2

As I can see hexencoded strings will also be filtered by the function mysql_escape_string(). For example %27 will be converted into the ASCII-character ' and then it will be escaped by \ resulting it into \'. So hexencoded strings can't bypass this filter, can they?

Greetings


Koen Bossaert wrote:
You probably also don't want * and %.
You can also make use of prepared statements or stored procedures
against SQL Injection.

Regards,
Koen

On 2/7/07, Kellox <kellox@xxxxxxxxx> wrote:
hi everyone!

i was just wondering if this filter function written in php is safe against
sql injections:

function filter($string) {
$replace = "";
$search = array(">", "<", "|", ";");
$result = mysql_escape_string( str_replace($search, $replace, $string));
return $result;
}

or could anyone imagine an sql injection attack which bypasses this filter
function?
___________________________________________________________________________






Relevant Pages

  • Re: PHP filter function against SQL injections
    ... which actually is a string but not a sql command. ... your resulting injection string would be ... but since this filter function is part of a review I'm doing at the moment, I was asking the question about a possible SQL injection attack. ...
    (Security-Basics)
  • [NT] Multiple .NET NULL Byte Injection Vulnerabilities (MS07-040)
    ... Get your security news from a reliable source. ... Multiple .NET NULL Byte Injection Vulnerabilities ... through String Termination vulnerabilities. ...
    (Securiteam)
  • Multiple .NET Null Byte Injection Vulnerabilities
    ... .NET namespace are vulnerable to Null byte injection attacks. ... Three of the discovered vulnerabilities allow strings to be ... arbitrary terminated through String Termination vulnerabilities. ... if a user supplies a recipient variable as ...
    (Bugtraq)
  • [Full-disclosure] Multiple .NET Null Byte Injection Vulnerabilities
    ... .NET namespace are vulnerable to Null byte injection attacks. ... Three of the discovered vulnerabilities allow strings to be ... arbitrary terminated through String Termination vulnerabilities. ... if a user supplies a recipient variable as ...
    (Full-Disclosure)
  • Re: how to protect web server against SQL Injection ?
    ... What happens if user try injection with escaped ... But just think about \' character. ... > Public Function SafeSqlLikeClauseLiteral(ByVal inputSQL As String) As ... >>> Use parametised queries and stored procedures. ...
    (microsoft.public.dotnet.framework.aspnet.security)