Re: PHP filter function against SQL injections


Although PHP is a typeless language it's possible to cast variables to ints or floats. If your form is sending integers cast them to integers. This should not, however, be the only line of defense. The form should validate it's own input via javascript. e.g.,
(if (form.field.value <= 0 || form.field.value >= arbitrary_limit) return false;)

If you're using strings you should also decode them from embedded url encoded data with urldecode() e.g., str = urldecode(str). This will convert embedded hexcoded characters.

I would suggest, though, using data filtering on the form using javascript as your first line of defense. If you're accepting a string, for example, only allow valid characters to be placed in the form field. (I don't know the event handler syntax off hand but I know it can be done)

Good luck,
Nic

jeffrey rivero wrote:
what if a must be an integer and not a string ?

Kellox wrote:
well, that does only work if the variable is not included between two single quotes.

consider

$sSql .= " where a = ". '$var';

in your code snippet. if you would inject or 1=1 in this case, the string would be

where a = 'or 1=1', which actually is a string but not a sql command.

jeffrey rivero wrote:
Hello
Good Questions
ok for the
1.Single and double-quotes will be escaped by the function call mysql_escape_string().
yep but what i am passing does not have " or ' in them think more like or 1 = 1 and assume that your var is a number
so the injections would look like

$sSql = "select a,b,c ";
$sSql .= "from Table_1";
$sSql .= " where a = ".$var;
now if $var was lets say "1 or 1 = 1"
your resulting injection string would be
select a,b,c from Table_1 where a = 1 or 1 = 1
which might now be what you want

2. union injection ??
3. not sure will a post command still do a url encode ?? anyone ?


Kellox wrote:
Hi

Thx for your information so far.

Jeffrey Rivero wrote:
> how about something like
> " or 1 = 1"
> ??

Single and double-quotes will be escaped by the function call mysql_escape_string().


jeff@xxxxxxxxxxxxxxxxxxxxxxxxxxx wrote:
> Don't forget that the best way to sanitize incoming data is to only allow
> known-good input. Attempting to filter against a list of bad characters has
> historically proven itself futile. Rewrite your function to only allow the
> characters that your application expects.
>
> -Jeff

Actually I always use your recommended whitelist approach. but since this filter function is part of a review I'm doing at the moment, I was asking the question about a possible SQL injection attack.


Pete Pinter wrote:
> Won't hex encoded strings get through? You might want to check out this
> link:
>
> http://www.securityfocus.com/infocus/1768
>
> Cheers,
> /p2

As I can see hexencoded strings will also be filtered by the function mysql_escape_string(). For example %27 will be converted into the ASCII-character ' and then it will be escaped by \ resulting it into \'. So hexencoded strings can't bypass this filter, can they?

Greetings


Koen Bossaert wrote:
You probably also don't want * and %.
You can also make use of prepared statements or stored procedures
against SQL Injection.

Regards,
Koen

On 2/7/07, Kellox <kellox@xxxxxxxxx> wrote:
hi everyone!

i was just wondering if this filter function written in php is safe against
sql injections:

function filter($string) {
$replace = "";
$search = array(">", "<", "|", ";");
$result = mysql_escape_string( str_replace($search, $replace, $string));
return $result;
}

or could anyone imagine an sql injection attack which bypasses this filter
function?
___________________________________________________________________________





Relevant Pages

  • Re: MSSQL LIKE and IN statements in ADO problem
    ... SQL statement. ... Thus producing a more general solution for SQL injection prone areas. ... Also, when it comes to filtering of hazardous characters, I think its ... better to allow only those characters one needs than to filter out SQL ...
    (comp.lang.python)
  • Re: How to filter a .csv file based on the integer value in one specific field (per record)
    ... I have a large .csv file full of text & numbers. ... I would like to 'filter' this file based on several 'keys', 2 text strings ... I can see a way of using grep to filter on the two strings, ...
    (comp.unix.shell)
  • Re: PHP filter function against SQL injections
    ... Single and double-quotes will be escaped by the function call mysql_escape_string. ... but since this filter function is part of a review I'm doing at the moment, I was asking the question about a possible SQL injection attack. ... As I can see hexencoded strings will also be filtered by the function mysql_escape_string. ...
    (Security-Basics)
  • Re: Displaying User-Supplied String
    ... Request.Form value was detected from the client ... Are you talking about SQL Injection i.e. the strings supplied by the ... Jesse Houwing ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: I dont uderstand ISA Logs
    ... IMO you can filter without too much of an issue. ... define specific strings and use those to indicate desired ... >> I don't understand how I can group the records in SQL to ... >> log files. ...
    (microsoft.public.isa)