Security Basics mailing list archives
Re: PHP filter function against SQL injections
From: Kellox <kellox () my-mail ch>
Date: Thu, 08 Feb 2007 13:31:08 +0100
Hi

Thanks for your information so far.

Jeffrey Rivero wrote:
> how about something like
> " or 1 = 1"
> ??

Single and double quotes will be escaped by the function call mysql_escape_string().

jeff () downtowndevelopmentplan com wrote:
> Don't forget that the best way to sanitize incoming data is to only allow
> known-good input. Attempting to filter against a list of bad characters has
> historically proven itself futile. Rewrite your function to only allow the
> characters that your application expects.
>
> -Jeff

Actually I always use your recommended whitelist approach, but since this filter function is part of a review I'm doing at the moment, I was asking the question about a possible SQL injection attack.

Pete Pinter wrote:
> Won't hex encoded strings get through? You might want to check out this
> link:
>
> http://www.securityfocus.com/infocus/1768
>
> Cheers,
> /p2

As I can see, hex-encoded strings will also be filtered by the function mysql_escape_string(). For example, %27 will be converted into the ASCII character ' and then it will be escaped by \, resulting in \'. So hex-encoded strings can't bypass this filter, can they?

Greetings

Koen Bossaert wrote:
> You probably also don't want * and %. You can also make use of prepared
> statements or stored procedures against SQL Injection.
>
> Regards,
> Koen
>
> On 2/7/07, Kellox <kellox () mymail ch> wrote:
> > hi everyone!
> >
> > i was just wondering if this filter function written in php is safe against
> > sql injections:
> >
> >     function filter($string) {
> >         $replace = "";
> >         $search = array(">", "<", "|", ";");
> >         $result = mysql_escape_string(str_replace($search, $replace, $string));
> >         return $result;
> >     }
> >
> > or could anyone imagine an sql injection attack which bypasses this filter
> > function?
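The filter from the original question, run over the cases raised in this thread (Jeffrey's quote attack, Pete's encoded quote, Koen's wildcards) and set beside the prepared-statement alternative Koen mentions, as an added example that is not part of the thread or anyone's posted code. Assumptions: mysql_escape_string() no longer exists in PHP 7+, so mysql_style_escape() is a stand-in that reproduces the characters it escaped; the users table and the probe strings are constructed for the demo; PDO with the in-memory SQLite driver is assumed to be available (the binding calls are the same with the MySQL driver).

```php
<?php
// Added example, not code from the thread. mysql_escape_string() was removed
// in PHP 7, so mysql_style_escape() below is an assumed stand-in that
// reproduces the set it escaped: NUL, \n, \r, backslash, ', " and \x1a.
function mysql_style_escape(string $s): string
{
    return strtr($s, [
        "\x00" => "\\0", "\n" => "\\n", "\r" => "\\r", "\\" => "\\\\",
        "'" => "\\'", "\"" => "\\\"", "\x1a" => "\\Z",
    ]);
}

// The filter under review, unchanged apart from the stand-in escaper.
function filter(string $string): string
{
    $search = [">", "<", "|", ";"];
    return mysql_style_escape(str_replace($search, "", $string));
}

// Constructed probe inputs, one per point raised in the thread.
$probes = [
    'double-quote (Jeffrey)'   => '" or 1 = 1',
    'single-quote variant'     => "' or '1'='1",
    'URL-encoded quote (Pete)' => '%27 or 1=1',   // raw form; PHP has already decoded %27 to ' in $_GET
    'LIKE wildcard (Koen)'     => '%admin%',
    'bare integer context'     => '1 OR 1=1',
];

echo "--- what filter() does to each probe ---\n";
foreach ($probes as $label => $raw) {
    printf("%-26s %-16s -> %s\n", $label, var_export($raw, true), var_export(filter($raw), true));
}

// Dynamic SQL in the string context the filter is written for, and in an
// unquoted integer context where there is no quote to escape. Printed, not
// executed: backslash escaping is MySQL syntax, SQLite reads it literally.
echo "\n--- SQL built from filtered values ---\n";
$name = filter('" or 1 = 1');
echo "SELECT * FROM users WHERE name = \"$name\"\n";
$id = filter('1 OR 1=1');
echo "SELECT * FROM users WHERE id = $id\n";

// Koen's alternative: prepared statements. Bound values travel as data, so no
// escaping or blacklist is involved. An in-memory SQLite database via PDO is
// assumed available; the binding calls are identical with the MySQL driver.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('admin')");

echo "\n--- same probes through prepared statements ---\n";
$byName = $db->prepare("SELECT name FROM users WHERE name = :name");
foreach (['admin', '" or 1 = 1', "' or '1'='1"] as $raw) {
    $byName->execute([':name' => $raw]);
    printf("name = %-16s -> %d row(s)\n", var_export($raw, true), count($byName->fetchAll()));
}

// Binding does not change what LIKE does with % and _: a wildcard stays a
// wildcard, which is the point behind Koen's remark. Escape or whitelist them.
$like = $db->prepare("SELECT name FROM users WHERE name LIKE :pattern ESCAPE '\\'");
foreach (['admin', '%admin%', '%', addcslashes('%admin%', '%_\\')] as $pattern) {
    $like->execute([':pattern' => $pattern]);
    printf("LIKE %-18s -> %d row(s)\n", var_export($pattern, true), count($like->fetchAll()));
}

// Integer context: validate the type first (jeff's whitelist), then bind as int.
$byId = $db->prepare("SELECT name FROM users WHERE id = :id");
foreach (['1', '1 OR 1=1'] as $raw) {
    if (!ctype_digit($raw)) {
        printf("id = %-16s -> rejected, not an integer\n", var_export($raw, true));
        continue;
    }
    $byId->bindValue(':id', (int) $raw, PDO::PARAM_INT);
    $byId->execute();
    printf("id = %-16s -> %d row(s)\n", var_export($raw, true), count($byId->fetchAll()));
}
```

Run it with `php filter_demo.php`. The first section shows that the filter only changes inputs containing a quote, backslash or one of the four blacklisted characters; `%`, `*` and a bare `1 OR 1=1` pass through untouched, which is why the escaping only helps where the value is placed inside a quoted SQL string literal. The prepared-statement section needs no filter at all for the equality queries, but the LIKE queries show that `%` bound as a parameter still acts as a wildcard (`'%'` matches every row) until it is escaped with `addcslashes()` and an `ESCAPE` clause or rejected by a whitelist, and the integer lookup shows the whitelist check jeff recommends sitting in front of a typed bind.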
Current thread:
- PHP filter function against SQL injections Kellox (Feb 07)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 07)
- Re: PHP filter function against SQL injections jeff (Feb 07)
- Re: PHP filter function against SQL injections Koen Bossaert (Feb 08)
- Re: PHP filter function against SQL injections Kellox (Feb 08)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 08)
- Re: PHP filter function against SQL injections Terra Frost (Feb 09)
- Message not available
- Re: PHP filter function against SQL injections Terra Frost (Feb 12)
- Re: PHP filter function against SQL injections Kellox (Feb 08)
- Re: PHP filter function against SQL injections Kellox (Feb 09)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 09)
- Re: PHP filter function against SQL injections Nic Stevens (Feb 12)
- <Possible follow-ups>
- FW: PHP filter function against SQL injections kevin fielder (Feb 08)
- Re: PHP filter function against SQL injections Henry Troup (Feb 12)
- Re: PHP filter function against SQL injections Henry Troup (Feb 13)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 14)