Security Basics mailing list archives

Re: PHP filter function against SQL injections


From: Kellox <kellox () my-mail ch>
Date: Thu, 08 Feb 2007 13:31:08 +0100

Hi

Thx for your information so far.

Jeffrey Rivero wrote:
> how about something like
> " or 1 = 1"
> ??

Single and double-quotes will be escaped by the function call mysql_escape_string().


jeff () downtowndevelopmentplan com wrote:
> Don't forget that the best way to sanitize incoming data is to only allow
> known-good input. Attempting to filter against a list of bad characters has
> historically proven itself futile. Rewrite your function to only allow the
> characters that your application expects.
>
> -Jeff

Actually I always use your recommended whitelist approach, but since this filter function is part of a review I'm doing at the moment, I was asking the question about a possible SQL injection attack.


Pete Pinter wrote:
> Won't hex encoded strings get through? You might want to check out this
> link:
>
> http://www.securityfocus.com/infocus/1768
>
> Cheers,
> /p2

As I can see, hex-encoded strings will also be filtered by the function mysql_escape_string(). For example %27 will be converted into the ASCII character ' and then it will be escaped by \, resulting in \'. So hex-encoded strings can't bypass this filter, can they?

Greetings


Koen Bossaert wrote:
You probably also don't want * and %.
You can also make use of prepared statements or stored procedures
against SQL Injection.

Regards,
Koen

On 2/7/07, Kellox <kellox () mymail ch> wrote:
hi everyone!

i was just wondering if this filter function written in php is safe against
sql injections:

function filter($string) {
    // strip a short blacklist of characters, then let mysql_escape_string()
    // escape quotes, backslashes, NUL bytes and line breaks
    $replace = "";
    $search = array(">", "<", "|", ";");
    $result = mysql_escape_string(str_replace($search, $replace, $string));
    return $result;
}

or could anyone imagine an sql injection attack which bypasses this filter
function?
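The allowlist-plus-prepared-statement approach that Jeff and Koen recommend, written out as an added example (not code from anyone in this thread); the users table, its columns and the in-memory SQLite database are assumptions so that the script runs on its own:

```php
<?php
// Added example, not code from the thread: allowlist validation combined with a
// PDO prepared statement. The users table, its columns and the SQLite
// in-memory database are assumptions made so the script runs stand-alone.

// Allowlist: accept only what the application expects and reject the rest.
// A username here is 3..32 characters from [A-Za-z0-9_.]; quotes, spaces,
// comment markers and every other character fail the check.
function validateUsername(string $input): ?string
{
    return preg_match('/^[A-Za-z0-9_.]{3,32}$/', $input) === 1 ? $input : null;
}

// Lookup with a bound parameter: the value travels as data, never as part of
// the SQL text, so no escaping is needed and the quoting context is irrelevant.
function findUserByName(PDO $db, string $username): ?array
{
    $name = validateUsername($username);
    if ($name === null) {
        return null; // reject outright instead of trying to "clean" the input
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture so the example is self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('kellox'), ('koen')");

var_dump(findUserByName($db, 'kellox'));       // passes the allowlist, bound lookup runs
var_dump(findUserByName($db, '" or 1 = 1'));   // Jeffrey's input: rejected before any SQL runs
var_dump(findUserByName($db, 'nobody'));       // passes the allowlist, no matching row
```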