Re: PHP filter function against SQL injections

[jeffrey rivero <jeffr76 () yahoo com>]

what if a must be an integer and not a string ?

Kellox wrote:
> well, that does only work if the variable is not included between two 
> single quotes.
>
> consider
>
> $sSql .= " where a = ". '$var';
>
> in your code snippet. if you would inject or 1=1 in this case, the 
> string would be
>
> where a = 'or 1=1', which actually is a string but not a sql command.
>
> jeffrey rivero wrote:
> > Hello
> > Good Questions
> > ok for the
> > 1.Single and double-quotes will be escaped by the function call 
> > mysql_escape_string().
> >  yep but what i am passing does not have " or ' in them think more 
> > like or 1 = 1 and assume that your var is a number
> > so the injections would look like
> >
> > $sSql = "select a,b,c ";
> > $sSql .= "from Table_1";
> > $sSql .= " where a = ".$var;
> > now if $var was lets say "1 or 1 = 1"
> > your resulting injection string would be
> > select a,b,c from Table_1 where a = 1 or 1 = 1
> > which might now be what you want
> >
> > 2. union injection ??
> > 3. not sure will a post command still do a url encode ?? anyone ?
> >
> >
> > Kellox wrote:
> > > Hi
> > >
> > > Thx for your information so far.
> > >
> > > Jeffrey Rivero wrote:
> > >  > how about something like
> > >  > " or 1 = 1"
> > >  > ??
> > >
> > > Single and double-quotes will be escaped by the function call 
> > > mysql_escape_string().
> > >
> > >
> > > jeff () downtowndevelopmentplan com wrote:
> > >  > Don't forget that the best way to sanitize incoming data is to 
> > > only allow
> > >  > known-good input.  Attempting to filter against a list of bad 
> > > characters has
> > >  > historically proven itself futile.  Rewrite your function to only 
> > > allow the
> > >  > characters that your application expects.
> > >  >
> > >  > -Jeff
> > >
> > > Actually I always use your recommended whitelist approach. but since 
> > > this filter function is part of a review I'm doing at the moment, I 
> > > was asking the question about a possible SQL injection attack.
> > >
> > >
> > > Pete Pinter wrote:
> > >  > Won't hex encoded strings get through? You might want to check out 
> > > this
> > >  > link:
> > >  >
> > >  > http://www.securityfocus.com/infocus/1768
> > >  >
> > >  > Cheers,
> > >  > /p2
> > >
> > > As I can see hexencoded strings will also be filtered by the function 
> > > mysql_escape_string(). For example %27 will be converted into the 
> > > ASCII-character ' and then it will be escaped by \ resulting it into 
> > > \'. So hexencoded strings can't bypass this filter, can they?
> > >
> > > Greetings
> > >
> > >
> > > Koen Bossaert wrote:
> > > > You probably also don't want * and %.
> > > > You can also make use of prepared statements or stored procedures
> > > > against SQL Injection.
> > > >
> > > > Regards,
> > > > Koen
> > > >
> > > > On 2/7/07, Kellox <kellox () mymail ch> wrote:
> > > > > hi everyone!
> > > > >
> > > > > i was just wondering if this filter function written in php is safe 
> > > > > against
> > > > > sql injections:
> > > > >
> > > > > function filter($string) {
> > > > >   $replace = "";
> > > > >   $search = array(">", "<", "|", ";");
> > > > >   $result = mysql_escape_string( str_replace($search, $replace, 
> > > > > $string));
> > > > >   return $result;
> > > > > }
> > > > >
> > > > > or could anyone imagine an sql injection attack which bypasses this 
> > > > > filter
> > > > > function?
> > > > > ___________________________________________________________________________