Security Basics mailing list archives
Re: PHP filter function against SQL injections
From: jeffrey rivero <jeffr76 () yahoo com>
Date: Fri, 09 Feb 2007 09:19:37 -0500
what if a must be an integer and not a string ?

Kellox wrote:
> well, that does only work if the variable is not included between two
> single quotes. consider
>
>     $sSql .= " where a = ". '$var';
>
> in your code snippet. if you would inject or 1=1 in this case, the
> string would be
>
>     where a = 'or 1=1'
>
> which actually is a string but not a sql command.
>
> jeffrey rivero wrote:
> > Hello
> > Good Questions
> > ok for the
> >
> > 1. Single and double-quotes will be escaped by the function call
> > mysql_escape_string().
> >
> > yep but what i am passing does not have " or ' in them. think more like
> > or 1 = 1 and assume that your var is a number, so the injections would
> > look like
> >
> >     $sSql = "select a,b,c ";
> >     $sSql .= "from Table_1";
> >     $sSql .= " where a = ".$var;
> >
> > now if $var was, lets say, "1 or 1 = 1" your resulting injection string
> > would be
> >
> >     select a,b,c from Table_1 where a = 1 or 1 = 1
> >
> > which might now be what you want
> >
> > 2. union injection ??
> >
> > 3. not sure. will a post command still do a url encode ?? anyone ?
> >
> > Kellox wrote:
> > > Hi
> > > Thx for your information so far.
> > >
> > > Jeffrey Rivero wrote:
> > > > how about something like
> > > > " or 1 = 1"
> > > > ??
> > >
> > > Single and double-quotes will be escaped by the function call
> > > mysql_escape_string().
> > >
> > > jeff () downtowndevelopmentplan com wrote:
> > > > Don't forget that the best way to sanitize incoming data is to only
> > > > allow known-good input. Attempting to filter against a list of bad
> > > > characters has historically proven itself futile. Rewrite your
> > > > function to only allow the characters that your application expects.
> > > >
> > > > -Jeff
> > >
> > > Actually I always use your recommended whitelist approach. but since
> > > this filter function is part of a review I'm doing at the moment, I was
> > > asking the question about a possible SQL injection attack.
> > >
> > > Pete Pinter wrote:
> > > > Won't hex encoded strings get through? You might want to check out
> > > > this link:
> > > >
> > > > http://www.securityfocus.com/infocus/1768
> > > >
> > > > Cheers,
> > > > /p2
> > >
> > > As I can see, hex-encoded strings will also be filtered by the function
> > > mysql_escape_string(). For example %27 will be converted into the
> > > ASCII character ' and then it will be escaped by \, resulting in \'.
> > > So hex-encoded strings can't bypass this filter, can they?
> > >
> > > Greetings
> > >
> > > Koen Bossaert wrote:
> > > > You probably also don't want * and %.
> > > > You can also make use of prepared statements or stored procedures
> > > > against SQL Injection.
> > > >
> > > > Regards,
> > > > Koen
> > > >
> > > > On 2/7/07, Kellox <kellox () mymail ch> wrote:
> > > > > hi everyone!
> > > > > i was just wondering if this filter function written in php is safe
> > > > > against sql injections:
> > > > >
> > > > >     function filter($string) {
> > > > >         $replace = "";
> > > > >         $search = array(">", "<", "|", ";");
> > > > >         $result = mysql_escape_string( str_replace($search, $replace, $string));
> > > > >         return $result;
> > > > >     }
> > > > >
> > > > > or could anyone imagine an sql injection attack which bypasses this
> > > > > filter function?
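The following is an added example, not code posted by anyone in this thread. It rebuilds the filter() under discussion and runs it through the three situations the thread raises: the quoted column, the unquoted integer column where "1 or 1 = 1" passes through untouched, and the URL-encoded %27 case, then shows the whitelist-plus-prepared-statement approach that jeff and Koen recommend. Assumptions: mysql_escape_string() no longer exists in PHP 7 and later, so a local legacy_escape() helper reproduces its escaping; Table_1, its rows and the in-memory SQLite database are constructed for the demo, and the PDO_SQLITE extension is assumed to be available.

```php
<?php
// Added example (not from the thread). legacy_escape() stands in for
// mysql_escape_string(), which was removed in PHP 7.0; it escapes the same
// set of characters: NUL, \n, \r, backslash, ', " and Ctrl-Z.
function legacy_escape(string $s): string {
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// The thread's filter(): drop > < | ; then escape quotes and backslashes.
function filter(string $string): string {
    $search = array(">", "<", "|", ";");
    return legacy_escape(str_replace($search, "", $string));
}

// Quoted context (Kellox's case): the escaped value stays inside the literal.
function quoted_query(string $var): string {
    return "select a,b,c from Table_1 where a = '" . filter($var) . "'";
}

// Unquoted numeric context (jeffrey's case): there is nothing for filter()
// to escape, so the caller's text is spliced into the statement as SQL.
function unquoted_query(string $var): string {
    return "select a,b,c from Table_1 where a = " . filter($var);
}

// Request parameters reach a PHP script already URL-decoded, so the %27 from
// the thread is a literal quote by the time filter() sees it.
function decoded_then_filtered(string $raw): string {
    return filter(urldecode($raw));
}

// Hardened lookup: whitelist the *type* (a must be an integer) before the
// value goes near SQL, then bind it as a parameter so the database never
// parses it as part of the statement text.
function safe_lookup(PDO $pdo, string $var): array {
    $id = filter_var($var, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException("a must be an integer, got: $var");
    }
    $stmt = $pdo->prepare("select a,b,c from Table_1 where a = :a");
    $stmt->bindValue(':a', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("create table Table_1 (a integer, b text, c text)");
$pdo->exec("insert into Table_1 values (1, 'row1', 'x'), (2, 'row2', 'y')");

$input = "1 or 1 = 1";   // the value discussed in the thread (constructed input)

echo quoted_query($input), "\n";    // where a = '1 or 1 = 1'  -> still one string literal
echo unquoted_query($input), "\n";  // where a = 1 or 1 = 1    -> filter() changed nothing

// The unquoted form matches every row, which is the risk jeffrey describes.
$rows = $pdo->query(unquoted_query($input))->fetchAll(PDO::FETCH_ASSOC);
echo "unquoted query returned ", count($rows), " rows\n";   // 2

// The %27 case: decoded to ' and then escaped, as Kellox describes.
echo decoded_then_filtered("%27"), "\n";   // \'

// The hardened path: a valid integer is looked up, anything else is refused.
echo "safe_lookup('1') returned ", count(safe_lookup($pdo, "1")), " row\n";   // 1
try {
    safe_lookup($pdo, $input);
} catch (InvalidArgumentException $e) {
    echo "safe_lookup rejected input: ", $e->getMessage(), "\n";
}
```

The point the demo makes is that filter() is an escaping function, and escaping only helps inside a quoted literal; for a numeric column the check has to be on the value's type (here FILTER_VALIDATE_INT) or, better, the value has to be bound as a parameter so the statement text never depends on it. The same applies to Koen's * and % characters: they matter only inside a LIKE pattern, and a bound parameter keeps them as data there too.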
Current thread:
- PHP filter function against SQL injections Kellox (Feb 07)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 07)
- Re: PHP filter function against SQL injections jeff (Feb 07)
- Re: PHP filter function against SQL injections Koen Bossaert (Feb 08)
- Re: PHP filter function against SQL injections Kellox (Feb 08)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 08)
- Re: PHP filter function against SQL injections Terra Frost (Feb 09)
- Message not available
- Re: PHP filter function against SQL injections Terra Frost (Feb 12)
- Re: PHP filter function against SQL injections Kellox (Feb 08)
- Re: PHP filter function against SQL injections Kellox (Feb 09)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 09)
- Re: PHP filter function against SQL injections Nic Stevens (Feb 12)
- <Possible follow-ups>
- FW: PHP filter function against SQL injections kevin fielder (Feb 08)
- Re: PHP filter function against SQL injections Henry Troup (Feb 12)
- Re: PHP filter function against SQL injections Henry Troup (Feb 13)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 14)
- RE: PHP filter function against SQL injections Dan Anderson (Feb 19)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 14)
- Re: Re: PHP filter function against SQL injections ianbow (Feb 14)