Relatively simple PHP function to block sql injection

Relatively simple PHP function to block sql injection

on 05.08.2009 06:57:30 by Jacob Kruger

Haven't gotten around to really looking for this too much, and currently
really only replace any single 's with double ones before performing an
insert into MySQL, but was just wondering if there are any 'standard' PHP
functions out there that get used to block any form of attempted sql
injection?

TIA

Jacob Kruger
Blind Biker
Skype: BlindZA
'...fate had broken his body, but not his spirit...'


__________ Information from ESET NOD32 Antivirus, version of virus signature database 4306 (20090804) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com




--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Relatively simple PHP function to block sql injection

on 05.08.2009 07:37:12 by Niel Archer

> Haven't gotten around to really looking for this too much, and currently
> really only replace any single 's with double ones before performing an
> insert into MySQL, but was just wondering if there are any 'standard' PHP
> functions out there that get used to block any form of attempted sql
> injection?
>
> TIA

If you search the PHP Db list archives you'll find this question comes
up regularly, with the answers.

>
> Jacob Kruger
> Blind Biker
> Skype: BlindZA
> '...fate had broken his body, but not his spirit...'


--
Niel Archer




RE: Relatively simple PHP function to block sql injection

on 05.08.2009 07:40:36 by Louis Solomon

mysql_real_escape_string() / mysqli_real_escape_string()

Louis Solomon
www.SteelBytes.com

-----Original Message-----
From: Jacob Kruger [mailto:jacobk@mailzone.co.za]
Sent: Wednesday, 5 August 2009 2:58 PM
To: php-windows@lists.php.net
Subject: [PHP-WIN] Relatively simple PHP function to block sql injection

Haven't gotten around to really looking for this too much, and currently
really only replace any single 's with double ones before performing an
insert into MySQL, but was just wondering if there are any 'standard' PHP
functions out there that get used to block any form of attempted sql
injection?

TIA

Jacob Kruger
Blind Biker
Skype: BlindZA
'...fate had broken his body, but not his spirit...'

Re: Relatively simple PHP function to block sql injection

on 05.08.2009 15:21:50 by Jacob Kruger

Ok, now got this from w3schools.com:

function check_input($value)
{
    // Undo magic_quotes_gpc escaping so the value is not escaped twice
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // Quote if not a number: escape using the open MySQL connection's charset
    // and wrap in single quotes so the result can go straight into the SQL text
    if (!is_numeric($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

Will test it a bit, and see how it goes, but basically makes sense.

Stay well

Jacob Kruger
Blind Biker
Skype: BlindZA
'...fate had broken his body, but not his spirit...'

----- Original Message -----
From: "Louis Solomon"
To:
Sent: Wednesday, August 05, 2009 7:40 AM
Subject: RE: [PHP-WIN] Relatively simple PHP function to block sql injection


> mysql_real_escape_string() / mysqli_real_escape_string()
>
> Louis Solomon
> www.SteelBytes.com
>
> -----Original Message-----
> From: Jacob Kruger [mailto:jacobk@mailzone.co.za]
> Sent: Wednesday, 5 August 2009 2:58 PM
> To: php-windows@lists.php.net
> Subject: [PHP-WIN] Relatively simple PHP function to block sql injection
>
> Haven't gotten around to really looking for this too much, and currently
> really only replace any single 's with double ones before performing an
> insert into MySQL, but was just wondering if there are any 'standard' PHP
> functions out there that get used to block any form of attempted sql
> injection?
>
> TIA
>
> Jacob Kruger
> Blind Biker
> Skype: BlindZA
> '...fate had broken his body, but not his spirit...'






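The following is an added example, not code from the thread or from w3schools. It takes the escaping approach of check_input() and Louis's mysqli_real_escape_string() suggestion, rewrites it for mysqli without the magic-quotes assumption, and puts it next to the prepared-statement form, which goes beyond what the thread discusses. The table and column names, connection details and PHP 7+ syntax are assumptions.

```php
<?php
// Added example: escaping helper in the spirit of check_input(), for mysqli,
// beside an insert done with a prepared statement. Table/columns are assumed.

/**
 * Return a SQL literal for $value, ready to be concatenated into query text.
 * mysqli_real_escape_string() needs an open connection because escaping is
 * charset-dependent. Doubling single quotes by hand (the original approach
 * in the thread) is not enough: by default MySQL also treats the backslash
 * as an escape character, and a multibyte connection charset can contain
 * bytes that a plain string replacement does not account for.
 */
function sql_literal(mysqli $db, $value): string
{
    if ($value === null) {
        return 'NULL';
    }
    if (is_bool($value)) {
        return $value ? '1' : '0';
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;   // genuine PHP numbers need no quoting
    }
    // Everything else, including numeric-looking strings, is quoted.
    // Quoting strings unconditionally sidesteps the is_numeric() edge cases
    // (hex, exponent and whitespace-padded forms) of the original helper.
    return "'" . $db->real_escape_string((string) $value) . "'";
}

/** Insert using escaped literals: works, but every call site must remember to escape. */
function insert_user_escaped(mysqli $db, string $name, ?string $email, int $age): bool
{
    $sql = sprintf(
        'INSERT INTO users (name, email, age) VALUES (%s, %s, %s)',
        sql_literal($db, $name),
        sql_literal($db, $email),
        sql_literal($db, $age)
    );
    return $db->query($sql) === true;
}

/** Same insert with a prepared statement: the data never becomes part of the SQL text. */
function insert_user_prepared(mysqli $db, string $name, ?string $email, int $age): bool
{
    $stmt = $db->prepare('INSERT INTO users (name, email, age) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ssi', $name, $email, $age);   // s = string, i = integer; null binds as SQL NULL
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage (assumed connection details). Set the connection charset before escaping,
// otherwise real_escape_string() works with the wrong character set.
// $db = new mysqli('localhost', 'app_user', 'app_password', 'app');
// $db->set_charset('utf8mb4');
// insert_user_prepared($db, $_POST['name'], $_POST['email'] ?? null, (int) $_POST['age']);
```

The escaped form is only as safe as the discipline of quoting every string value at every call site; the prepared form makes that a property of the query rather than of the programmer, which is why it is the usual recommendation for new code.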

Re: Relatively simple PHP function to block sql injection

on 21.08.2009 16:42:32 by klaus triendl

"Jacob Kruger" wrote in message
news:000301ca15cf$b71e72c0$6401a8c0@spaceque1d2a04...
> Ok, now got this from w3schools.com:
>
> function check_input($value)
> {
> // Stripslashes
> if (get_magic_quotes_gpc())
> {
> $value = stripslashes($value);
> }
> // Quote if not a number
> if (!is_numeric($value))
> {
> $value = "'" . mysql_real_escape_string($value) . "'";
> }
> return $value;
> }
>
> Will test it a bit, and see how it goes, but basically makes sense.

A better name for this function would be e.g. ensure_escaped_string.

Additionally, the function assumes that you pass it an already quoted value
if get_magic_quotes_gpc() == true.
I think it is better to separate the unquoting and factor it out into a
separate function, unquoting all superglobal arrays that can contain quoted
values ($_POST, $_GET, $_COOKIE).
This is what I do in my scripts - you can be sure at any place you use the
function that the value passed is definitely unquoted.


Klaus Triendl



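An added example of the factoring Klaus describes, not his own code: undo magic_quotes_gpc once at startup over the superglobals that can carry quoted input, so every later consumer can rely on receiving raw values. magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8, so the check is guarded and the function is a no-op on current PHP; the function names and the constructed sample are assumptions.

```php
<?php
// Added example (not from the thread): strip magic-quotes backslashes from
// request superglobals once, before any other code reads them.

/** Recursively stripslashes() every string in a possibly nested array. */
function strip_slashes_deep($value)
{
    if (is_array($value)) {
        return array_map('strip_slashes_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/**
 * Normalise request input: if magic quotes added backslashes, remove them
 * from $_GET, $_POST, $_COOKIE and $_REQUEST. Returns true when stripping
 * was performed, false when the input was already raw (or the feature is gone).
 */
function undo_magic_quotes(): bool
{
    if (!function_exists('get_magic_quotes_gpc') || !@get_magic_quotes_gpc()) {
        return false;
    }
    $_GET     = strip_slashes_deep($_GET);
    $_POST    = strip_slashes_deep($_POST);
    $_COOKIE  = strip_slashes_deep($_COOKIE);
    $_REQUEST = strip_slashes_deep($_REQUEST);
    return true;
}

// Call once at the top of a common include, before request data is read.
undo_magic_quotes();

// Constructed sample: what magic_quotes_gpc would have produced for "O'Brien"
// and a nested field, and what strip_slashes_deep() gives back.
$sample = [
    'name' => addslashes("O'Brien"),
    'meta' => ['note' => addslashes('say "hi"')],
];
$clean = strip_slashes_deep($sample);
var_dump($clean['name'] === "O'Brien");           // bool(true)
var_dump($clean['meta']['note'] === 'say "hi"');  // bool(true)
```

Doing this once, centrally, is what lets an escaping helper drop its own get_magic_quotes_gpc() branch: the helper then escapes exactly once, and no value is either double-escaped or left with stray backslashes.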