Is this good enough to prevent SQLi

synical21
Forum Contributor
Posts: 150
Joined: Tue Jul 28, 2009 8:44 am
Location: London UK

Is this good enough to prevent SQLi

Post by synical21 »

Hey gurus, as my host won't turn off magic quotes on the server I cannot use mysql_real_escape_string, so I am using this function to try to avoid the slashes on a sign-up form.

```php
<?php
// Function definitions
function onlyLetters($str) {
    // Protect newlines from the strip, then turn them into <br /> afterwards
    $text = str_replace("\n", "xyxy", $str);
    // Strip everything except digits, letters, hyphen, dot, space and double quote
    $pattern = '/[^0-9a-zA-Z\-. "]+/';
    $text = preg_replace($pattern, '', $text);
    return str_replace("xyxy", "<br />\n", $text);
}

function onlyNumbers($str) {
    // Strip everything except digits and dots
    $pattern = '/[^0-9.]+/';
    return preg_replace($pattern, '', $str);
}

$md5user = onlyLetters(md5($_POST['user_name']));
```
Is this method effective or not? If not, I would appreciate any touch-ups or ideas.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Is this good enough to prevent SQLi

Post by jackpf »

Why can't you use mysql_real_escape_string?
BlaineSch
Forum Commoner
Posts: 28
Joined: Sun Jun 07, 2009 4:28 pm
Location: Trapped in my own little world.

Re: Is this good enough to prevent SQLi

Post by BlaineSch »

synical21 wrote: Hey gurus, as my host won't turn off magic quotes on the server I cannot use mysql_real_escape_string, so I am using this function to try to avoid the slashes on a sign-up form.
Is this method effective or not? If not, I would appreciate any touch-ups or ideas.
No, you should apply any regex BEFORE you md5 it. Once it's md5'd it will definitely only be alphanumeric with no spaces or anything; that's the only thing md5 will return, so basically your onlyLetters(md5()) is just taking longer because you do a regex that does nothing.
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: Is this good enough to prevent SQLi

Post by AbraCadaver »

jackpf wrote:Why can't you use mysql_real_escape_string?
Yeah, why the hell not? I do all the time.
```php
<?php
// Undo the slashes magic_quotes_gpc added, then escape once for MySQL
if (get_magic_quotes_gpc()) {
    $string = stripslashes($string);
}
$string = mysql_real_escape_string($string);
```
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
synical21
Forum Contributor
Posts: 150
Joined: Tue Jul 28, 2009 8:44 am
Location: London UK

Re: Is this good enough to prevent SQLi

Post by synical21 »

I didn't use mysql_real_escape_string because the slashes in the database were annoying the hell out of me. Now, looking at the stripslashes solution, I'll happily use mysql_real_escape_string; it makes my life a lot easier :P
synical21
Forum Contributor
Posts: 150
Joined: Tue Jul 28, 2009 8:44 am
Location: London UK

Re: Is this good enough to prevent SQLi

Post by synical21 »

I have tried this:

```php
$usr_email = mysql_real_escape_string(stripslashes($_POST['usr_email']));
```
The slashes are gone now, but the ' still remains when I checked the DB record. Does mysql_real_escape_string do that? I'm not too sure how it works, but I thought it would delete illegal characters such as '.
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: Is this good enough to prevent SQLi

Post by AbraCadaver »

synical21 wrote:I have tried this:

```php
$usr_email = mysql_real_escape_string(stripslashes($_POST['usr_email']));
```
The slashes are gone now, but the ' still remains when I checked the DB record. Does mysql_real_escape_string do that? I'm not too sure how it works, but I thought it would delete illegal characters such as '.
Why is that an illegal character? If you don't want ' I hope none of your fields contain text, because ' is used very frequently in text.
synical21
Forum Contributor
Posts: 150
Joined: Tue Jul 28, 2009 8:44 am
Location: London UK

Re: Is this good enough to prevent SQLi

Post by synical21 »

Oh yeah, good point lol, I wasn't thinking at all about the user; I was just thinking about how some people use ' in SQL injections, my bad lol. Looks like it is fixed then, thanks for your help all :drunk:
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Is this good enough to prevent SQLi

Post by pickle »

mysql_real_escape_string() adds slashes in front of bad characters such as '. Those slashes don't get stored, however, so the contents of the field are the same as the value before being run through mysql_real_escape_string(). The purpose is not to modify the value inserted into the database, but to allow any value to be safely inserted into the database.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
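The end state of the thread (undo magic quotes, then hand the untouched value to the database) as an added example; this is not code from any poster. It uses a PDO prepared statement, the replacement named in the deprecation notice above, against an in-memory SQLite table with a constructed stand-in for $_POST; undoMagicQuotes() is a hypothetical helper.

```php
<?php
// Added example, not from the thread. Shows that with a placeholder the
// apostrophe synical21 expected to be "deleted" is stored verbatim, and
// that no escaping or onlyLetters() filtering of the value is needed.

// Undo magic_quotes_gpc if the host still has it on. The function was
// removed in newer PHP versions, hence the function_exists guard.
function undoMagicQuotes(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// In-memory SQLite so the demo runs without a MySQL server (constructed table).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_name TEXT, usr_email TEXT)');

// Constructed stand-in for $_POST from the sign-up form.
$post = ['user_name' => "O'Brien", 'usr_email' => "o'brien@example.com"];

// Named placeholders keep the data separate from the SQL text, so the value
// is never interpreted as part of the statement, whatever characters it holds.
$stmt = $pdo->prepare(
    'INSERT INTO users (user_name, usr_email) VALUES (:name, :email)'
);
$stmt->execute([
    ':name'  => undoMagicQuotes($post['user_name']),
    ':email' => undoMagicQuotes($post['usr_email']),
]);

// Read the row back: the ' is present and no slash was stored, as pickle describes.
$row = $pdo->query('SELECT user_name, usr_email FROM users')
           ->fetch(PDO::FETCH_ASSOC);
var_dump($row['user_name'] === "O'Brien");
var_dump(strpos($row['usr_email'], '\\') === false);
```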
synical21
Forum Contributor
Posts: 150
Joined: Tue Jul 28, 2009 8:44 am
Location: London UK

Re: Is this good enough to prevent SQLi

Post by synical21 »

Thank you for clearing that up, now i understand how it works :)