
Is this good enough to prevent SQLi

Posted: Tue Dec 08, 2009 10:51 am
by synical21
Hey gurus, as my host won't turn off magic quotes on the server I can not use mysql_real_escape_string, so I am using this function to try to avoid the slashes on a sign-up form.

Code:

 
// Function definitions
// Keep only digits, letters, hyphen, period, space and double quote;
// newlines are carried through a placeholder and come back as <br />.
function onlyLetters($str){
   $text = str_replace("\n", "xyxy", $str);
   $pattern = '/[^0-9a-zA-Z-. "]*/';
   $text = preg_replace($pattern, '', $text);
   return str_replace("xyxy", "<br />\n", $text);
}
// Keep only digits and periods.
function onlyNumbers($str){
   $pattern = '/[^0-9.]*/';
   return preg_replace($pattern, '', $str);
}

$md5user = onlyLetters(md5($_POST['user_name']));
 
Is this method effective or not? If not, I would appreciate any touch-ups or ideas.

Re: Is this good enough to prevent SQLi

Posted: Tue Dec 08, 2009 12:23 pm
by jackpf
Why can't you use mysql_real_escape_string?

Re: Is this good enough to prevent SQLi

Posted: Tue Dec 08, 2009 12:28 pm
by BlaineSch
synical21 wrote: Hey gurus, as my host won't turn off magic quotes on the server I can not use mysql_real_escape_string, so I am using this function to try to avoid the slashes on a sign-up form.

Code:

 
// Function definitions
// Keep only digits, letters, hyphen, period, space and double quote;
// newlines are carried through a placeholder and come back as <br />.
function onlyLetters($str){
   $text = str_replace("\n", "xyxy", $str);
   $pattern = '/[^0-9a-zA-Z-. "]*/';
   $text = preg_replace($pattern, '', $text);
   return str_replace("xyxy", "<br />\n", $text);
}
// Keep only digits and periods.
function onlyNumbers($str){
   $pattern = '/[^0-9.]*/';
   return preg_replace($pattern, '', $str);
}

$md5user = onlyLetters(md5($_POST['user_name']));
 
Is this method effective or not? If not, I would appreciate any touch-ups or ideas.
No, you should apply any regex BEFORE you md5 it. Once it's md5'd it will definitely only be alphanumeric with no spaces or anything; that's the only thing md5 will replace... so basically your onlyLetters(md5()) is just taking longer because you do a regex that does nothing.

Re: Is this good enough to prevent SQLi

Posted: Tue Dec 08, 2009 12:32 pm
by AbraCadaver
jackpf wrote: Why can't you use mysql_real_escape_string?
Yeah, why the hell not? I do all the time.

Code:

// Undo the slashes magic quotes added, then escape once for MySQL
if(get_magic_quotes_gpc()){
   $string = stripslashes($string);
}
$string = mysql_real_escape_string($string);
 

Re: Is this good enough to prevent SQLi

Posted: Tue Dec 08, 2009 12:37 pm
by synical21
I didn't use mysql_real_escape_string because the slashes in the database were annoying the hell out of me. Now, looking at the stripslashes solution, I'll happily use mysql_real_escape_string; makes my life a lot easier :P

Re: Is this good enough to prevent SQLi

Posted: Tue Dec 08, 2009 1:11 pm
by synical21
I have tried this:

Code:

 
$usr_email = mysql_real_escape_string(stripslashes($_POST['usr_email']));
 
The slashes are gone now but the ' still remains when I checked the DB record; does mysql_real_escape_string do that? I'm not too sure how it works, but I thought it would delete illegal characters such as '.

Re: Is this good enough to prevent SQLi

Posted: Tue Dec 08, 2009 1:14 pm
by AbraCadaver
synical21 wrote: I have tried this:

Code:

 
$usr_email = mysql_real_escape_string(stripslashes($_POST['usr_email']));
 
The slashes are gone now but the ' still remains when I checked the DB record; does mysql_real_escape_string do that? I'm not too sure how it works, but I thought it would delete illegal characters such as '.
Why is that an illegal character? If you don't want ', I hope none of your fields contain text, because ' is used very frequently in text.

Re: Is this good enough to prevent SQLi

Posted: Tue Dec 08, 2009 1:31 pm
by synical21
Oh yeah, good point lol, I wasn't thinking at all about the user, I was just thinking about how some people use ' in SQL injections, my bad lol. Looks like it is fixed then, thanks for your help all :drunk:

Re: Is this good enough to prevent SQLi

Posted: Tue Dec 08, 2009 1:48 pm
by pickle
mysql_real_escape_string() adds slashes in front of bad characters such as '. Those slashes don't get stored, however, so the contents of the field are the same as the value before being run through mysql_real_escape_string(). The purpose is not to modify the value inserted into the database, but to allow any value to be safely inserted into the database.
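The behaviour pickle describes, together with the stripslashes() step from AbraCadaver's snippet, as an added PHP example that is not code from the thread. It assumes PHP with the bundled pdo_sqlite driver and uses PDO::quote() in place of mysql_real_escape_string(), since the old mysql extension needs a live server; the escaping job is the same (SQLite doubles the apostrophe where MySQL backslashes it), and the stored result is identical.

```php
<?php
// Added example, not from the thread. Shows (1) that escaping changes the SQL
// text, not the value stored in the table, and (2) that escaping a value that
// magic quotes already slashed is what leaves a stray backslash in the table.
// Assumes PHP with pdo_sqlite; PDO::quote() stands in for mysql_real_escape_string().

function undoMagicQuotes(string $value, bool $magicQuotesOn): string
{
    // Strip only when the server added the slashes, so backslashes the user
    // actually typed are never removed.
    return $magicQuotesOn ? stripslashes($value) : $value;
}

function insertAndReadBack(PDO $db, string $value): string
{
    $db->exec('DELETE FROM users');
    // The quoted form is what travels to the database; the slashes or
    // doubled quotes exist only inside this SQL text.
    $sql = 'INSERT INTO users (usr_email) VALUES (' . $db->quote($value) . ')';
    echo "SQL sent: $sql\n";
    $db->exec($sql);
    return (string) $db->query('SELECT usr_email FROM users')->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (usr_email TEXT NOT NULL)');

// Constructed input: what $_POST['usr_email'] holds once magic quotes has
// already put a backslash in front of the apostrophe the user typed.
$typed  = "o'brien@example.com";
$posted = addslashes($typed);

// Escaping the already-slashed value: the backslash is stored with the email.
$stored = insertAndReadBack($db, $posted);
echo "Stored without stripslashes: $stored\n";

// Strip first, then escape: the SQL text is escaped, the stored value is
// exactly what the user typed, apostrophe included.
$stored = insertAndReadBack($db, undoMagicQuotes($posted, true));
echo "Stored with stripslashes:    $stored\n";
var_dump($stored === $typed);
```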

Re: Is this good enough to prevent SQLi

Posted: Tue Dec 08, 2009 2:29 pm
by synical21
Thank you for clearing that up, now I understand how it works :)