
SQL Injection

Posted: Tue Feb 10, 2015 8:03 am
by gotornot
Hi

I am really struggling here. I want this to check for forbidden words in an effort to stop SQL injection.
I can't seem to get it to work :(


function secureit()
{
    global $items_check;
    $unallowed = array('href', 'www', 'UPDATE', 'INSERT', 'DELETE', 'SET', 'OFFSET', 'ORDER BY', 'union', 'DROP TABLE', 'CREATE TABLE');
    foreach ($unallowed as $field) {
        // stristr() returns the matched substring or FALSE, never TRUE,
        // so test against FALSE explicitly instead of comparing with TRUE.
        if (stristr($items_check, $field) !== FALSE) {
            $mess = 'NO Thanks "' . $items_check . '" is forbidden content!';
            return false;   // forbidden word found: caller should stop
        }
    }
    return true;            // no forbidden word found
}
The idea is that it checks $items_check against a list of banned words; if it finds one, it doesn't allow the remaining script to execute.

Re: SQL Injection

Posted: Tue Feb 10, 2015 8:08 am
by Celauran
stristr doesn't return true

More importantly, you want to be using prepared statements to avoid SQL injection.

Re: SQL Injection

Posted: Tue Feb 10, 2015 8:12 am
by gotornot
I don't understand what you mean. Why wouldn't it return true??

Re: SQL Injection

Posted: Wed Feb 11, 2015 6:56 am
by Strider64
First, as stated, you should be using prepared statements, either in mysqli or PDO (my recommendation). http://php.net/manual/en/pdo.prepare.php

Second, avoid using global variables as much as possible (global $items_check).

Third, if I were going to write a function like the one you wrote (I wouldn't), I would do something like the following:


<?php

function checkIt($item_check) {
	$unallowed = array('href', 'www', 'UPDATE', 'INSERT', 'DELETE', 'SET', 'OFFSET', 'ORDER BY', 'union', 'DROP TABLE', 'CREATE TABLE');
	// in_array() is an exact, case-sensitive match of the whole value
	if ( in_array($item_check, $unallowed) ) {
		return "Item is not allowed";
	}
	return false;   // nothing matched
}

$status = checkIt("UPDATE");

if ($status) {
	echo $status . "<br>\n";
}
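As an added example (not code from the thread), here is the lookup the replies are recommending, done with PDO prepared statements against an in-memory SQLite database; the users table and the two sample usernames are constructed for the demonstration.

```php
<?php
// Added example: a parameterised lookup with PDO, as Celauran and Strider64
// recommend, using SQLite in memory so it runs wherever PDO's sqlite driver exists.

function findUser(PDO $pdo, string $username): ?array
{
    // The value is bound as a parameter: the database receives the SQL text and
    // the value separately, so quotes or keywords inside $username are data,
    // never part of the query. No word list is needed.
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');

// Constructed sample rows. Both are legitimate values that cause trouble for
// the approaches in the thread: "O'Brien" would end a string literal early in a
// query built by concatenation, and "sunset_rider" contains "set", so the
// stristr() word filter above would reject it.
$insert = $pdo->prepare('INSERT INTO users (username) VALUES (:name)');
foreach (["O'Brien", 'sunset_rider'] as $name) {
    $insert->execute([':name' => $name]);
}

// With bound parameters all three lookups are plain value comparisons:
// the first two return the matching row, the last returns null.
var_dump(findUser($pdo, "O'Brien"));
var_dump(findUser($pdo, 'sunset_rider'));
var_dump(findUser($pdo, 'nobody'));
```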