Your Thoughts on an Anti-Injection SQL Generating Script.

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Also got a headache from reading some of this thread:P

To the OP: You've asked for opinions, so others have given them. When asking for code reviews (which is what I thought you were asking for as well) you are going to get negative feedback... always. This is not a personal attack, it is feedback: pointers to where things can be improved, or to items you may have missed.

It can be difficult not to, but don't take it personally :)
malcolmboston
DevNet Resident
Posts: 1826
Joined: Tue Nov 18, 2003 1:09 pm
Location: Middlesbrough, UK

Post by malcolmboston »

erm, wtf is that?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

malcolmboston wrote: erm, wtf is that?
It's a puzzle

Spam is an unsolicited advertisement in my opinion. That message was a puzzle for the intelligent individual who started this post. I'm sorry you feel that way, but it wasn't addressed to you.
Last edited by Benjamin on Fri Feb 10, 2006 9:02 am, edited 1 time in total.
malcolmboston
DevNet Resident
Posts: 1826
Joined: Tue Nov 18, 2003 1:09 pm
Location: Middlesbrough, UK

Post by malcolmboston »

looks more like spam to me, please do not do it
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Stop the meta-discussion, get back on topic.

Nobody is interested in meta-discussions unless directly involved.

The topic is "Anti SQL Injection scripts", not "I'm holier than thou".
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

There are a few ways of generating SQL. Might be worth a look to read up on the Data Access and ActiveRecord patterns in PHP. Might provide some inspiration if you're out to have developers not have to use SQL queries directly.
daedalus__ wrote: My questions are: has this kind of thing been done before, like this? Would anyone be interested in using such a script? What kind of features would you like to see?
DataAccess, ActiveRecord. Similar in aims. To comment on prior replies, both of these patterns aim to generate SQL on the fly (in many cases - not all, some use pre-set SQL statements), after which it will be executed. It's a two-step process. ADOdb is useful for step 2 - execution, and not step 1. Step 1 is a completely separate process.

DataAccess and ActiveRecord are design patterns - google around to find examples and more information. Another google topic is ORM or Object Relational Mapping. You may not be at the OOP stage yet in learning PHP but they're still useful topics to at least be aware of.

Such scripts are used. Removing the SQL from needed developer experience lowers the entry barrier to developing an application. It does come with a price though, it can be restrictive and limit the possibility of performing Joins depending on the implementation.

Feature most developers would like to see would be data escaping. mysql_real_escape_string() at a minimum, or any of its clones for other DBMSs like pg_escape_string for PostgreSQL, etc. These are commonly available and even required by most modern PHP applications - legacy PHP versions excluded.

Filtering data is probably not all that liked in an SQL class of any kind. One would assume that's being done long before you get around to using a SQL query... INSERT/FROM filtering is likewise debatable - does mysql_query allow multiple SQL queries in a single call?
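A minimal version of the two-step split described above (step 1 generates the SQL, step 2 executes it), as an added example that is not the OP's script or any library's code. It assumes PDO with the pdo_sqlite driver; for step 2 it uses bound parameters rather than mysql_real_escape_string(), since the mysql extension was removed in PHP 7, and the SimpleQuery class name is made up for the example.

```php
<?php
// Added example, not the OP's script: step 1 builds the SQL text plus a list
// of parameters, step 2 hands both to the driver. Caller data never becomes
// part of the SQL string, so there is no escaping step to forget.
class SimpleQuery
{
    // Table/column names are the only caller text that lands inside the SQL,
    // so restrict them to plain identifiers and quote them (ANSI style).
    private static function ident(string $name): string
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad identifier: $name");
        }
        return '"' . $name . '"';
    }
    // Step 1: INSERT INTO t (c1, c2) VALUES (?, ?) plus the values.
    public static function insert(string $table, array $row): array
    {
        $cols  = array_map(fn($c) => self::ident($c), array_keys($row));
        $marks = implode(', ', array_fill(0, count($row), '?'));
        $sql   = 'INSERT INTO ' . self::ident($table) . ' ('
               . implode(', ', $cols) . ') VALUES (' . $marks . ')';
        return [$sql, array_values($row)];
    }
    // Step 1: SELECT * FROM t WHERE c1 = ? AND c2 = ? plus the values.
    public static function select(string $table, array $where = []): array
    {
        $conds = [];
        foreach (array_keys($where) as $col) {
            $conds[] = self::ident($col) . ' = ?';
        }
        $sql = 'SELECT * FROM ' . self::ident($table)
             . ($conds ? ' WHERE ' . implode(' AND ', $conds) : '');
        return [$sql, array_values($where)];
    }
    // Step 2: execution through a prepared statement.
    public static function run(PDO $db, array $built): PDOStatement
    {
        [$sql, $params] = $built;
        $stmt = $db->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    }
}
// Constructed demo on an in-memory SQLite database (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE members (name TEXT, email TEXT)');
// A value containing a quote, as a form field might carry it; it stays a value.
SimpleQuery::run($db, SimpleQuery::insert('members', ['name' => "O'Brien", 'email' => 'ob@example.com']));
$rows = SimpleQuery::run($db, SimpleQuery::select('members', ['name' => "O'Brien"]))->fetchAll(PDO::FETCH_ASSOC);
var_dump(count($rows) === 1);
```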
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

Thanks for all of the input, especially from Roja and Maugrim_The_Reaper.

feyd and jshpro2, I apologize for how I have been acting. I tend to be extremely defensive and sharp with people. So, again, I apologize.

feyd:
feyd wrote: So here are the answers:
Yes, there are many database abstraction layers around. ADOdb is probably the most famous for PHP.
I don't see the point of using your script over something as feature-rich and heavily used as ADOdb. Maybe you could shed some light.
I don't particularly like the entire query being generated for me, as it can be mildly unpredictable. So I can't really think of anything at the moment.
I haven't been doing this for very long, I don't know what a database abstraction layer is, to be honest.

I usually write everything I need myself. I don't always have the patience to search for things, and it is not always easy for me to find something to fit my needs. I regularly make simple pages and databases for things like news, members, and other tedious things. I don't want to have to remember and write the same code 10,000 times for similar jobs and I'm sure there are other people who don't either.

This script really is designed for simple things like the ones mentioned above; instead of writing the same 10 lines over and over you can initialize a class and call a function.

Roja:

The script is currently more a concept than a script. I'm still deciding how different things are going to work.

I tried to elaborate on its purpose with what I wrote to feyd. It's not meant to be an end-all solution to SQL vulnerabilities. I know I've misled a lot of people with the thread's title. Off the top of my head, the two main points of this program are: SQL generation and then execution, and injection prevention. If I wrote a script to handle SQL and didn't provide some kind of protection against injection, I would be a crappy developer.

I would appreciate it if people would keep in mind my experience level as well. I have scripted for games like Morrowind and Neverwinter Nights before PHP and just recently moved into web technologies; I did ASP/VBScript for two months, and PHP for around one month. There are a lot of things that have been mentioned in this thread that I have no previous knowledge of.

Other than what I have read, I do not know much about mysql_real_escape_string or data escaping. Whether mysql_real_escape_string works or not, there are still reasons I see to not use it.

Software changes. Sure, it works fine now but it might not later. I would rather have a script sitting around that I can fix in 5 minutes than wait for PHP to be updated. At my job, time is something I normally don't have.

It may not be a great reason to have protection beyond mysql_real_escape_string() but the truth is, you can almost never have too much security. Too much security would be a chastity belt.
Roja wrote: To be honest, you haven't explained what your script does in specific enough detail. As a general statement, I would trust a script written with clear purpose, by an established coder, and widely distributed more. That's not to say you can't fit all three in time, I'm just clarifying *my* criteria for interest, since you asked.
Ha, I can't fit into all three right now but it's okay because I am trying to get on my feet. Truthfully I usually keep to myself and my closest friends. This is the first forum I have posted on in upwards of 4 years.

I see people making this script out to be more complicated than I intended it to be in the first place. I am hoping that everyone is beginning to understand what this script is intended to do and what it isn't.

Maugrim:

I appreciate your input but most paragraphs, I finished only to hear a swooshing sound above my head.
Maugrim_The_Reaper wrote: You may not be at the OOP stage yet in learning PHP
I'm guessing no.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

daedalus__ wrote: Other than what I have read, I do not know much about mysql_real_escape_string or data escaping. Whether mysql_real_escape_string works or not, there are still reasons I see to not use it.
I can't help you with your code - I'll leave that to the experts here - but I can recommend reading more on http://phpsec.org/, specifically http://phpsec.org/projects/guide/. Or take a look at Chris Shiflett's book and site http://shiflett.org/ for a lot of solid information about PHP security in general and MySQL injection prevention specifically.

I find the security section on this forum an excellent place to find more info and answers as well.