A function testing for SQL injection?

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

Post Reply
User avatar
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

A function testing for SQL injection?

Post by evilmonkey »

Hi everyone,

I recently launched a website, and it took my friend a little over three hours to inject SQL into it. While this guy is a professional programmer and knows more than your typical 14 year old 1337 haxx0r, I'm a little bit dissappointed with the result. So I had an idea. Where do 99.9% of sql injections come from? GET and POST, right? What if there were a function that would use regex to test for a mysql query that is being passed through those channels? It wouldn't even be that hard right? Test for a few of the common MySQL keywords (SELECT, DELETE, DROP, WHERE, maybe the backticks, etc.). If it finds something, it just silently unsets the variable (or array element), and continues execution of the script. Run that function in every script (I have a central include file, so putting that in would be a matter of seconds)...I'm just curious as to what you think about this idea, what I should consider, etc.

Cheers!
User avatar
Nathaniel
Forum Contributor
Posts: 396
Joined: Wed Aug 31, 2005 5:58 pm
Location: Arkansas, USA

Post by Nathaniel »

Nah, you're really overcomplicating things. Just run mysql_real_escape_string (or other appropriate function for your DB) on ALL foreign input, and you're set.

It's good to have a database wrapper (search for this if you don't know what it is) to automate the process.
User avatar
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

Nathaniel wrote:Nah, you're really overcomplicating things. Just run mysql_real_escape_string (or other appropriate function for your DB) on ALL foreign input, and you're set.
Would that include integers? My problem is that if my query looks something like this:

Code: Select all

SELECT * FROM `table` WHERE `id`=$id
and $id is suppossed to be an integer (no quotes around it), it'll crash if a string comes in...
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You could always quote it and escape it as if it was a string or force it to an integer with intval(), however, I still pass everything through mysql_real_escape_string() it's easier to blanket the whole lot than pick and choose which ones to escape and which to not.
User avatar
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

Alright thanks guys...I guess I'll secure the site through mysql_real_escape_string(). ASll the strings are secured through that, now I just have to take care of the integer input. Thanks. :)
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I filter all input with either:

Code: Select all

// (int) does the same as intval() with no function call
$myvar = (int)$_REQUEST['myvar'];
// or to allow only specific characters
$myvar = preg_replace('/[^a-zA-Z0-9\-\_]/', '', i$_REQUEST['myvar']);
Then use the database specific escaping function for every var that goes into SQL and htmentities() any var that goes to HTML/XML
(#10850)
Post Reply