Hi everyone,
I recently launched a website, and it took my friend a little over three hours to inject SQL into it. While this guy is a professional programmer and knows more than your typical 14 year old 1337 haxx0r, I'm a little bit dissappointed with the result. So I had an idea. Where do 99.9% of sql injections come from? GET and POST, right? What if there were a function that would use regex to test for a mysql query that is being passed through those channels? It wouldn't even be that hard right? Test for a few of the common MySQL keywords (SELECT, DELETE, DROP, WHERE, maybe the backticks, etc.). If it finds something, it just silently unsets the variable (or array element), and continues execution of the script. Run that function in every script (I have a central include file, so putting that in would be a matter of seconds)...I'm just curious as to what you think about this idea, what I should consider, etc.
Cheers!
A function testing for SQL injection?
Moderator: General Moderators
- evilmonkey
- Forum Regular
- Posts: 823
- Joined: Sun Oct 06, 2002 1:24 pm
- Location: Toronto, Canada
- evilmonkey
- Forum Regular
- Posts: 823
- Joined: Sun Oct 06, 2002 1:24 pm
- Location: Toronto, Canada
Would that include integers? My problem is that if my query looks something like this:Nathaniel wrote:Nah, you're really overcomplicating things. Just run mysql_real_escape_string (or other appropriate function for your DB) on ALL foreign input, and you're set.
Code: Select all
SELECT * FROM `table` WHERE `id`=$id- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
You could always quote it and escape it as if it was a string or force it to an integer with intval(), however, I still pass everything through mysql_real_escape_string() it's easier to blanket the whole lot than pick and choose which ones to escape and which to not.
- evilmonkey
- Forum Regular
- Posts: 823
- Joined: Sun Oct 06, 2002 1:24 pm
- Location: Toronto, Canada
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
I filter all input with either:
Then use the database specific escaping function for every var that goes into SQL and htmentities() any var that goes to HTML/XML
Code: Select all
// (int) does the same as intval() with no function call
$myvar = (int)$_REQUEST['myvar'];
// or to allow only specific characters
$myvar = preg_replace('/[^a-zA-Z0-9\-\_]/', '', i$_REQUEST['myvar']);(#10850)