(Basic Question) PHP Injection?
Posted: Tue Aug 25, 2009 11:25 am
Hi, I am very new to programming and PHP in general, so I apologize in advance if the question is too trivial or obvious.

So the question is how to prevent SQL and PHP injection by validating inputs. Now it is pretty simple for me to construct an input validator:

Code:
<?php
/*
Input Cleaning
Returns clean input
*/
// CLEAN INTEGERS: keep the first $numDigits characters, drop everything that is not a digit, cast to int
function inputVerifyIntegers($intSent, $numDigits) {
    $intCheck1 = (string)substr(htmlentities($intSent, ENT_QUOTES), 0, $numDigits);
    return (integer)preg_replace('/[^0123456789]*/', '', $intCheck1);
}
// CLEAN ALPHANUMERIC: same idea, keeping only ASCII letters and digits
function inputVerifyAlpha($alphaSent, $numLetters) {
    $alphaCheck1 = (string)substr(htmlentities($alphaSent, ENT_QUOTES), 0, $numLetters);
    return (string)preg_replace('/[^0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]*/', '', $alphaCheck1);
}
?>

Now the question is: what stops some creative input for $intSent, for example something like

Code:
){}function evil(){return evilValue;}function($e

Now evil input has been returned. Is this impossible in PHP because PHP only interprets one line? Also, are there any serious problems with my whitelist/code? What stops hackers from inserting tons of lines of code: merely the fact that PHP interprets only one line per expression, or the fact that your code is secret? Also, I see several potential casting problems. Should I enclose the casts in some kind of exception handling in case they fail? Again, sorry if they seem so trivial. Thanks.
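The following is an added example, not code from the original post or its author. It runs the two concerns in the question as code: what the digit whitelist does to the "evil" string, whether an `(int)` cast can fail, and what actually stops SQL injection once the value reaches a query. The helper `cleanInt` is a hypothetical rewrite of the post's `inputVerifyIntegers` with the same behaviour; the `users` table and its two rows are constructed sample data, and the block assumes PHP 7.4+ with the `pdo_sqlite` extension for the in-memory database.

```php
<?php
// Added example (not from the original post). Assumes pdo_sqlite is available.

// Hypothetical helper with the same behaviour as the post's inputVerifyIntegers:
// truncate to $numDigits characters, drop every non-digit, cast to int.
function cleanInt(string $raw, int $numDigits): int
{
    $truncated = substr($raw, 0, $numDigits);
    // preg_replace returns a string; an (int) cast of a string never throws in PHP.
    // A string with no leading digits casts to 0, so no try/catch is needed here.
    return (int) preg_replace('/[^0-9]/', '', $truncated);
}

// The hostile string from the post. A request parameter is only data: PHP does not
// parse a variable's contents as code unless that string is passed to eval() or
// used as a file name for include/require. That, not "one line per expression" or
// secrecy of the source, is why it cannot define a function from here.
$evil = '){}function evil(){return evilValue;}function($e';

var_dump(cleanInt($evil, 10));     // every character is stripped, leaving the integer 0
var_dump(cleanInt('42abc', 10));   // leading digits survive, trailing letters are dropped
var_dump((int) 'not a number');    // demonstrates the cast degrading to 0 rather than failing

// ---- SQL side: the filter is defence in depth; the prepared statement is the barrier ----
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");   // constructed rows

// Vulnerable form: the raw value is spliced into the SQL text, so whatever the user
// typed becomes part of the statement the database parses.
$vulnerableSql = 'SELECT name FROM users WHERE id = ' . $evil;
try {
    $pdo->query($vulnerableSql);
} catch (PDOException $e) {
    echo "concatenated query was rejected by the parser: the input became SQL\n";
}

// Hardened form: the value is bound to a placeholder and travels as data. The database
// never interprets it as SQL, whatever characters it contains.
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$stmt->bindValue(':id', $evil, PDO::PARAM_STR);
$stmt->execute();
var_dump($stmt->fetchAll(PDO::FETCH_COLUMN));   // no row has that literal id

// Whitelist plus typed binding: the cleaned integer selects the intended row only.
$stmt->bindValue(':id', cleanInt('2abc', 5), PDO::PARAM_INT);
$stmt->execute();
var_dump($stmt->fetchAll(PDO::FETCH_COLUMN));   // the row for id 2
```

Two observations on the post's own functions follow from running this. First, `substr` is applied before the non-digit characters are removed, so the length limit counts characters that are about to be stripped (`'a1b2c3'` with a limit of 3 yields `1`, not `123`); filtering first and truncating second gives the limit its intended meaning. Second, the `htmlentities` call adds nothing, because the characters an entity is built from (`&`, `#`, `;`) are removed by the whitelist anyway; output encoding belongs at the point where a value is written into HTML, not in the input filter.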