[56K WARN (page 2)] Newbie needs help on SQL injection

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK
Contact:

Post by raghavan20 »

A few function behaviours: :roll:

Code:

<?php
$str1 = "234324";
$str2 = "sdf23dsf";
echo gettype($str1) . "<br />" . gettype($str2) . "<br />";                 // returns both as string
echo gettype(intval($str1)) . "<br />" . gettype(intval($str2)) . "<br />"; // returns both as integer
echo is_numeric($str1) . "<br />" . is_numeric($str2) . "<br />";           // returns 1 for the first one, nothing for the second
sleazyfrank
Forum Commoner
Posts: 40
Joined: Fri Aug 19, 2005 3:59 am
Location: Horsham, West Sussex

Post by sleazyfrank »

patrikG wrote:
Unless it covers object oriented programming in good detail, I don't think any beginner's PHP book is worth looking at. I usually recommend Harry Fuecks "PHP Anthology".

Yup. And I used to work in Horsham for a couple of months some time ago... We always went to the Malt & Shovel :)
You're kidding? The guy's name is Fuecks?! The Malt & Shovel - Springfield Road? Near the crossroads?

cheers frank
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

To all but the first question: yes ;)

Malt & Shovel was a bit too pricy on Hoegaarden...
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Cheers... Belgians sure know how to make beer ;)

patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Yup! But they either sell it too expensively or the UK government (as usual) slaps 400% import duty on it... Being asked close to 3 squid for a pint is daylight robbery. But alas, every now and then, a nice pint of Hoegaarden... <slurp>
AnarKy
Forum Contributor
Posts: 119
Joined: Tue Nov 02, 2004 1:49 am
Location: South Africa

I never saw the fascination for that bitter stuff

Post by AnarKy »

I never saw the fascination for that bitter stuff,
Can handle it though… just hate the taste…
sleazyfrank
Forum Commoner
Posts: 40
Joined: Fri Aug 19, 2005 3:59 am
Location: Horsham, West Sussex

Post by sleazyfrank »

Hi all - I'm trying to use this:

function filterBadWords($string){
    return preg_replace("/[drop|insert|delete|;|--]/", "", $string);
}

to remove any illegal or unwanted words and characters. I'm trying to put up some lines of defence against sql injection. But I'm getting this error:

Warning: Compilation failed: range out of order in character class at offset 23 in /mydirectory/bookcourse.php on line 290

Erm... any ideas what this means?

thanks

frank
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Remove the square brackets; those are used as a character class, i.e., anything inside is considered an unordered list of acceptable characters for the match. The error is due to your usage of --: the minus symbol is a metacharacter in character classes.
sleazyfrank
Forum Commoner
Posts: 40
Joined: Fri Aug 19, 2005 3:59 am
Location: Horsham, West Sussex

Post by sleazyfrank »

feyd wrote: The error is due to your usage of --, the minus symbol is a metacharacter in character classes.
Hi - cheers for that - I'm only on week 2 of php so learning lots as I go; but I've read that -- is used in sql injection attacks?
I'm also using
function filterAlphanumeric($string){
    return preg_replace("/[^a-zA-Z0-9]/", "", $string);
}
so will that take care of the dreaded --?

thanks for helping a php noob!

frank
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Yes, it will.
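The three filters from this exchange, plus the intval() behaviour from the first post, as an added example that is not code from any of the original posts. It runs the original (uncompilable) pattern, the alternation that was presumably meant, and the alphanumeric whitelist against a constructed injection payload, then shows the defence that does not depend on guessing bad words: casting a numeric key and binding string values with a prepared statement. The PDO part assumes the pdo_sqlite extension and builds its own table in memory; the table name course and the column title are assumptions for the demo.

```php
<?php
// Added example for this thread (not code from the original posts): what the
// three filters discussed above do to a typical injection payload, and the
// defence that makes word filtering unnecessary. All sample inputs are constructed.

// The pattern from the first post. Square brackets build a character class,
// so this would strip single characters (d, r, o, p, |, i, ...), not words, and
// the sequence "|--" is read as a range from '|' (0x7C) down to '-' (0x2D),
// which is why PCRE refuses to compile it. preg_replace then returns null
// (the @ only silences the warning so the script keeps going).
function filterBadWordsBroken($string) {
    return @preg_replace("/[drop|insert|delete|;|--]/", "", $string);
}

// What was meant: alternation inside a group. The /i flag is needed, or an
// upper-case DROP passes straight through; even then the filter is not
// recursive, so "DRdropOP" collapses back to "DROP" after one pass.
function filterBadWords($string) {
    return preg_replace("/(drop|insert|delete|;|--)/i", "", $string);
}

// The whitelist from later in the thread: everything outside [a-zA-Z0-9] goes,
// so "--" and ";" cannot survive, but neither can a space or the quote in O'Brien.
// It is only suitable for fields that are genuinely alphanumeric.
function filterAlphanumeric($string) {
    return preg_replace("/[^a-zA-Z0-9]/", "", $string);
}

// For a numeric key, intval() (compare the first post) is the whole answer:
// after ctype_digit() the cast yields a plain integer, and an integer cannot
// carry SQL. Anything that is not all digits becomes 0 here (assumed policy).
function courseIdFromRequest($raw) {
    return ctype_digit((string) $raw) ? intval($raw) : 0;
}

// For anything else, send the value separately from the SQL text. The value is
// bound as data, so the database never parses it as part of the statement.
function lookupCourseByTitle(PDO $db, $title) {
    $stmt = $db->prepare("SELECT id, title FROM course WHERE title = :title");
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite database (assumes pdo_sqlite); table and rows constructed here.
function demoPreparedStatement($payload) {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE course (id INTEGER PRIMARY KEY, title TEXT)");
    $db->exec("INSERT INTO course (title) VALUES ('PHP 101'), ('O''Reilly Intro')");
    // The payload is compared as a literal string, so it matches no row.
    $hits = count(lookupCourseByTitle($db, $payload));
    // The table still exists: the DROP inside the payload was never executed.
    $tables = count($db->query("SELECT name FROM sqlite_master WHERE type = 'table'")->fetchAll());
    return [$hits, $tables];
}

$payload = "1; DROP TABLE course --";
var_dump(filterBadWordsBroken($payload));
var_dump(filterBadWords($payload));
var_dump(filterBadWords("DRdropOP TABLE course"));
var_dump(filterAlphanumeric($payload));
var_dump(courseIdFromRequest("234324"));
var_dump(courseIdFromRequest("sdf23dsf"));
if (extension_loaded('pdo_sqlite')) {
    var_dump(demoPreparedStatement("x' OR 1=1; DROP TABLE course --"));
}
```

Run it with the PHP CLI. The broken pattern yields null, the alternation strips the keyword, ";" and "--" but lets the case-mangled "DRdropOP" rebuild itself into DROP, the whitelist reduces the payload to "1DROPTABLEcourse", the two intval() calls give 234324 and 0, and the prepared statement returns no hits while the course table survives. The point for the thread: a word blacklist is a guessing game the attacker can always win, a character whitelist only works where the field really is alphanumeric, and binding parameters removes the problem rather than filtering around it.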
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

But only if you start using [php ]-tags (without the space in the brackets) around your code, sleazyfrank.
sleazyfrank
Forum Commoner
Posts: 40
Joined: Fri Aug 19, 2005 3:59 am
Location: Horsham, West Sussex

Post by sleazyfrank »

Erm... I use <?php ?> unless that's an inbuilt php dev joke? :oops:

frank
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

You posted

function filterAlphanumeric($string){
    return preg_replace("/[^a-zA-Z0-9]/", "", $string);
}

If you surround this with [php ] ... [/php ]-tags (without the spaces in the brackets), you will end up with code-highlighting:

[syntax=php]function filterAlphanumeric($string){
return preg_replace("/[^a-zA-Z0-9]/", "", $string);
}[/syntax]
sleazyfrank
Forum Commoner
Posts: 40
Joined: Fri Aug 19, 2005 3:59 am
Location: Horsham, West Sussex

I am sleazyfrank - easily confused....

Post by sleazyfrank »

D'oh. But I gotta tell ya, I'm loving PHP and MySQL a billion times better than ASP and Micro$oft SQL Server. It's very ActionScript-esque in its approach.

Code:

Here's how I should have done it!

frank
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Code:

Yup