parseQuery function..

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

I knocked up a Query parsing method, and would like people to pick at it to see if I have missed any potential loopholes :)

public function parseQuery ()
{
    // First argument is the SQL template; any further arguments are the
    // values for the :1, :2, ... placeholders, in order.
    $count = func_num_args();
    $str = func_get_arg(0);

    if ($count > 1) {
        for ($i = 1; $i < $count; $i++) {

            // A value that round-trips through intval() or floatval()
            // unchanged is inlined bare; everything else is escaped and
            // single-quoted.
            if ((strval(intval(func_get_arg($i))) === strval(func_get_arg($i)))
                || (strval(floatval(func_get_arg($i))) === strval(func_get_arg($i)))) {
                $pat = mysql_real_escape_string(func_get_arg($i), $this->link);
            } else {
                $pat = "'" . mysql_real_escape_string(func_get_arg($i), $this->link) . "'";
            }

            // Replace every textual occurrence of :N in the current string.
            $str = str_replace(':' . $i, $pat, $str);
        }
    }

    $this->query = $str;
}
Usage:

$db->parseQuery('SELECT * FROM `table` WHERE `col` = :1 AND `col2` = :2', $val1, $val2);
Or you can still run a straight query in a single string arg, but are left to your own devices for escaping etc.

TIA :)

EDIT: Whoops.. should be in Security, sorry.
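An added example, not part of Jenk's post or the forum's code: the same placeholder scheme built as a single pass with preg_replace_callback, so ":1" cannot match the start of ":10" and a substituted value that happens to contain ":2" is never re-scanned for placeholders on a later pass. The `$quote` callable and the demo quoting closure are assumptions standing in for the driver's escaper (mysql_real_escape_string with the link, or PDO::quote) so the file runs without a database.

```php
<?php
// Added example (not the original post's code): single-pass placeholder
// substitution. Because the query is scanned exactly once, a greedy \d+
// consumes ":10" whole (so ":1" never matches inside it), and text that
// was inserted for one placeholder is never looked at again.
//
// $quote is an assumed stand-in for the driver's own escaping, e.g.
// mysql_real_escape_string($v, $link) or PDO::quote().
function buildQuery(string $sql, array $args, callable $quote): string
{
    return preg_replace_callback(
        '/:(\d+)/',                       // :N placeholder, N = 1-based argument index
        function (array $m) use ($args, $quote): string {
            $n = (int) $m[1];
            if (!array_key_exists($n, $args)) {
                throw new InvalidArgumentException("No value supplied for :$n");
            }
            $v = $args[$n];
            // Only a plain integer or decimal literal is inlined unquoted;
            // anything else (including "1e2", " 1", "1.") is quoted as a string.
            if (is_int($v) || is_float($v) || preg_match('/^-?\d+(\.\d+)?\z/', (string) $v)) {
                return (string) $v;
            }
            return "'" . $quote((string) $v) . "'";
        },
        $sql
    );
}

// Demo-only quoting stand-in (assumption): real code must pass the
// driver's escaper here instead.
$demoQuote = function (string $v): string {
    return str_replace(["\\", "'"], ["\\\\", "\\'"], $v);
};

// Constructed inputs. Argument 2 contains the text ":1", and argument 10
// exercises the multi-digit placeholder case.
$args = [1 => "O'Reilly", 2 => "see :1 for details", 10 => 42];
echo buildQuery(
    'SELECT * FROM `t` WHERE `a` = :1 AND `b` = :2 AND `c` = :10',
    $args,
    $demoQuote
), PHP_EOL;
```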
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

  • reformatted (1 tab = 4 spaces) because it didn't fit into 1024x768 screen resolution
  • moved to PHP - Security
  •
        if ((strval(intval(func_get_arg($i))) === strval(func_get_arg($i)))
            || (strval(floatval(func_get_arg($i))) === strval(func_get_arg($i))))

    could be replaced with

        if (is_numeric(func_get_arg($i)))
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

I was reading the notes on php.net for is_numeric, and it apparently has issues with numbers > 16 chars, so I opted for the above instead :)

Thanks for moving.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

hmm... from my reading it's :
What that means is that, for each string with more than 308 characters...
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Seems that this function can only verify numbers up to 16 digits long. Eg:

1111111111111111111

A 19-digit number will return false.
Is what I read (past tense.. not being anal :).)

Also,
is_numeric("1,000") = F
is_numeric("1e2") = T
is_numeric("-1e-2") = T
is_numeric("1e2.3") = F
is_numeric("1.") = T
is_numeric("1.2") = T
is_numeric("1.2.3") = F
is_numeric("-1") = T
is_numeric("- 1") = F
is_numeric("--1") = F
is_numeric("1-") = F
is_numeric("1A") = F
is_numeric(" 1") = T
is_numeric("1 ") = F
Would MySQL handle entries such as 1e2 in the same fashion?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Would MySQL handle entries such as 1e2 in the same fashion?
Of course, MySQL supports scientific notation.