Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Jenk
DevNet Master
Posts: 3587 Joined: Mon Sep 19, 2005 6:24 am
Location: London
by Jenk » Sun Jul 16, 2006 10:42 am
I knocked up a Query parsing method, and would like people to pick at it to see if I have missed any potential loopholes
Code:
    public function parseQuery ()
    {
        $count = func_num_args();
        $str   = func_get_arg(0);            // first argument is the SQL template
        if ($count > 1) {
            for ($i = 1; $i < $count; $i++) {
                // Emit the value unquoted only if int or float conversion
                // reproduces the original string exactly; otherwise quote it.
                if ((strval(intval(func_get_arg($i))) === strval(func_get_arg($i)))
                    || (strval(floatval(func_get_arg($i))) === strval(func_get_arg($i)))) {
                    $pat = mysql_real_escape_string(func_get_arg($i), $this->link);
                } else {
                    $pat = "'" . mysql_real_escape_string(func_get_arg($i), $this->link) . "'";
                }
                // Placeholder :1 is replaced by argument 1, :2 by argument 2, ...
                $str = str_replace(':' . $i, $pat, $str);
            }
        }
        $this->query = $str;
    }
Usage:
Code:
    $db->parseQuery('SELECT * FROM `table` WHERE `col` = :1 AND `col2` = :2', $val1, $val2);
Or you can still run a straight query in a single string arg, but are left to your own devices for escaping etc.
TIA
EDIT: Whoops.. should be in Security, sorry.
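An added example, not code from the post above: it keeps parseQuery's numeric round-trip test and its quoting rule, but replaces the per-placeholder str_replace loop with one preg_replace_callback pass. The loop has two holes the single pass closes: ':1' is a prefix of ':10', so with ten or more parameters the wrong value is spliced in, and the value substituted for ':1' is still part of the string when ':2' is processed, so a caller-supplied value that contains ':2' is rewritten with the second parameter. The function names buildQuery, buildQuerySequential and isNumericLiteral are mine, the escaper is passed in as a callable so the code runs without a database, and the sample parameter values are constructed for the demonstration.

```php
<?php
// Added example (not the code from the post). Same numeric test and quoting
// rule as parseQuery, but placeholders are resolved in a single pass so text
// that has already been substituted is never scanned again.

function isNumericLiteral(string $value): bool
{
    // The post's test: emit unquoted only if int or float conversion
    // reproduces the string exactly. "1e2", " 1" and "0x1A" all fail and
    // therefore end up quoted and escaped, which is the safe side.
    return (string)(int)$value === $value
        || (string)(float)$value === $value;
}

// $escape must be the connection-aware escaper in real code, e.g.
//     fn(string $s): string => mysqli_real_escape_string($link, $s)
// It is a parameter so this function can be exercised without a database.
function buildQuery(string $template, array $params, callable $escape): string
{
    return preg_replace_callback(
        '/:(\d+)/',
        function (array $m) use ($params, $escape): string {
            $idx = (int)$m[1] - 1;                 // :1 is $params[0]
            if (!array_key_exists($idx, $params)) {
                throw new InvalidArgumentException("no value for placeholder :{$m[1]}");
            }
            $value = (string)$params[$idx];
            return isNumericLiteral($value)
                ? $escape($value)
                : "'" . $escape($value) . "'";
        },
        $template
    );
}

// The post's sequential loop, reproduced only to show the difference:
// each iteration rescans the whole string, including values already inserted.
function buildQuerySequential(string $template, array $params, callable $escape): string
{
    $str = $template;
    foreach ($params as $i => $value) {
        $value = (string)$value;
        $pat   = isNumericLiteral($value) ? $escape($value) : "'" . $escape($value) . "'";
        $str   = str_replace(':' . ($i + 1), $pat, $str);
    }
    return $str;
}

// Stand-in escaper so this runs offline. addslashes() is not charset-aware;
// in real code pass mysqli_real_escape_string bound to the open connection.
$escape = 'addslashes';

$sql = 'SELECT * FROM `table` WHERE `col` = :1 AND `col2` = :2';

// Constructed input: the first value contains the text ":2". With the
// sequential loop the second iteration rewrites it inside the first literal;
// with the single pass it stays a literal ":2" inside a quoted string.
$params = ['x :2 y', "O'Reilly"];

echo "sequential:  ", buildQuerySequential($sql, $params, $escape), "\n";
echo "single-pass: ", buildQuery($sql, $params, $escape), "\n";
```

Both versions still treat any ':' followed by digits in the template as a placeholder, so a time literal such as '12:30' written into the SQL text would be picked up; that is a property of the template, not of the parameters, and is the caller's responsibility. Missing placeholders throw instead of leaving ':3' in the query text.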
Weirdan
Moderator
Posts: 5978 Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine
by Weirdan » Sun Jul 16, 2006 11:42 am
reformatted (1 tab = 4 spaces) because it didn't fit into 1024x768 screen resolution
moved to PHP - Security
Code:
    if ((strval(intval(func_get_arg($i))) === strval(func_get_arg($i)))
        || (strval(floatval(func_get_arg($i))) === strval(func_get_arg($i))))
could be replaced with
Jenk
DevNet Master
Posts: 3587 Joined: Mon Sep 19, 2005 6:24 am
Location: London
by Jenk » Sun Jul 16, 2006 12:34 pm
I was reading the notes on php.net for is_numeric, and it apparently has issues with numbers > 16 chars, so I opted for the above instead.
Thanks for moving.
Weirdan
Moderator
Posts: 5978 Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine
by Weirdan » Sun Jul 16, 2006 12:40 pm
hmm... from my reading it's:
What that means is that, for each string with more than 308 characters...
Jenk
DevNet Master
Posts: 3587 Joined: Mon Sep 19, 2005 6:24 am
Location: London
by Jenk » Sun Jul 16, 2006 7:41 pm
Seems that this function can only verify numbers up to 16 digits long. E.g.:
1111111111111111111
A 19-digit number will return false.
Is what I read (past tense.. not being anal.)
Also,
is_numeric("1,000") = F
is_numeric("1e2") = T
is_numeric("-1e-2") = T
is_numeric("1e2.3") = F
is_numeric("1.") = T
is_numeric("1.2") = T
is_numeric("1.2.3") = F
is_numeric("-1") = T
is_numeric("- 1") = F
is_numeric("--1") = F
is_numeric("1-") = F
is_numeric("1A") = F
is_numeric(" 1") = T
is_numeric("1 ") = F
Would MySQL handle entries such as 1e2 in the same fashion?
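An added example, not from the thread: it runs is_numeric() and the round-trip test from parseQuery side by side over the inputs listed above plus a few constructed ones, and reports which inputs each gate would let into the SQL unquoted. The helper names and the extra sample values are mine; the PHP version notes are from the PHP migration documentation (hex strings stopped being numeric in 7.0, trailing whitespace became allowed in 8.0).

```php
<?php
// Added example (not from the thread). The question for a query builder is
// not "is this a number?" but "will MySQL read this unquoted token exactly as
// the application intended?". The round-trip test only passes values PHP can
// reproduce byte for byte, so everything unusual is quoted and escaped.

function roundTripsAsNumber(string $v): bool
{
    // The post's test: int or float conversion must reproduce the string.
    return (string)(int)$v === $v || (string)(float)$v === $v;
}

// Returns a list of [input, is_numeric result, round-trip result].
function compareNumericGates(array $samples): array
{
    $rows = [];
    foreach ($samples as $v) {
        $rows[] = [$v, is_numeric($v), roundTripsAsNumber($v)];
    }
    return $rows;
}

// Inputs from the post, plus constructed ones that matter once a value is
// emitted without quotes:
//   "0x1A"   is_numeric() accepted hex strings before PHP 7.0; unquoted,
//            MySQL reads 0x1A as a hexadecimal literal, not the text "0x1A".
//   "1 "     is_numeric() rejects trailing whitespace before PHP 8.0 and
//            accepts it from 8.0 on, so that gate depends on the PHP version.
//   "1e999"  is_numeric() accepts it, but as a float it is INF, which the
//            round-trip test rejects, so it is quoted.
//   "100.0"  is_numeric() accepts it; (float) gives "100", so it is quoted
//            and MySQL compares it as a string rather than a number.
$samples = ['1,000', '1e2', '-1e-2', '1.', '1.2', '-1', ' 1', '1 ',
            '0x1A', '1e999', '100.0'];

foreach (compareNumericGates($samples) as [$input, $isNumeric, $roundTrip]) {
    printf("%-9s is_numeric=%-5s round-trip=%-5s unquoted by parseQuery: %s\n",
        var_export($input, true),
        $isNumeric ? 'true' : 'false',
        $roundTrip ? 'true' : 'false',
        $roundTrip ? 'yes' : 'no');
}
```

Run it under the PHP version you deploy on: the two gates disagree on several inputs, and is_numeric() itself changes behaviour between major versions, while the round-trip test fails closed (anything it cannot reproduce is quoted) on every version.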
Weirdan
Moderator
Posts: 5978 Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine
by Weirdan » Mon Jul 17, 2006 1:29 am
Jenk wrote: Would MySQL handle entries such as 1e2 in the same fashion?
Of course, MySQL supports scientific notation.