SQL Injection Prevention
Posted: Thu Aug 16, 2007 11:33 pm
Hi guys,
I have listed some points below[Related to SQL Injection Only]
1> Use of only escape string like mysql_real_escape_string() is necessary and sufficient.
2> You should never use htmlentities or htmlspecialchars as these are encodings for a specific document format. You could not do searching or matching on that data and displaying it in any other document format would take extra code, and could not be done directly from the database.
3> Use of trim() may be used if no spaces in beginning or end are required.
4> You should never need to use stripslashes on output from a database. Aside from security, escaping quotes for instance, is solely for the benefit of the SQL parser. This is no different than escaping quotes in PHP strings, in order to not confuse the PHP parser and get an error. If you echo the string, it will not contain the escape characters, they are there solely to tell the parser what language characters are intended to be part of the string, and which ones are to be interpreted as actual code. The SQL parser in a database is no different.
5> Magic quotes and addslashes are vulnerable to character set differences and should not be used. If you can't turn it off, run code to defeat it, which is the proper use of stripslashes.
There are two codes which i found on the forum please compare them and tell which one is better? Looking at only the input data which is sent to db.
What should be the code/precaution when extracting data from db and displaying them. code for them???
All the above and below things are with respect to sql injection.
Please also discuss the above points and let me know if i have something wrong in above 5 points
Code1
why do we have if(get_magic_quotes_gpc($input))
and not if(get_magic_quotes_gpc()) ?
Code 2
[s]Pls[/s] please let me know if the above points i summarized are correct.
I have been on this forum for past 5-6 days and I must say that all your prompt replies with elaborate explanation really helping enthusiasts and increases level of confidence in them. Hats off to you.
Waiting for a reply which covers all my doubts...
If there are some loopholes in the above code then can you tell me the easiest and the most secure code against sql injection.
I have listed some points below[Related to SQL Injection Only]
1> Use of only escape string like mysql_real_escape_string() is necessary and sufficient.
2> You should never use htmlentities or htmlspecialchars as these are encodings for a specific document format. You could not do searching or matching on that data and displaying it in any other document format would take extra code, and could not be done directly from the database.
3> Use of trim() may be used if no spaces in beginning or end are required.
4> You should never need to use stripslashes on output from a database. Aside from security, escaping quotes for instance, is solely for the benefit of the SQL parser. This is no different than escaping quotes in PHP strings, in order to not confuse the PHP parser and get an error. If you echo the string, it will not contain the escape characters, they are there solely to tell the parser what language characters are intended to be part of the string, and which ones are to be interpreted as actual code. The SQL parser in a database is no different.
5> Magic quotes and addslashes are vulnerable to character set differences and should not be used. If you can't turn it off, run code to defeat it, which is the proper use of stripslashes.
There are two codes which i found on the forum please compare them and tell which one is better? Looking at only the input data which is sent to db.
What should be the code/precaution when extracting data from db and displaying them. code for them???
All the above and below things are with respect to sql injection.
Please also discuss the above points and let me know if i have something wrong in above 5 points
Code1
Code: Select all
function cleaner($input)
{
if(is_array($input))
{
$ret = array();
foreach($input as $key=>$value)
{
$ret[$key] = cleaner($value);
}
return $ret;
}
else
{
if(!is_numeric($input))
{
if(get_magic_quotes_gpc($input))
{
$input = stripslashes($input);
}
$input = mysql_real_escape_string($input);
}
return $input;
}
}
$dbData = cleaner($_POST);why do we have if(get_magic_quotes_gpc($input))
and not if(get_magic_quotes_gpc()) ?
Code 2
Code: Select all
function safeEscapeString($string){
if (get_magic_quotes_gpc()) {
$string = stripslashes($string);
//defeating magic quote is required!
return $string;
} else {
return mysql_real_escape_string($string);
}
}
function cleanVar($string){
$string = trim($string);
$string = safeEscapeString($string);
$string = strip_tags($string);
// [b]i think strip_tags should be removed[/b]
return $string;
}
foreach($_POST as $name => $value){
$_POST[$name] = cleanVar($value);
}
foreach($_GET as $name => $value){
$_GET[$name] = cleanVar($value);
}
foreach($_COOKIE as $name => $value){
$_COOKIE[$name] = cleanVar($value);
}
foreach($_REQUEST as $name => $value){
$_REQUEST[$name] = cleanVar($value);
}I have been on this forum for past 5-6 days and I must say that all your prompt replies with elaborate explanation really helping enthusiasts and increases level of confidence in them. Hats off to you.
Waiting for a reply which covers all my doubts...
If there are some loopholes in the above code then can you tell me the easiest and the most secure code against sql injection.
[url=http://forums.devnetwork.net/viewtopic.php?t=30037]Forum Rules[/url] Section 1.1 wrote:11. Please use proper, complete spelling when posting in the forums. AOL Speak, leet speak and other abbreviated wording can confuse those that are trying to help you (or those that you are trying to help). Please keep in mind that there are many people from many countries that use our forums to read, post and learn. They do not always speak English as well as some of us, nor do they know these aberrant abbreviations. Therefore, use as few abbreviations as possible, especially when using such simple words.
Some examples of what not to do are ne1, any1 (anyone); u (you); ur (your or you're); 2 (to too); prolly (probably); afaik (as far as I know); etc.