SQL injection
Posted: Wed Jan 16, 2008 12:37 pm
by thatsme
I am trying to prevent sql injection.
Code
function EscapeQuotes($data)
{
    if (get_magic_quotes_gpc()) {
        // undo the slashes magic_quotes_gpc already added, so values are not escaped twice
        $data = array_map('stripslashes', $data);
    }
    // callback names must be quoted strings; mysql_real_escape_string() needs an open connection
    return array_map('mysql_real_escape_string', $data);
}
// calling
$post = EscapeQuotes($_POST);
extract($post);
$check_login_QUERY = mysql_query("SELECT * FROM members WHERE member_email_id='$email_id' AND member_password='$password'");
If there is anything that has to be modified in the above code, please let me know.
Thanks
Re: SQL injection
Posted: Wed Jan 16, 2008 1:04 pm
by jimthunderbird
Your code is concise and elegant; I guess it prevents most of the SQL injection attempts.

Re: SQL injection
Posted: Wed Jan 16, 2008 1:17 pm
by Zoxive
jimthunderbird wrote: Your code is concise and elegant; I guess it prevents most of the SQL injection attempts.

Escaping strings alone is not enough to prevent SQL injection.
You need to verify that it only contains the characters which you allow.
Ex. Usernames: 5-16 characters long, only letters, numbers and underscores.
There are many, many other topics in these forums (and Internet!) about sql injection, and how to prevent it.
Re: SQL injection
Posted: Wed Jan 16, 2008 2:03 pm
by jimthunderbird
Yeah, those will be extra, like checking correct email format also...
Re: SQL injection
Posted: Wed Jan 16, 2008 4:40 pm
by Mordred
Zoxive wrote: Escaping strings alone is not enough to prevent SQL injection.
You need to verify that it only contains the characters which you allow.
Ex. Usernames: 5-16 characters long, only letters, numbers and underscores.
While the first statement is generally true (I wrote a paper on the subject: "The Unexpected SQL Injection"), it is not true in this context. Escaping strings is not intended as a security measure only; it is provided exactly so you can put any string you like in the data part of an SQL query. Thus the verifications you advise are okay, but not necessary to prevent SQL injection. The escaping does that part.
jimthunderbird wrote: Your code is concise and elegant; I guess it prevents most of the SQL injection attempts.

No, the code is horrible: it uses functions that every PHP programmer should scratch in their head and never ever use, and it uses a couple of wrong and dangerous misconceptions.
The EscapeQuotes() function is flawed; I've written a long rant about it, which I won't repeat here.
The other abomination is the use of extract(), as it injects into the global namespace any values passed in $_POST. Welcome back register_globals.
In short, this is a horrible way to write code, even if the small piece presented here is not vulnerable.
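Added example, not code from the thread: the extract() problem Mordred describes, shown with a hand-constructed $_POST. The `is_admin` key is one the login form never sends; the hypothetical `login_with_extract()` and `login_explicit()` functions are mine, not from the original post.

```php
<?php
// Constructed request data standing in for a real $_POST: the third key is
// not part of the login form at all.
$fake_post = array(
    'email_id' => 'user@example.com',
    'password' => 'secret',
    'is_admin' => '1',
);

// What the original post does: every request key becomes a local variable,
// so application state set before extract() is silently overwritten.
function login_with_extract(array $post)
{
    $is_admin = false;   // decided by the application ...
    extract($post);      // ... and replaced by any same-named request key
    return $is_admin;    // now the string '1', i.e. truthy
}

// Defensive form: read only the keys the form is expected to send, leave
// everything else in the request untouched.
function login_explicit(array $post)
{
    $is_admin = false;
    $email_id = isset($post['email_id']) ? $post['email_id'] : '';
    $password = isset($post['password']) ? $post['password'] : '';
    return $is_admin;    // still false, whatever else the request carried
}

var_dump(login_with_extract($fake_post)); // string(1) "1"
var_dump(login_explicit($fake_post));     // bool(false)
```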
Re: SQL injection
Posted: Wed Jan 16, 2008 4:57 pm
by Oren
Mordred++
Re: SQL injection
Posted: Wed Jan 16, 2008 5:31 pm
by s.dot
Also, array_map() doesn't take into account nested arrays in your data. I'd make it a habit to individually call mysql_real_escape_string() on everything you want escaped.
Moved to PHP security.
Re: SQL injection
Posted: Thu Jan 17, 2008 1:39 am
by thatsme
Thanks for your valuable comments.
When I was searching on Google about mysql_real_escape_string, I saw the code below:
<?php
/**
 * PHP5
 */
// Undoes the slashes magic_quotes_gpc adds to request data.
// Note: this only reverses magic quotes; it does not escape anything for SQL.
function array_clean(&$value)
{
    if (ini_get('magic_quotes_gpc')) {
        $value = stripslashes($value);
    }
}
// array_walk_recursive() reaches values inside nested arrays too
array_walk_recursive($_GET, 'array_clean');
array_walk_recursive($_POST, 'array_clean');
array_walk_recursive($_COOKIE, 'array_clean');
?>
Can I use the above code safely?
Re: SQL injection
Posted: Thu Jan 17, 2008 3:57 am
by Mordred
thatsme wrote: Thanks for your valuable comments.
You're welcome. Now read them.
thatsme wrote: Can I use the above code safely?
Safe from what? From SQL injection - no.
Re: SQL injection
Posted: Thu Jan 17, 2008 5:53 am
by thatsme
Mordred,
Can you suggest some sites which guide me in preventing SQL injection? I am not asking for ready-made code, just guidance.
Thanks
Re: SQL injection
Posted: Thu Jan 17, 2008 6:24 am
by Mordred
In the article mentioned above (http://www.webappsec.org/projects/artic ... 7.shtml#pb) there is a collection of the major papers on the subject.
Re: SQL injection
Posted: Sat Jan 19, 2008 12:52 pm
by hannnndy
Please tell me, what is SQL injection?
I'm a beginner in security.

Re: SQL injection
Posted: Sat Jan 19, 2008 4:51 pm
by John Cartwright
hannnndy wrote: Please tell me, what is SQL injection?
I'm a beginner in security.

Google is your friend >
http://en.wikipedia.org/wiki/Sql_injection
Re: SQL injection
Posted: Tue Feb 12, 2008 10:31 pm
by Attilitus
I don't understand why more people do not implement their security in their database abstraction layer. It seems like a no-brainer to me; it eliminates all possibility of SQL exploitation. Escaping your data using any other means leaves room for clumsy errors and oversights.
For example, WordPress recently had an exploit caused by trackback pings in foreign charsets. They didn't escape data as part of their database abstraction layer, and when they converted the previously safe foreign charset into the local charset it contained unsafe information that was then added to the database.
That is a crazy example, but the point is this: implement your SQL injection security in the database abstraction layer, because then there will be absolutely NO chance of error.
Re: SQL injection
Posted: Wed Feb 13, 2008 3:04 am
by Mordred
Damn right. Actually there is no other correct way of escaping except in the database layer -- it is a bug if you escape data for SQL without or before (or after) actually using it in a query.
I go one step further - I write no SQL code whatsoever - only through a generator.
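Added example, not code from the thread: a small database layer of the kind Attilitus and Mordred argue for, where request values never touch the SQL text and the escaping question disappears entirely. It uses PDO prepared statements (PHP 5.3.6 or later for the charset in the DSN); host, database name and credentials are placeholders, and the query is the login check from the first post.

```php
<?php
// Connection: charset is declared on the link (this is the detail behind the
// charset-conversion bug Attilitus mentions) and emulated prepares are off,
// so the MySQL server binds the parameters itself instead of PDO splicing
// escaped strings into the query text on the client side.
function db_connect()
{
    $dsn = 'mysql:host=localhost;dbname=example;charset=utf8mb4'; // placeholders
    return new PDO($dsn, 'app_user', 'app_password', array(      // placeholders
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ));
}

/**
 * Run a query with '?' placeholders. $params travel to the server separately
 * from the SQL, so they may contain quotes, backslashes or any byte sequence
 * without any stripslashes() or *_real_escape_string() call anywhere.
 */
function db_rows(PDO $db, $sql, array $params = array())
{
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The login query from the original post, with the two values bound instead
// of interpolated, and without extract(): only the expected fields are read.
// (Comparing the password column directly is kept as in the original post.)
function check_login(PDO $db, array $post)
{
    $email_id = isset($post['email_id']) ? $post['email_id'] : '';
    $password = isset($post['password']) ? $post['password'] : '';
    $rows = db_rows(
        $db,
        'SELECT * FROM members WHERE member_email_id = ? AND member_password = ?',
        array($email_id, $password)
    );
    return count($rows) === 1 ? $rows[0] : null;
}

// usage: $member = check_login(db_connect(), $_POST);
```

Because all SQL goes through db_rows(), a forgotten escape in one code path is no longer possible, which is exactly the property Attilitus's "no chance of error" argument depends on.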