PHP
zobov, 2012-01-22 15:16:44

SQL inj protection

Hi all.
I had this question: is this kind of filtering against SQL injection sufficient? This piece of code is included at the very beginning of every script. PHP 5.3.8
foreach($_REQUEST as $_ind => $_val) {
$_REQUEST[$_ind] = mysql_real_escape_string($_REQUEST[$_ind]);
}

foreach($_POST as $_ind => $_val) {
$_POST[$_ind] = mysql_real_escape_string($_POST[$_ind]);
}

foreach($_GET as $_ind => $_val) {
$_GET[$_ind] = mysql_real_escape_string($_GET[$_ind]);
}

foreach($_COOKIE as $_ind => $_val) {
$_COOKIE[$_ind] = mysql_real_escape_string($_COOKIE[$_ind]);
}



9 answer(s)
Melkij, 2012-01-22
@melkij

Congratulations, you have invented magic quotes.
Yes, that's enough. Unless $_FILES is still left unprocessed.
No, it's inconvenient. That is why magic quotes were abandoned.
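
As an added example (not part of the thread, and not the poster's code), the following shows where the escape-everything-at-the-top approach from the question gives no protection at all. mysql_real_escape_string() only neutralises the characters that terminate a quoted string literal; a value that is interpolated unquoted, as a number or as an ORDER BY column, is untouched by it. The escaper is stubbed with addslashes() so the script runs without a server; the table and column names are assumptions.

```php
<?php
// Added example, not code from the thread. Escaping only neutralises the
// characters that end a *quoted string literal*, so a value interpolated
// unquoted (numeric context, ORDER BY column) stays attacker controlled
// even after it has been through mysql_real_escape_string().

// Stand-in for mysql_real_escape_string(), which needs a live connection.
// Neither function changes the inputs used below, because those inputs
// contain none of the characters either one escapes (quotes, backslash,
// NUL, newlines).
function escape_stub($value) {
    return addslashes($value);
}

// The pattern from the question: escape first, then interpolate anywhere.
function query_escaped_only($id, $sort) {
    $id   = escape_stub($id);
    $sort = escape_stub($sort);
    // Both values are unquoted, so the escaper had nothing to do.
    return "SELECT * FROM users WHERE id=$id ORDER BY $sort";
}

// Hardened version: handle each context by its type, not by escaping.
function query_by_context($id, $sort) {
    // Numeric context: coerce the type; "1 OR 1=1" becomes 1.
    $id = (int)$id;
    // Identifier context: escaping cannot help at all; use an allow-list.
    $allowed_sort = array('id', 'name', 'created');
    if (!in_array($sort, $allowed_sort, true)) {
        $sort = 'id';
    }
    return "SELECT * FROM users WHERE id=$id ORDER BY `$sort`";
}

// Constructed attacker input: no quotes, so escaping leaves it intact.
$bad_id   = '1 OR 1=1';
$bad_sort = '(SELECT SLEEP(5))';

echo query_escaped_only($bad_id, $bad_sort), "\n";
echo query_by_context($bad_id, $bad_sort), "\n";
```

With these inputs the first function produces `SELECT * FROM users WHERE id=1 OR 1=1 ORDER BY (SELECT SLEEP(5))`, which MySQL accepts and which returns every row (slowly); the second produces `SELECT * FROM users WHERE id=1 ORDER BY \`id\``. The same applies to LIKE patterns (% and _ are not escaped) and to LIMIT clauses.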

Konstantin, 2012-01-22
@Norraxx

Shitcode detected?
I wonder how you compare values in PHP? For example, if you need to compare two strings and one of them has already been changed by your function (mysql_real_escape_string).
This function must be called on strings just before inserting them into the database.
And in general, stop using the old mysql! Use mysqli: cz.php.net/manual/en/mysqli.prepare.php ! Get acquainted with prepared statements and your crap will be a thing of the past.

Elkaz, 2012-01-22
@Elkaz

Use PDO, Luke :)

Vladson, 2012-01-23
@Vladson

And again, the mythical "protection"...
Wake up, people: you don't have to defend yourself against "SQL-inj", it is not a threat. The presence of SQL holes is a simple bug. If you want to avoid them, don't make mistakes in your code.
Which way you pass the data to the query is up to you; you can even use bin2hex (although there are ways that are easier and more logical). The main thing to understand is that the data and what the SQL server perceives as data are different things. But stop calling it protection: it's not protection, it's just "code without a bug". (Protection implies a threat that exists even when the code is competent, as in the case of DDoS: those are perfectly normal packets, there are just a lot of them.)
SELECT * FROM `table`
WHERE `word`=0x4841434b454420425920564c4144534f4e;
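
An added example, not Vladson's code, of the bin2hex technique his query uses by hand: the value is sent as a hexadecimal literal, which MySQL reads as a binary string, so no quoting is involved and no byte of the value can terminate the literal or be parsed as SQL. The table and column names are taken from the query above; the helper names are assumptions.

```php
<?php
// Added example, not from the thread: passing a string to MySQL as a
// hexadecimal literal (0x...), as the query in the answer above does by hand.

function sql_hex_literal($value) {
    $value = (string)$value;
    // A bare 0x with no digits is a syntax error in MySQL, so the empty
    // string has to be sent as an empty quoted literal instead.
    if ($value === '') {
        return "''";
    }
    return '0x' . bin2hex($value);
}

function query_by_word($word) {
    return 'SELECT * FROM `table` WHERE `word`=' . sql_hex_literal($word);
}

// Constructed inputs. The second contains a quote and a comment marker;
// inside the hex literal they are just the bytes 27 and 2d 2d.
$queries = array(
    query_by_word('HACKED BY VLADSON'),
    query_by_word("x' OR 1=1 -- "),
    query_by_word(''),
);
foreach ($queries as $q) {
    echo $q, "\n";
}
```

The first call reproduces the literal shown in the answer above exactly. Two caveats: a hex literal compared with a non-binary VARCHAR column makes the comparison binary (case-sensitive), which differs from a quoted literal; and in a numeric context MySQL treats the literal as a number (0x31 is 49, not '1'), so use this only for string columns.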

Eirenliel, 2012-01-22
@Eirenliel

Use mysql_real_escape_string when substituting a variable into every query.
I'm sorry, I can't answer on Habr...

mapron, 2012-01-22
@mapron

If you have PHP 5.3 (and not PHP 4), then it's a sin not to use mysqli, and with placeholders you can forget about injections like a bad dream. Plus, saving on query parsing time is a nice bonus)
In Zend, say:
$db->query('UPDATE users SET login_time=? WHERE id=?', array($time, $id));
PDO has already been mentioned above, but unfortunately it is not included by default, whereas mysqli can be used fully. The imitation of magic quotes reminded me of this, to be honest:
//The following is not safe code, but this is the only way to fix the situation with the old version.

if ($_GET) {
    foreach ($_GET AS $key => $value) {
        $$key = $value; //Make every GET variable a plain global, as register_globals did
    }
}
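
The placeholder UPDATE from the answer above, and the mysqli.prepare link from Konstantin's answer, as an added example written with plain mysqli prepared statements (not code from the thread or from Zend). Values travel separately from the SQL text, so nothing is escaped and the request values stay unmodified for later comparisons. The connection details, database name and the users(id INT, name VARCHAR(64), login_time INT) table are assumptions.

```php
<?php
// Added example, not from the thread: mysqli prepared statements for the
// UPDATE shown above plus a lookup by string. Assumed: MySQL on localhost,
// database `app`, and a table users(id INT, name VARCHAR(64), login_time INT).

$mysqli = new mysqli('localhost', 'app_user', 'secret', 'app');
if ($mysqli->connect_error) {
    die('Connection failed: ' . $mysqli->connect_error);
}
$mysqli->set_charset('utf8');

// Equivalent of $db->query('UPDATE users SET login_time=? WHERE id=?', ...).
function update_login_time(mysqli $mysqli, $time, $id) {
    $stmt = $mysqli->prepare('UPDATE users SET login_time=? WHERE id=?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    // One type letter per placeholder: i = integer, s = string, d = double, b = blob.
    $stmt->bind_param('ii', $time, $id);
    if (!$stmt->execute()) {
        $error = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $error);
    }
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// A string parameter: whatever it contains is matched as a literal value.
function find_user_by_name(mysqli $mysqli, $name) {
    $stmt = $mysqli->prepare('SELECT id, name FROM users WHERE name=?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('s', $name);
    $stmt->execute();
    // bind_result() works without mysqlnd, unlike get_result().
    $stmt->bind_result($id, $found_name);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('id' => $id, 'name' => $found_name);
    }
    $stmt->close();
    return $rows;
}

// Constructed input: a quoted-string payload bound as data matches only a row
// whose name is literally that string.
$rows = find_user_by_name($mysqli, "x' OR '1'='1");
$n    = update_login_time($mysqli, time(), 42);

$mysqli->close();
```

Because the input is never rewritten, `$_POST['name'] === $row['name']` still works afterwards, which is the comparison problem Konstantin raises with escape-on-entry.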

zobov, 2012-01-22
@zobov

Got it, thanks for all the advice! =)

edogs, 2012-01-22
@edogs

As for the idea itself, everyone has already said everything above... although if the scripts contain a ton of crappy code where the programmer did not bother with checking variables, then this method can be a quick salvation until the code is put in order.
The only thing to add is that this method will kill arrays: if something is passed somewhere as input name="a[2]", then the data will come back after "slashing".
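
An added example, not edogs' code, of the stop-gap he describes made recursive so that array inputs such as input name="a[2]" keep their structure. mysql_real_escape_string() expects a string; handed an array it emits a warning and returns NULL, which is how the loop in the question loses arrays. The escaper is passed in as a callback so the walker can be exercised without a server; the function name and the sample request are assumptions.

```php
<?php
// Added example, not from the thread: a recursive version of the
// "escape everything at the top of the script" stop-gap, so nested
// request arrays survive instead of collapsing to NULL.

function escape_request_deep($value, $escape) {
    if (is_array($value)) {
        $out = array();
        foreach ($value as $key => $item) {
            // Keys are left alone here; if your queries interpolate keys
            // as well, they need the same treatment as values.
            $out[$key] = escape_request_deep($item, $escape);
        }
        return $out;
    }
    // Scalars from the request are strings; escape them as before.
    return call_user_func($escape, (string)$value);
}

// Production escaper (needs an open connection $link):
//   $escape = function ($s) use ($link) { return mysql_real_escape_string($s, $link); };
// Offline stand-in for this demonstration:
$escape = function ($s) { return addslashes($s); };

// Constructed request, as PHP builds it from ?a[2]=O'Brien&a[3][x]=5&name=Ann
$request = array(
    'a'    => array(2 => "O'Brien", 3 => array('x' => '5')),
    'name' => 'Ann',
);
$escaped = escape_request_deep($request, $escape);
var_dump($escaped);

// Applied to the superglobals the same way the question does:
$_GET     = escape_request_deep($_GET, $escape);
$_POST    = escape_request_deep($_POST, $escape);
$_COOKIE  = escape_request_deep($_COOKIE, $escape);
$_REQUEST = escape_request_deep($_REQUEST, $escape);
```

With the constructed request, $escaped['a'][2] becomes O\'Brien and $escaped['a'][3]['x'] stays '5' with the nesting intact. It remains the stop-gap edogs describes: it only covers quoted string contexts, and it still alters the values for any comparison done later in the script.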

Vitaly Zheltyakov, 2012-01-22
@VitaZheltyakov

My version:
//---------------- Procedure for connecting to the database ------------------//
function dbconnect() {
    global $database;
    if (!isset($database)) {
        $database = mysql_connect("localhost", "**", "***");
        mysql_select_db("xxx", $database);
    }
}
//--------------------- Query execution function -----------------------------//
function sql_query($query) {
    global $errors;
    dbconnect();
    $return = mysql_query($query);
    $error = mysql_error();
    if ($error == '') {
        return $return;
    }
    else {
        // writelog() is the author's own logging helper, defined elsewhere;
        // "H:i:s" gives hours:minutes:seconds
        writelog('sql_error', date("y.m.d H:i:s") . "\t" . $error);
        $errors .= $error;
        return false;
    }
}
//----------------------------------------------------------------------------//
//----------- Procedure for checking data before inserting it into a query ---//
function checkfield($request) {
    // check for a missing value before trim(), otherwise isset() is always true
    if (!isset($request)) {
        return '';
    }
    $request = trim($request);
    // If it is not a number, escape the quotes
    if (is_numeric($request)) { return $request; }
    else { dbconnect(); return mysql_real_escape_string($request); }
}
//----------------------------------------------------------------------------//
