
PHP Server Side Scripting Forum

preg_replace enough to prevent SQL injection?
Kahless (10+ Year Member)
Msg#: 3912312 posted 3:38 am on May 13, 2009 (gmt 0)

I have a form that only allows upper and lower case letters. So I use preg_replace to error out on anything other than a-zA-Z and use mysql_real_escape to query the database.

Am I missing something here or is htmlentities still needed?

 

enigma1 (WebmasterWorld Senior Member, 5+ Year Member)
Msg#: 3912312 posted 9:46 am on May 13, 2009 (gmt 0)

You shouldn't need htmlentities as there will be no html to do anything with.

grallis (5+ Year Member)
Msg#: 3912312 posted 12:47 pm on May 13, 2009 (gmt 0)

Well it depends - how are you limiting the input to upper and lower case alpha chars only?

rocknbil (WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member)
Msg#: 3912312 posted 2:33 pm on May 13, 2009 (gmt 0)

I use preg_replace to error out on anything other than a-zA-Z and use mysql_real_escape to query the database.

Of course you are also including regular punctuation and spaces?

What about this, for example?

yourscript.php?user_id=3273%20OR%201=1

If properly crafted,

select username,password from user_table where user=3273 or 1=1

Since 1=1 is always true, this simple example would display all user names and passwords in the database.

Before completely cleansing you should look for patterns used to inject commands into your input fields, including but not limited to drop, insert, update, or, and . . .

Kahless (10+ Year Member)
Msg#: 3912312 posted 12:23 am on May 14, 2009 (gmt 0)

Since 1=1 is always true, this simple example would display all user names and passwords in the database.

But only if I allow the equal = sign, correct?

preg_replace('/[^a-zA-Z0-9\-\_\!\$\#\@\^\&\*\(\)\^\+\ \.\?]/', '', $input); // strips every character outside the allowed set; the replacement and $input (the form field) are assumed, the post showed only the pattern

[edited by: Kahless at 12:29 am (utc) on May 14, 2009]

rocknbil (WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member)
Msg#: 3912312 posted 3:51 pm on May 14, 2009 (gmt 0)

The equal sign can be encoded, but yeah, that should stop that attack . . . but there are many others, as mentioned. If they can figure out your database table names, what about

delete from table
drop table
insert into table

Kahless (10+ Year Member)
Msg#: 3912312 posted 8:31 pm on May 14, 2009 (gmt 0)

The equal sign can be encoded, but yeah that should stop that attack . . .but there are many others, as mentioned. If they can figure out your database table names, what about
delete from table
drop table
insert into table

That is what I do not understand. How could they possibly get by that preg_replace and mysql_real_escape? Unless you're thinking spaces and quotes were being allowed. But even if that were the case, I believe mysql_real_escape would still stop that from happening, correct?

[edited by: Kahless at 8:32 pm (utc) on May 14, 2009]
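The following is an added worked example, not code posted in this thread; it uses Python with an in-memory SQLite table standing in for PHP and MySQL, with the escaping behaviour of mysql_real_escape_string modelled by a small function and the user rows constructed for the demo. It runs rocknbil's user_id=3273 OR 1=1 example through Kahless's whitelist and an escape step, and it shows why the escape does not help in an unquoted numeric context: escaping only neutralises quote and backslash characters, which only matter inside a string literal, while spaces, digits and letters pass the whitelist untouched. Stripping the equal sign turns 1=1 into 11, which MySQL and SQLite both treat as true, and 3273 OR 1 needs no equal sign at all. The hardened form validates the type and binds the value as a query parameter.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the thread's user_table (sample rows invented for this demo).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table (user INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO user_table VALUES (?, ?, ?)",
        [(3273, "alice", "hunter2"), (4001, "bob", "swordfish"), (5150, "carol", "letmein")],
    )
    return conn

# Kahless's character class from the thread, used as a whitelist: anything outside it is stripped.
DISALLOWED = re.compile(r'[^a-zA-Z0-9\-\_\!\$\#\@\^\&\*\(\)\^\+\ \.\?]')

def whitelist(value: str) -> str:
    return DISALLOWED.sub("", value)

# Model of PHP's mysql_real_escape_string (assumption: the escaping used for a single-byte
# charset). It only backslash-escapes quote, backslash and control characters; it never touches
# spaces, digits or the word OR, because those are harmless inside a quoted string literal.
def model_mysql_real_escape_string(value: str) -> str:
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)

def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    """The thread's pattern: whitelist, escape, then interpolate into an UNQUOTED numeric comparison."""
    cleaned = model_mysql_real_escape_string(whitelist(user_id))
    sql = f"SELECT username, password FROM user_table WHERE user={cleaned}"
    return conn.execute(sql).fetchall()

def safe_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: enforce the expected type, then bind the value so it can never be parsed as SQL."""
    if not re.fullmatch(r"[0-9]{1,10}", user_id):
        raise ValueError("user_id must be a positive integer")
    return conn.execute(
        "SELECT username, password FROM user_table WHERE user=?", (int(user_id),)
    ).fetchall()

if __name__ == "__main__":
    conn = make_db()
    for payload in ("3273", "3273 OR 1=1", "3273 OR 1"):
        print(repr(payload), "->", repr(whitelist(payload)), "->", vulnerable_lookup(conn, payload))
    print("safe:", safe_lookup(conn, "3273"))
```

Running the block prints one row for the honest value and all three rows for both injected values, even though the equal sign never reaches the query. The same whitelist plus escape would be fine for a value that is always wrapped in single quotes in the SQL; the lesson is that the escaping function only protects the context it was designed for, so the safe pattern is to bind every value as a parameter regardless of type.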

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved