
Simple best-practice idea to prevent sql injections


7 replies to this topic

#1 tibberous

tibberous

    Advanced Member

  • Members
  • 1,187 posts

Posted 16 February 2013 - 11:34 PM

I normally hate best practices, but this one I came up with, so it's less bad.

Basically, you create a few functions like:

function ireq($x){ return intval($_REQUEST[$x]); }                          // integer parameter: cast, so only a number survives
function req($x){ return mysql_real_escape_string(trim($_REQUEST[$x])); }  // string parameter: trimmed and escaped for use in a mysql_query() string
function unescaped($x){ return $_REQUEST[$x]; }                             // raw value; grep for this when auditing

Next, NEVER use $_REQUEST

Now, to check your site for SQL injection holes, you can just search for $_REQUEST and "unescaped(". You can even use this method to slowly rewrite other people's code, by replacing each $_REQUEST and making sure the proper characters are escaped.

Has the added benefit of being MUCH faster to type - $i = req('i') vs $i = mysql_real_escape_string($_REQUEST['i']);

#2 requinix

requinix

    Transforming Moderator

  • Moderators
  • 6,226 posts
  • Location: WA

Posted 17 February 2013 - 12:04 AM

- filter_var is a more powerful version of the req() and ireq() you made.
- Besides unescaped() you could just as easily search for code using $_REQUEST directly and fix that.
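As an added example (not code from the thread or from any of its posters), here is what the req()/ireq() helpers from post #1 look like when built on filter_var as post #2 suggests. It reads from a constructed $input array instead of $_REQUEST so it runs offline, and it deliberately does not SQL-escape anything: validation happens here, and quoting is left to the database layer. Assumes PHP 7.1 or later for the nullable type hints.

```php
<?php
// Added example, not from the thread. filter_var-based replacements for the
// req()/ireq() helpers of post #1. $input is a constructed stand-in for $_REQUEST.

// Integer parameter. Returns null when the value is missing, not an integer, or
// outside the optional range, instead of silently coercing garbage to 0 like intval().
function ireq(array $input, string $key, ?int $min = null, ?int $max = null): ?int
{
    if (!isset($input[$key])) {
        return null;
    }
    $options = ['options' => []];
    if ($min !== null) {
        $options['options']['min_range'] = $min;
    }
    if ($max !== null) {
        $options['options']['max_range'] = $max;
    }
    $value = filter_var($input[$key], FILTER_VALIDATE_INT, $options);
    return $value === false ? null : $value;
}

// String parameter. Trims, strips control characters and enforces a length cap,
// but does NOT escape for SQL: that belongs to prepared statements, and keeping
// the two concerns apart means the value is equally usable in HTML or logs.
function req(array $input, string $key, int $maxLen = 255): ?string
{
    if (!isset($input[$key]) || !is_string($input[$key])) {
        return null;
    }
    $value = filter_var(trim($input[$key]), FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW);
    if ($value === false || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

// Constructed sample request data.
$input = [
    'id'    => '42',
    'page'  => '-3',
    'name'  => "  Longstreet\x01 ",
    'email' => 'not-an-email',
];

var_dump(ireq($input, 'id'));            // valid integer
var_dump(ireq($input, 'page', 1, 100));  // rejected: below min_range
var_dump(ireq($input, 'missing'));       // rejected: absent key
var_dump(req($input, 'name'));           // trimmed, control byte stripped
var_dump(filter_var($input['email'], FILTER_VALIDATE_EMAIL)); // other validators follow the same pattern
```

The failure mode worth noticing is the null return: callers must check it and refuse the request, rather than falling back to 0 or an empty string the way the intval()-based original does.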

#3 KevinM1

KevinM1

    Snarkimus Prime

  • Moderators
  • 5,243 posts
  • Location: New Hampshire, USA

Posted 17 February 2013 - 12:09 AM

You shouldn't be using the old mysql_* functions at all. They've been soft deprecated. Instead, use either MySQLi or PDO with prepared statements. That will protect you from injection attacks.

#4 tibberous

tibberous

    Advanced Member

  • Members
  • 1,187 posts

Posted 17 February 2013 - 12:57 AM

- Besides unescaped() you could just as easily search for code using $_REQUEST directly and fix that.


The advantage to using unescaped is that it at least shows you looked and made a conscious decision to use unescaped data. Also, if you implement others' code, you can replace their $_REQUEST's as needed.

#5 gizmola

gizmola

    Advanced Member

  • Administrators
  • 4,137 posts
  • Location: Los Angeles, CA USA

Posted 17 February 2013 - 04:01 AM

You shouldn't be using the old mysql_* functions at all. They've been soft deprecated. Instead, use either MySQLi or PDO with prepared statements. That will protect you from injection attacks.


Agreed 100%

#6 tibberous

tibberous

    Advanced Member

  • Members
  • 1,187 posts

Posted 20 February 2013 - 04:44 AM

They deprecate everything =/

#7 Stefany93

Stefany93

    Advanced Member

  • Members
  • 176 posts
  • Age: 20

Posted 21 February 2013 - 12:04 PM

You shouldn't be using the old mysql_* functions at all. They've been soft deprecated. Instead, use either MySQLi or PDO with prepared statements. That will protect you from injection attacks.


I agree, with prepared statements, SQL injections are almost 100% eliminated.

$username = 'Longstreet';
$query = $db->prepare("INSERT INTO names(username) VALUES(:username)");
$query->bindParam(':username', $username, PDO::PARAM_STR); // pass the variable itself: bindParam() binds by reference, and '$username' in single quotes is just a literal string
$query->execute();

When I first started using PDO, I kept forgetting to execute the query and I can't tell you how many hours I had spent searching why the heck wasn't my code working :D

Edited by Stefany93, 21 February 2013 - 12:05 PM.

"Put your faith in God and keep your powder dry" - Oliver Cromwell
My site - http://dyulgerova.info

My history website - http://www.studyingthepast.com
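The prepared-statement approach recommended in post #3 and sketched in post #7, carried through end to end as an added example (not code from the thread or its posters). It uses an in-memory SQLite database so it runs offline; only the DSN changes for MySQL. It also shows the guard against the "forgot to execute" trap from post #7: with PDO::ERRMODE_EXCEPTION a failed execute() throws instead of quietly returning false. Assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not from the thread. PDO prepared statements run against an
// in-memory SQLite database (constructed data, no server needed).

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on every error. In the default silent mode a failed execute() just
    // returns false and the bug hides, which is how hours get lost.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE names (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    return $db;
}

// Inserts one username. The SQL text is fixed at prepare() time; the value
// travels as a bound parameter, so quotes inside it are stored literally and
// are never parsed as SQL. No escaping function is needed anywhere.
function insertName(PDO $db, string $username): int
{
    $stmt = $db->prepare('INSERT INTO names (username) VALUES (:username)');
    // execute() with an array binds by value, which sidesteps bindParam()'s
    // by-reference requirement that rejects literals.
    $stmt->execute([':username' => $username]);
    return (int) $db->lastInsertId();
}

function findName(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM names WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = openDb();
// Constructed inputs, two of them containing characters that would break a
// string-concatenated query.
foreach (['Longstreet', "O'Brien", 'Jo "Doc" Smith; -- x'] as $name) {
    $id  = insertName($db, $name);
    $row = findName($db, $name);
    printf("id=%d stored=%s round-trip=%s\n",
        $id, var_export($row['username'], true),
        $row['username'] === $name ? 'ok' : 'MISMATCH');
}
printf("rows=%d\n", $db->query('SELECT COUNT(*) FROM names')->fetchColumn());
```

When targeting MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server performs the prepare itself rather than the driver interpolating client-side.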


#8 Stefany93

Stefany93

    Advanced Member

  • Members
  • 176 posts
  • Age: 20

Posted 21 February 2013 - 12:05 PM

They deprecate everything =/


Nope, they deprecate stuff that doesn't work anymore or is harmful if used...

"Put your faith in God and keep your powder dry" - Oliver Cromwell
My site - http://dyulgerova.info

My history website - http://www.studyingthepast.com




