
Function Query


gotornot


Hi

 

I am really struggling here. I want this to check for forbidden words in an effort to stop SQL injection.
I can't seem to get it to work :(

 

function secureit()
{
    global $items_check;
    // Words to reject; stristr() matches them case-insensitively, anywhere in the string
    $unallowed = array('href', 'www', 'UPDATE', 'INSERT', 'DELETE', 'SET', 'OFFSET', 'ORDER BY', 'union', 'DROP TABLE', 'CREATE TABLE');
    foreach ($unallowed as $field) {
        // stristr() returns false when the word is absent, so compare against false rather than TRUE
        if (stristr($items_check, $field) !== false) {
            $mess = 'NO Thanks "' . $items_check . '" is forbidden content!';
            echo $mess;   // the message was built but never output in the original
            return "0";   // tell the caller to stop
        }
    }
    return "1";           // no banned word found: the caller may continue
}
 

The idea is that it checks $items_check against a list of banned words; if it finds one, it doesn't allow the remaining script to execute.

Link to comment
Share on other sites

If you are properly escaping string data (or using prepared queries), those keywords (and many more that are not in your list) cannot be used to inject SQL. Numerical data values are another story, but you should be validating numerical data (or using prepared queries) to ensure the data only contains a properly formatted number of the correct type.

 

See this related post: http://forums.phpfreaks.com/topic/294273-question/?p=1504405

Link to comment
Share on other sites

The big question is: how do you do that?

 

If you are using the deprecated mysql_* functions, you would use mysql_real_escape_string():

http://php.net/manual/en/function.mysql-real-escape-string.php

 

Note that MySQLi and PDO also have functions for escaping strings.
 
As for prepared queries, you could try a Google search for "php prepared statements".

Link to comment
Share on other sites

Something tells me you have had a problem with a database and are now trying things to prevent SQL injection? Are you sure the problem was through SQL injection, or did someone gain direct access to the database by brute-force determining the username/password database connection credentials (most database engines don't have any sort of failed login detection/reporting)?

 

Another reason the blacklist method isn't the right way of preventing SQL injection is because, depending on how your query is using external data, an encoded string (I won't mention how it's encoded) can be crafted that contains no SQL keyword, but which a database engine like MySQL will happily convert back to SQL statements and allow SQL injection.

Link to comment
Share on other sites
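As an added example (not code from the thread), here is the lookup written the way the replies recommend: string data bound through a PDO prepared statement, numeric data validated as an integer, and a blacklist check in the style of the first post beside them to show that it also rejects harmless input. The `items` table, its columns and the DSN credentials are assumed placeholders.

```php
<?php
// Blacklist check in the style of the first post: substring match on keywords.
function blacklistCheck(string $value): bool
{
    $unallowed = ['href', 'www', 'UPDATE', 'INSERT', 'DELETE', 'SET', 'OFFSET',
                  'ORDER BY', 'union', 'DROP TABLE', 'CREATE TABLE'];
    foreach ($unallowed as $word) {
        if (stristr($value, $word) !== false) {
            return false; // rejected
        }
    }
    return true;
}

// Recommended approach: bind the value as a parameter. The driver sends the
// data separately from the SQL text, so nothing inside it can change the
// statement's structure, whatever words it happens to contain.
function findItemByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM items WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric values: validate the type, then bind as an integer.
function findItemById(PDO $pdo, $id): ?array
{
    $id = filter_var($id, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // not a well-formed integer: refuse, do not query
    }
    $stmt = $pdo->prepare('SELECT id, name FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Harmless data the blacklist rejects: 'Somerset' contains SET, the second
// string contains DELETE. Legitimate users hit this long before attackers do.
var_dump(blacklistCheck('Somerset Road'));
var_dump(blacklistCheck('Please delete my order'));

// Placeholder DSN and credentials (assumed, not from the thread).
$pdo = new PDO('mysql:host=localhost;dbname=example', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the server handle the parameters
]);
print_r(findItemByName($pdo, "O'Brien's Somerset set"));
print_r(findItemById($pdo, $_GET['id'] ?? ''));
```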
