DamienRoche Posted September 20, 2008
OK, so everybody knows you are meant to use addslashes on input before adding data to a database. But what if you use a preg_match and regexp to halt the script if any input contains special characters? I currently use the second method I mentioned above and that works fine, but is there any way to bypass this? Bottom line: am I opening myself up for SQL injection etc., or would you consider this secure enough? Damien.
papaface Posted September 20, 2008
I don't really see the point in using regex to get rid of specific characters unless there is a reason you need to do so other than protecting against SQL injections. I'd stick with simply adding slashes tbh; doing both can't hurt though.
.josh Posted September 20, 2008
mysql_real_escape_string
redarrow Posted September 20, 2008
All you need is below; a POST example:

```php
<?php
// Escape the submitted value before it goes into a query.
// mysql_real_escape_string() needs an open mysql connection to know the charset.
$name = "redarrow";
$name = mysql_real_escape_string($_POST['name']);
?>
```
DamienRoche Posted September 20, 2008 (Author)
I've used mysql_real_escape_string as well. But what do you think about using regexp to just stop the script in its tracks? I mean, I don't filter the input, because some fields shouldn't have special characters. I just use an if preg_match and regexp to detect the character and stop the script. I guess really what I'm asking is: can the regexp solution be bypassed? Can a special character get past a preg_match? It doesn't seem possible, but I am a noob ??? I should have also noted, this was more a discussion than a problem >> solution thing.
redarrow Posted September 20, 2008
You can do it the flash way lol

```php
<?php
// Only echo the name when the escaped value contains at least one lowercase letter.
$name = "redarrow";
if (preg_match("/[a-z]/", mysql_real_escape_string($_POST['name']))) {
    echo $name;
}
?>
```
rarebit Posted September 20, 2008
There are many instances where I don't mind users adding special characters, basically because they might need or want to, for instance if they're blogging and want to use any kind of speech marks. Yes, it's possible to formulate a regex statement to catch any defined characters, banned words, emails etc. And no, there shouldn't be a way around it unless they get at the code.
discomatt Posted September 20, 2008
It's simple: the stricter you are, the more secure your script will be. Using RegEx to filter input is much better than mysql_real_escape_string(); Something like this:

```php
<?php
// Abort if the value contains anything other than letters, digits and spaces.
// The ranges are written as A-Za-z; a bare A-z would also admit the
// punctuation characters that sit between 'Z' and 'a' in ASCII.
if (preg_match('%[^A-Za-z \d]%', $_POST['var'])) {
    die('Invalid input');
}
```
.josh Posted September 20, 2008
> Using RegEx to filter input is much better than mysql_real_escape_string();
Care to elaborate as to how using regex is better? edit: For SQL injection attacks, that is.
discomatt Posted September 20, 2008
> Care to elaborate as to how using regex is better? edit: For SQL injection attacks, that is.
Simple: the stricter you are with data, the less chance that an unknown loophole in mysql_real_escape_string() will affect your script. At most points people will apply multiple filters to get user data from a form on to a page; real_escape and htmlentities/specialchars are extremely common. This can be done with a single regex prior to insertion, and will save you from potential holes in 2 functions. I'm not saying there's anything wrong with mysql_real_escape_string(); I'm just saying regex is more secure and, situation depending, better.
rarebit Posted September 20, 2008
What doesn't 'mysql_real_escape_string()' catch (e.g. 2 functions)? And my age-old (never satisfyingly answered) question: surely 'addslashes()' is faster...
.josh Posted September 20, 2008
Upon doing some research, I concede to regex being better. SQL injection attacks do not necessarily require the attacker to include quotes. Here's an article I found: http://www.webappsec.org/projects/articles/091007.txt
discomatt Posted September 20, 2008
> What doesn't 'mysql_real_escape_string()' catch (e.g. 2 functions)? And my age-old (never satisfyingly answered) question: surely 'addslashes()' is faster...
Code what you want... I'm just saying that using strict regex rules is more secure. Speed isn't always the 'best' solution.
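An added example, not code from any poster in this thread: a per-field whitelist validator of the kind discomatt describes, run against a constructed input whose numeric field contains no quotes at all (the case .josh's article raises, where an escaping function returns the value untouched). The PDO prepared-statement function at the end is a swapped-in technique the thread does not mention; the field names, rules and `users` table are assumptions.

```php
<?php
// Whitelist rules per field, anchored so the whole value must match.
// Ranges are spelled A-Za-z; a bare A-z would also admit punctuation.
$rules = [
    'id'       => '/^[1-9][0-9]{0,9}$/',            // positive integer only
    'username' => '/^[A-Za-z0-9_]{3,20}$/',
    'email'    => '/^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$/',
];

// Returns [cleanValues, failedFieldNames]. preg_match() is compared with
// === 1 so a regex error (false) is never mistaken for a match.
function validate(array $rules, array $input): array
{
    $clean = [];
    $errors = [];
    foreach ($rules as $field => $re) {
        $value = $input[$field] ?? '';
        if (is_string($value) && preg_match($re, $value) === 1) {
            $clean[$field] = $value;
        } else {
            $errors[] = $field;
        }
    }
    return [$clean, $errors];
}

// Constructed input: 'id' contains no quote characters, so escaping alone
// would leave it unchanged, but it is not a valid integer and is rejected
// here before any query is built.
$posted = ['id' => '42 OR 1=1', 'username' => 'damien_r', 'email' => 'd@example.org'];
[$clean, $errors] = validate($rules, $posted);
if ($errors) {
    die('Rejected fields: ' . implode(', ', $errors));
}

// Where a query does run, bind the validated value with its type so the
// driver, not string concatenation, separates SQL code from data.
function findUser(PDO $db, array $clean): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $clean['id'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}
```

Run as-is it stops at the die() because the constructed `id` fails validation; with a valid `id` and a PDO connection, findUser() performs the lookup with the value bound as an integer.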