mo Posted April 16, 2009

I have an input field with an array as the name and id. The input field fails Firefox's SQL Inject Me test, but when I try to run my SQL Injection check on the array, my form does not function properly.

```php
<?php
echo "
<td class=\"dataListItem\">
<input id=\"qID[]\" name=\"qID[]\" type=\"text\" size=\"5\" value=\"$strQty\" maxlength=\"5\">
<input type=\"hidden\" class=\"hidden\" id=\"pid[]\" name=\"pid[]\" value=\"$strID\">
<input type=\"hidden\" class=\"hidden\" id=\"optionStr[]\" name=\"optionStr[]\" value=\"$strOptions\"></td>";

// qID arrives as an array (one element per cart row), but checkSQLinject()
// is written for a single string
$_POST['qID'] = checkSQLinject($_POST['qID']);

function checkSQLinject($input){
    if(get_magic_quotes_gpc()) {
        $output = stripslashes($input);
    }
    if(function_exists("mysql_real_escape_string")) {
        $output = mysql_real_escape_string($input);
    } else {
        $output = addslashes($input);
    }
    return $output;
}
?>
```

https://forums.phpfreaks.com/topic/154410-how-to-sanitize-and-array-from-sql-injection/
soak Posted April 16, 2009

Looks as though you're trying to run functions that expect string input on arrays of data. Have a look at array_map() or foreach().
mo Posted April 16, 2009 (Author)

> Looks as though you're trying to run functions that expect string input on arrays of data. Have a look at array_map() or foreach()

OK. I will. Also, below are the contents of the POST variables.

```
Array
(
    [qID] => Array
        (
            [0] => 1
            [1] => 1
        )
    [pid] => Array
        (
            [0] => 42
            [1] => 43
        )
    [optionStr] => Array
        (
            [0] => 1,3,
            [1] => 4,5,
        )
    [tipAmount] => 0.00
    [update_x] => 95
    [update_y] => 25
    [update] => update
    [updateCart] => 1
    [cartSubTotal] => 14.40
)
```
mo Posted April 16, 2009 (Author)

Below is my foreach logic. I tried to filter the array inside it, but maybe I did it wrong.

```php
<?php
if(isset($_POST['UpdateCart'])){
    // Update cart item quantities
    foreach($_POST['pid'] as $pid_key => $pid) {
        $postQty    = $_POST['qID'][$pid_key];
        $optionsStr = $_POST['optionStr'][$pid_key];
        $message    = UpdateItem($pid, $postQty, $optionsStr);
    }
}
?>
```

I tried:

```php
<?php
foreach($_POST['pid'] as $pid_key => $pid) {
    $postQty    = $_POST['qID'][$pid_key];
    $optionsStr = $_POST['optionStr'][$pid_key];
    // escape each element individually instead of the whole array
    $pid        = checkSQLinject($pid);
    $postQty    = checkSQLinject($postQty);
    $optionsStr = checkSQLinject($optionsStr);
    $message    = UpdateItem($pid, $postQty, $optionsStr);
}
?>
```
soak Posted April 16, 2009

mysql_real_escape_string() appeared in PHP 4.3, so you can fairly safely assume it's there now, especially if you control the box that it's running on. Also, you're not using the output of stripslashes in your first check. You should be able to use this:

```php
<?php
function checkSQLinject($data){
    // undo magic_quotes first so the value is not escaped twice
    if(get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }
    return mysql_real_escape_string($data);
}
```

Other than adding a few isset()'s to your second bit of code, things look as though they should work. To simplify things, though, you could just cast $pid and $postQty as ints:

```php
<?php
foreach($_POST['pid'] as $pid_key => $pid) {
    if (isset($_POST['qID'][$pid_key]) && isset($_POST['optionStr'][$pid_key])) {
        $postQty    = $_POST['qID'][$pid_key];
        $optionsStr = $_POST['optionStr'][$pid_key];
        // integer fields: a cast cannot yield anything injectable
        $pid        = (int) $pid;
        $postQty    = (int) $postQty;
        // free-text field: escape it
        $optionsStr = checkSQLinject($optionsStr);
        $message    = UpdateItem($pid, $postQty, $optionsStr);
    }
}
?>
```

EDIT: To make it really simple you could just call it when you run your db query. That way it's obvious to anyone that has to manage the code later that the data is being SQL escaped.
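An added example, not part of the thread and not either poster's code, that takes soak's per-element approach one step further: every element of the three parallel arrays is validated against the shape it must have (integers for pid and qID, a comma-separated list of integer ids for optionStr, since the POST dump shows values like `1,3,`), rows that fail are dropped rather than escaped, and the update is sent through a prepared statement with bound parameters, so no escaping of values is needed at all. It uses PDO against an in-memory SQLite database so it runs stand-alone; the helpers (toInt, toOptionIds, validateCart, updateItems), the cart table, and the sample rows are assumptions, and the same PDO code runs against MySQL with a different DSN. Worth knowing if the thread's code is reused today: magic quotes were removed in PHP 5.4 and the mysql_* functions in PHP 7.0, so checkSQLinject as written no longer runs on current PHP.

```php
<?php
// Added example (not from the thread). Validate each element of the posted
// arrays, then update through a prepared statement. Uses in-memory SQLite so it
// runs stand-alone; table, column names and rows are assumptions.

// Reject anything that is not a plain non-negative integer; null on failure.
function toInt($value): ?int {
    if (is_array($value)) {            // an array where a scalar was expected
        return null;
    }
    $v = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $v === false ? null : $v;
}

// optionStr in the thread looks like "1,3,": a comma-separated list of option ids.
// Whitelist it instead of escaping it: keep only integer ids, in canonical form.
function toOptionIds($value): ?array {
    if (is_array($value)) {
        return null;
    }
    $ids = [];
    foreach (explode(',', (string) $value) as $part) {
        $part = trim($part);
        if ($part === '') {
            continue;                  // trailing comma in "1,3,"
        }
        $id = toInt($part);
        if ($id === null) {
            return null;               // a payload such as 1' OR '1'='1 lands here
        }
        $ids[] = $id;
    }
    return $ids;
}

// Walk the three parallel arrays from the form and return only rows where every
// field validated. Bad rows are dropped and reported, never escaped and used.
function validateCart(array $post): array {
    $good = [];
    $bad  = [];
    $pids = $post['pid'] ?? [];
    if (!is_array($pids)) {
        return [[], ['pid is not an array']];
    }
    foreach ($pids as $k => $rawPid) {
        $pid = toInt($rawPid);
        $qty = toInt($post['qID'][$k] ?? null);
        $opt = toOptionIds($post['optionStr'][$k] ?? null);
        if ($pid === null || $qty === null || $opt === null) {
            $bad[] = "row $k rejected";
            continue;
        }
        $good[] = ['pid' => $pid, 'qty' => $qty, 'options' => implode(',', $opt)];
    }
    return [$good, $bad];
}

// Values travel as bound parameters, so nothing is interpolated into the SQL text.
// Assumed table: cart(pid INTEGER, qty INTEGER, options TEXT).
function updateItems(PDO $db, array $rows): int {
    $stmt = $db->prepare('UPDATE cart SET qty = :qty, options = :opt WHERE pid = :pid');
    $updated = 0;
    foreach ($rows as $r) {
        $stmt->execute([':qty' => $r['qty'], ':opt' => $r['options'], ':pid' => $r['pid']]);
        $updated += $stmt->rowCount();
    }
    return $updated;
}

// Constructed sample input shaped like the POST dump in the thread, with two rows
// carrying the SQL Inject Me payloads quoted later in the thread.
$post = [
    'pid'       => ['42', '43', '44'],
    'qID'       => ['1', "1' OR '1'='1", '2'],
    'optionStr' => ['1,3,', '4,5,', "'; DESC users; --"],
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cart (pid INTEGER PRIMARY KEY, qty INTEGER, options TEXT)');
$db->exec("INSERT INTO cart VALUES (42, 0, ''), (43, 0, ''), (44, 0, '')");

[$rows, $errors] = validateCart($post);
$n = updateItems($db, $rows);
printf("updated %d row(s), rejected %d\n", $n, count($errors));
foreach ($errors as $e) {
    echo $e, "\n";
}
```

With this shape, the SQL Inject Me payloads never reach the query: they fail validation and the row is skipped, which is also what you want a scanner to see instead of a page that silently accepts the value. Escaping remains the right tool only where a field is genuinely free text and must be spliced into SQL, and even then a bound parameter is the simpler and safer choice.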
mo Posted April 16, 2009 (Author)

Thanks Soak. I love it when things work. I still receive 4 SQL Inject errors (below) on my form for field qID. So once I resolve this, I am good to go to my next form.

SQL Inject Me Results:

Server Status Code: 302 Moved Temporarily
Tested value: 1' OR '1'='1

Server Status Code: 302 Moved Temporarily
Tested value: 1' OR '1'='1

Server Status Code: 302 Moved Temporarily
Tested value: '; DESC users; --

Server Status Code: 302 Moved Temporarily
Tested value: ' OR username IS NOT NULL OR username = '
soak Posted April 16, 2009

I'm not familiar with SQL Inject Me, so without seeing the rest of your code and knowing how SQL Inject Me is determining an error, it's difficult to advise what the problem is. If you've used the code I quoted, there is no way that field qID (or $postQty) will allow SQL injection.
mo Posted April 17, 2009 (Author)

Below is my code when the update button is clicked. If I try to clean $_POST['qID'], it clears all my $_POST variables and the form does not work. I'm still chugging through a solution.

```php
<?php
if(isset($_POST['UpdateCart'])){
    // Update cart item quantities
    foreach($_POST['pid'] as $pid_key => $pid) {
        $postQty    = $_POST['qID'][$pid_key];
        $optionsStr = $_POST['optionStr'][$pid_key];
        $pid        = (int) $pid;
        $postQty    = (int) $postQty;
        $optionsStr = checkSQLinject($optionsStr);
        $message    = UpdateItem($pid, $postQty, $optionsStr);
    }
}
?>
```