QQ_ghost Posted February 15, 2010 (https://forums.phpfreaks.com/topic/192112-sql-injection-sanitization/)

Ok, so I want to be able to use the (') character in my forms (for more flex in user names etc...). Would this be adequate to keep out the injection attack?

<?php
$str = "sdfljkdddddddddddddg ' gjkl '\\\\\\\\\\' dgffg\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'\'\'dfgdgh";
echo "$str\n";
$str = preg_replace('/\\\\*/','',$str);
$str = preg_replace('/\'(\')+/','\'',$str);
$str = htmlspecialchars($str, ENT_QUOTES);
echo "$str";
?>

The echo output looks like (source):

sdfljkdddddddddddddg ' gjkl '\\\\\' dgffg\\\\\\\\\\\\\\\\\\\\'\'\'dfgdgh
sdfljkdddddddddddddg ' gjkl ' dgffg'dfgdgh

Will this adequately reject an injection attack?
QQ_ghost (Author) Posted February 15, 2010

What I am trying to ask is if lines 6-8 will transform returned $_POST[] data so as to be benign text instead of a SQL injection attack. The second echo line is the transformed text.
waynew Posted February 15, 2010

To stop SQL injection I would advise you to use a function such as mysql_real_escape_string().

$username = mysql_real_escape_string($_POST['username']);
$result = mysql_query("INSERT INTO user(username) VALUES('$username')") or trigger_error(mysql_error());
QQ_ghost (Author) Posted February 15, 2010

And why could I not find any reference to that when I would search for SQL sanitization techniques? Thanks!
QQ_ghost (Author) Posted February 16, 2010

Wow, the function "mysql_real_escape_string()" does not function for me on my system. Any usage of it results in a blank output to variable. I used it as described at http://php.net/manual/en/function.mysql-real-escape-string.php but no matter what I put through it, no output was generated.

$str = mysql_real_escape_string('sdfljkdddddddddddddg \' gjkl \'\\\"\"\"\"\\\\\' dgffg\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'\'\'dfgdgh');
if(isset($str)){
    echo "str = ".$str."\n<br>\n";
}

output: "str = "

$str = "sdfljkdddddddddddddg ' gjkl '\\\"\"\"\"\\\\' dgffg\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'\'\'dfgdgh";
$str = mysql_real_escape_string("$str");
if(isset($str)){
    echo "str = ".$str."\n<br>\n";
}

output: "str = "

$str = mysql_real_escape_string($_POST['str']);
if(isset($str)){
    echo "str = ".$str."\n<br>\n";
}

output: "str = "

What's my malfunction? LOL (PHP version: 5.3.1)
QQ_ghost (Author) Posted February 26, 2010

I used mysqli_stmt_ functions to get it done...

if ($func=="login"){
    if(!$username || !$passwd) {
        die('ERROR: missing info');
    }
    dbr_(); /* connect to the DB */
    $stmt = mysqli_stmt_init($link); /* create a prepared statement, $link is from dbr_(); */
    if (mysqli_stmt_prepare($stmt, 'SELECT username, upass FROM users WHERE username=?')) {
        mysqli_stmt_bind_param($stmt, "s", $username); /* bind parameters for markers */
        mysqli_stmt_execute($stmt); /* execute query */
        mysqli_stmt_bind_result($stmt, $uname, $upass); /* bind result variables */
        if (mysqli_stmt_fetch($stmt)) { /* fetch value */
            if($upass == "$passwd" ){
                sess('login',TRUE);
                Etc...

(I don't yet understand classes, so I used procedural code.)
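The prepared-statement login from the last post, carried through as a complete added example (not the poster's code or anything from the thread): it assumes a users table with username and upass columns where upass holds a password_hash() value, and a hypothetical db_connect() that returns an open mysqli link. Because the username is sent as a bound parameter, apostrophes and backslashes in it are plain data and need no regex stripping or escaping.

```php
<?php
// Added example, not code from the thread. Assumes a `users` table with
// `username` and `upass` columns (upass = password_hash() output) and a
// hypothetical db_connect() that returns an open mysqli link.

function db_connect(): mysqli
{
    // Placeholder credentials; replace with your own configuration.
    $link = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
    if ($link->connect_error) {
        die('DB connection failed: ' . $link->connect_error);
    }
    $link->set_charset('utf8mb4');
    return $link;
}

/**
 * Look up a user by name and verify the password.
 * The username travels to MySQL as a bound parameter, so quotes,
 * backslashes and any other byte are data, never part of the SQL text.
 */
function check_login(mysqli $link, string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false;
    }
    $stmt = mysqli_stmt_init($link);
    if (!mysqli_stmt_prepare($stmt, 'SELECT upass FROM users WHERE username = ?')) {
        trigger_error(mysqli_error($link));
        return false;
    }
    mysqli_stmt_bind_param($stmt, 's', $username); // 's' = string; no escaping needed
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $stored_hash);
    $found = mysqli_stmt_fetch($stmt);            // true on a row, null when none
    mysqli_stmt_close($stmt);
    // Compare against the stored hash instead of a plaintext upass column.
    return $found === true && password_verify($password, $stored_hash);
}

// Usage: a username containing an apostrophe and backslashes is handled as-is.
$link = db_connect();
$ok = check_login($link, $_POST['username'] ?? "O'Brien \\ test", $_POST['passwd'] ?? '');
echo $ok ? "login ok\n" : "login failed\n";
```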