gammaman Posted July 8, 2012

Hello. I am trying to prevent SQL injections on a site that I am creating. I am just not sure if my approach is correct and completely secure. I am looking for some pointers and insight. If anyone could provide some tips and pointers where I might have some security holes, it would be greatly appreciated.

//test.php
<html>
<head>
</head>
<body>
<?php
//contains all php work functions
include("workfunctions.php");
//contains the link submission form
include("submitform.php");
//will contain the html dynamic rollover menu
include("example.html");
//do the sql query
selectQuery();
?>
</body>
</html>

//the html form
<form action="validate.php" method="post">
<input type="text" name="link"/>
<input type="submit" name="Submit" value="Submit"/>
</form>

//validate.php
<?php
include("workfunctions.php");
//open the session
session_start();
//establish a connection with the database.
//get the base url by stripping slashes down to base web address.
$urlExtensions = array(".com" => ".com", ".net" => ".net", ".org" => ".org", ".edu" => ".edu");
$count = substr_count_array($_POST['link'], $urlExtensions);
if($count < 1) {
    echo "Sorry, we are unable to identify this web address. It appears you have forgotten to include the url extension:\n";
    echo "1.http://www.site.ext\n";
    echo "2.www.site.ext\n";
    echo "3.site.ext\n";
}
else{
    insertQuery();
}
?>

//workfunctions.php
<?php
//function to do the selectQuery which will eventually be based off of the menu selection
function selectQuery() {
    $con = new mysqli("localhost", "root", "", "mysql");
    $query = $con->query("select address from sites");
    //$result = mysql_query($query);
    if(!$query){
        // mysqli connection: report errors through $con->error, not the mysql_* function
        $message = 'Invalid Query:' . $con->error . "\n";
        die($message);
    }
    while($row = $query->fetch_assoc()){
        $link = $row;
        $site = substr($row['address'], 7);
        echo "<a href={$link['address']}>$site</a>" . "<br />\n";
    }
    //mysql_free_result($result);
    return $query;
}
?>

<?php
//function to insert new links into the database
function insertQuery() {
    $con = new mysqli("localhost", "root", "", "mysql");
    getBaseURL();
    // the normalised link is concatenated straight into the SQL text
    $insertQuery = $con->query("insert into sites(address)values(('" . $_SESSION['newLink'] . "'))");
    //$result = mysql_query($query);
    if(!$insertQuery){
        $message = 'Invalid Query:' . $con->error . "\n";
        die($message);
    }
    //mysql_free_result($result);
    return $insertQuery;
}
?>

<?php
//function to get base url
function getBaseURL(){
    /* If string contains http://, trim it off.
       Next, remove slashes from web address to get base url.
       Finally reattach the http:// in the front of the address */
    if(substr_count($_POST['link'], 'http://') > 0){
        echo ("Contains http://");
        // strip the leading "http://" by length; trim() with a character list would
        // strip any of the characters h, t, p, :, / from both ends instead
        $_SESSION['link'] = substr($_POST['link'], strlen('http://'));
        echo ($_SESSION['link']);
        // split on "/" so element 0 is the host part, whether or not a path follows
        $_SESSION['explode'] = explode("/", $_SESSION['link']);
        echo ($_SESSION['explode'][0]);
        $_SESSION['newLink'] = ("http://" . $_SESSION['explode'][0]);
        echo ("The new link is" . $_SESSION['newLink']);
    }
    /* If string does not contain http://, remove the slashes from the address
       Then re-attach the http:// to the front of the string */
    else if((substr_count($_POST['link'], 'http://') <= 0) && (substr_count($_POST['link'], 'www.') > 0)){
        echo ("Does not contain http://");
        $_SESSION['link'] = explode("/", $_POST['link']);
        $_SESSION['newLink'] = ("http://" . $_SESSION['link'][0]);
    }
    /* If string does not contain http:// or www, remove the slashes and add both http:// and www.
       to the front of the web address */
    else if((substr_count($_POST['link'], 'http://') <= 0) && (substr_count($_POST['link'], 'www.') <= 0)){
        $_SESSION['link'] = explode("/", $_POST['link']);
        $_SESSION['newLink'] = ("http://www." . $_SESSION['link'][0]);
    }
    return $_SESSION['newLink'];
}
?>

<?php
// function to search web address for the existence of an url extension
function substr_count_array($haystack, $needle) {
    $count = 0;
    foreach ($needle as $substring) {
        $count += substr_count($haystack, $substring);
    }
    return $count;
}
?>
jcbones Posted July 8, 2012

1. Make sure all string data is escaped using the mysqli class, PDO, mysqli_real_escape_string, or mysql_real_escape_string, whichever database method you are using.
2. Make sure all integer or float data is cast to the right data type with Converting to Integer, or Converting to Float. You could also return the form if the integer data was not of ctype_digit, if you are not using 2 above.
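The advice above, worked through on the original post's insert and select as an added example; this is not code from either poster. In the posted workfunctions.php the value of $_SESSION['newLink'] is concatenated into the INSERT text, and getBaseURL() only splits on "/" and prepends "http://www." when neither "http://" nor "www." is present, so a submitted link such as x.com'),('evil passes the ".com" check and reaches MySQL as values(('http://www.x.com'),('evil')), inserting two rows. The posted selectQuery() also echoes the stored address straight into an href attribute. The example below replaces the concatenation with a mysqli prepared statement, validates the host with parse_url() instead of substr_count(), and escapes on output. Assumptions: a database named links, a table sites(id INT AUTO_INCREMENT PRIMARY KEY, address VARCHAR(255)), and a hypothetical low-privilege account linkapp in place of root.

```php
<?php
// Added example (not from the original thread). Assumes database "links",
// table sites(id INT AUTO_INCREMENT PRIMARY KEY, address VARCHAR(255)) and a
// hypothetical account "linkapp" granted only INSERT and SELECT on that table.
declare(strict_types=1);

// Throw mysqli_sql_exception on errors instead of sprinkling die() calls.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Reduce a submitted link to "http://host" using parse_url() rather than
 * substr_count()/explode(). Returns null when the input is not a plausible host,
 * which already rejects quotes, parentheses and similar characters.
 */
function baseUrl(string $input): ?string
{
    $input = trim($input);
    if ($input === '' || strlen($input) > 2048) {
        return null;
    }
    // parse_url() only recognises the host part when a scheme is present.
    if (!preg_match('#^https?://#i', $input)) {
        $input = 'http://' . $input;
    }
    $parts = parse_url($input);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    $host = strtolower($parts['host']);
    // Hostname shape: dot-separated labels of letters, digits and hyphens,
    // ending in an alphabetic top-level label (e.g. com, net, org, edu).
    $labelRe = '/^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/';
    if (!preg_match($labelRe, $host)) {
        return null;
    }
    return 'http://' . $host;
}

function connect(): mysqli
{
    // Hypothetical credentials; never the root account for a web application.
    return new mysqli('localhost', 'linkapp', 'secret', 'links');
}

/** Insert with a bound parameter: the value is sent separately from the SQL text. */
function insertSite(mysqli $con, string $address): int
{
    $stmt = $con->prepare('INSERT INTO sites (address) VALUES (?)');
    $stmt->bind_param('s', $address);
    $stmt->execute();
    $id = $stmt->insert_id;
    $stmt->close();
    return (int) $id;
}

/** Read the addresses back and escape them for HTML before they reach the page. */
function renderSites(mysqli $con): string
{
    $html = '';
    $result = $con->query('SELECT address FROM sites ORDER BY id');
    while ($row = $result->fetch_assoc()) {
        $href = htmlspecialchars($row['address'], ENT_QUOTES, 'UTF-8');
        // the original strips the leading "http://" for the link text
        $text = htmlspecialchars(substr($row['address'], 7), ENT_QUOTES, 'UTF-8');
        $html .= "<a href=\"{$href}\">{$text}</a><br />\n";
    }
    $result->free();
    return $html;
}

// Equivalent of validate.php: the form posts a single field named "link".
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $base = baseUrl($_POST['link'] ?? '');
    if ($base === null) {
        echo "Sorry, we are unable to identify this web address.\n";
    } else {
        $con = connect();
        insertSite($con, $base);
        echo renderSites($con);
    }
}
```

With this version the payload x.com'),('evil is rejected by baseUrl() because the quote and parentheses are not valid hostname characters; even if validation were loosened, the bound parameter would store the string literally rather than terminate the VALUES list. The validation and the prepared statement are separate layers: the first enforces what the application means by a link, the second makes the database treat whatever arrives as data.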