gotornot Posted February 10, 2015 Share Posted February 10, 2015 Hi I am really struggling here i want this to check for fobidden words in an effort to stop sql injection.I cant seem to get it to work function secureit() { global $items_check; $unallowed = array('href', 'www', 'UPDATE', 'INSERT', 'DELETE', 'SET', 'OFFSET', 'ORDER BY', 'union', 'UPDATE', 'DROP TABLE', 'CREATE TABLE'); foreach($unallowed as $field) { if(stristr($items_check, $field) == TRUE) { $mess = 'NO Thanks "'.$items_check .'" is forbidden content!'; return $action = "0"; } } } The idea is that it checks the $items_check against a list of banned words if it finds one it doesnt allow the remaining script to execute. Quote Link to comment https://forums.phpfreaks.com/topic/294503-function-query/ Share on other sites More sharing options...
mac_gyver Posted February 10, 2015 Share Posted February 10, 2015 if you are properly escaping string data (or using prepared queries), those keywords (and many more that are not in your list) cannot be used to inject sql. numerical data values are another story, but you should be validating numerical data (or using prepared queries) to insure the data only contains a properly formatted number of the correct type. see this related post - http://forums.phpfreaks.com/topic/294273-question/?p=1504405 Quote Link to comment https://forums.phpfreaks.com/topic/294503-function-query/#findComment-1505335 Share on other sites More sharing options...
gotornot Posted February 10, 2015 Author Share Posted February 10, 2015 the big question is how do you do that? Quote Link to comment https://forums.phpfreaks.com/topic/294503-function-query/#findComment-1505337 Share on other sites More sharing options...
cyberRobot Posted February 10, 2015 Share Posted February 10, 2015 the big question is how do you do that? If you are using the deprecated mysql_* functions, you would use mysql_real_escape_string(): http://php.net/manual/en/function.mysql-real-escape-string.php Note that MySQLi and PDO also have functions for escaping strings. As for prepared queries, you could try a Google search for "php prepared statements". Quote Link to comment https://forums.phpfreaks.com/topic/294503-function-query/#findComment-1505338 Share on other sites More sharing options...
mac_gyver Posted February 10, 2015 Share Posted February 10, 2015 something tells me you have had a problem with a database and are now trying things to prevent sql injection? are you sure the problem was through sql injection or did someone gain direct access to the database by bruit force determining the username/password database connection credentials (most database engines don't have any sort of failed login detection/reporting)? another reason the black-list method isn't the right way of preventing sql injection is because, depending on how your query is using external data, an encoded string (i won't mention how it's encoded) can be crafted that contains no sql keyword, but which a database engine like mysql will happily convert back to sql statements and allow sql injection. Quote Link to comment https://forums.phpfreaks.com/topic/294503-function-query/#findComment-1505349 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.