Jump to content

Any need of this SQLi filtering rules?


oz11
Go to solution Solved by Barand,

Recommended Posts

I use PDO so not sure if this is a good idea. Anyway, maybe it won't hurt?

 

if (str_contains($_GET['q'], 'SELECT')) {
    exit();
}
if (str_contains($_GET['q'], 'UPDATE')) {
    exit();
}
if (str_contains($_GET['q'], 'DELETE')) {
    exit();
}
if (str_contains($_GET['q'], '||')) {
    exit();
}
if (str_contains($_GET['q'], 'WHERE')) {
    exit();
}
if (str_contains($_GET['q'], 'SLEEP')) {
    exit();
}
if (str_contains($_GET['q'], 'DROP')) {
    exit();
}
if (str_contains($_GET['q'], 'FROM users')) {
    exit();
}
if (str_contains($_GET['q'], 'FROM links')) {
    exit();
}
if (str_contains($_GET['q'], '1=1')) {
    exit();
}
if (str_contains($_GET['q'], '1 = 1')) {
    exit();
}

Pontless?

Link to comment
Share on other sites

20 hours ago, oz11 said:

maybe it won't hurt?

Does your application know what to do with raw SQL passed as a QueryString argument? 

(If it does then I'd suggest that's a pretty poor design). 

if it doesn't then I see no point in defending against this.  
Hackers can throw this (and lots of other) stuff at your application, but it won't get them anywhere if your code doesn't try to do anything with it.

 

Of course, you should vigorously validate and clean any inputs you do receive and that you do intend to do things with. 

Regards, 
   Phill W. 

 

Link to comment
Share on other sites

45 minutes ago, Phi11W said:

clean any inputs

you should not modify data, then use the modified value, as this changes the meaning of the data (ask the author's of this forum software about the email 'cleaning' they did a number of years ago that allowed hackers to create a real and valid email addresses that was similar to an administrator's, that after 'cleaning' allowed it to be used to do a password recovery for that administrator, and allowed the hackers to log in as that administrator.) you should only trim user submitted data, mainly so that you can detect if it was all white-space characters, then validate that the trimmed value meets the 'business' needs of your application. if the data is valid, use it securely in whatever context it is being used in. if the data is not valid, tell the user what was wrong with the data and let them correct and resubmit it.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.