woolyg Posted September 19, 2007

Hey all. I'm building a new site right now and would like to test its vulnerability to injection, in stages. Would any of you more experienced users be interested in attempting to inject into my DB from forms on my site, in a controlled atmosphere? Send me a private message if you'd like to help and I'll explain what stage I'm at, and what I aim to gain by doing the testing. Any help appreciated, Woolyg.
fenway Posted September 21, 2007

No need for PM... just make sure you escape special characters with mysql_escape_string().
woolyg (Author) Posted September 21, 2007

Thanks, I've been reading up on it and it seems that this'll be the way to go. Quick Q regarding safeguarding against injection - does it help if you limit the maximum number of input characters on the form object? Just something I'd like to know. Cheers, Wool.
woolyg (Author) Posted September 21, 2007

Here's another bit of info I'd love to clear up: I've got a PHP page that takes POST input from a form on a previous page. Code here:

```php
<?php
// Assumes a MySQL connection was opened earlier with mysql_connect() /
// mysql_select_db(); mysql_real_escape_string() needs an open connection
// so that it knows the connection's character set.
$username   = mysql_real_escape_string($_POST['username']);
$info_title = mysql_real_escape_string($_POST['info_title']);

// NOTE: the original had extract($_POST) here. That would have overwritten
// the escaped $username and $info_title with the raw POST values and undone
// the escaping, so it has been removed.

// Whitelist check: TRUE if the title contains no disallowed character.
// The original pattern was anchored only at the end ([^...]+$), so a
// disallowed character earlier in the string slipped through; the anchor
// is dropped so any disallowed character anywhere fails the check.
// /u assumes the page and the POST data are UTF-8 (needed for the umlauts).
function check_field1($info_title)
{
    if (!preg_match('/[^a-zA-Z0-9.\-ÄäÖöÜü\'?!*#@$%()=\\\\ ]/u', $info_title)) {
        return TRUE;
    }
    return FALSE;
}

$error  = 0;
$error1 = '';

// check up variable
if (!check_field1($info_title)) {
    $error1 = "-- You have entered a disallowed character in the Info Title. Please try again. --<br>";
    $error++;
}

// Enter data
if ($error == 0) {
    // `table` is backticked because TABLE is a reserved word in MySQL;
    // substitute the real table name.
    $query = "INSERT INTO `table` (username, info_title) "
           . "VALUES ('$username', '$info_title')";
    mysql_query($query) or die('Error, query failed : ' . mysql_error());
} else {
    echo "That didn't work<br>" . $error1;
}
?>
```

My question is as follows: If I have allowed the apostrophe character and the backslash character in my preg_match definition, will mysql_real_escape_string still work OK in preventing injection? Thanks, Woolyg.
fenway Posted September 24, 2007

There's nothing "wrong" with these characters, and you may or may not want to permit them for your own reasons. But it has nothing to do with MySQL: as long as you escape them, they are treated just like normal characters. You can't tell someone whose last name is O'Brien to change their last name.
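Editor's added example (not code from anyone in this thread) showing fenway's point in practice: once the apostrophe is escaped, "O'Brien" and a quote-bearing injection attempt are both stored as plain data. It goes one step beyond the thread by also showing a prepared statement, where the value never becomes part of the SQL text at all. The host, credentials, database name and the `info` table are placeholders assumed for the example; they do not appear in the original posts.

```php
<?php
// Added example, not from the original thread. Assumes a reachable MySQL
// server and a table created like:
//   CREATE TABLE info (username VARCHAR(64), info_title VARCHAR(255));
// Host, credentials, database and table name are placeholders.
$db = new mysqli('localhost', 'app', 'secret', 'appdb');
if ($db->connect_errno) {
    die('connect failed: ' . $db->connect_error);
}
// Escaping is charset-dependent, so set the connection charset explicitly.
$db->set_charset('utf8mb4');

// Constructed inputs: a legitimate surname with an apostrophe, and a
// classic injection attempt that also relies on one.
$inputs = [
    ['username' => "O'Brien",            'info_title' => 'Monday notes'],
    ['username' => "x', 'owned'); -- ",  'info_title' => 'ignored'],
];

// For contrast, the query the second input would produce WITHOUT escaping
// (not executed here): the quote closes the literal and -- comments out
// the rest, so the attacker now controls the statement.
//   INSERT INTO info (username, info_title) VALUES ('x', 'owned'); -- ', 'ignored')

// 1) Escaping: every ' becomes \' and MySQL reads it as data, not syntax.
foreach ($inputs as $row) {
    $u = $db->real_escape_string($row['username']);
    $t = $db->real_escape_string($row['info_title']);
    $sql = "INSERT INTO info (username, info_title) VALUES ('$u', '$t')";
    echo $sql, "\n";   // e.g. ... VALUES ('O\'Brien', 'Monday notes')
    $db->query($sql) or die($db->error);
}

// 2) Prepared statement: the SQL text is fixed and the values travel
//    separately, so there is no quoting to get right in the first place.
$stmt = $db->prepare('INSERT INTO info (username, info_title) VALUES (?, ?)');
foreach ($inputs as $row) {
    $stmt->bind_param('ss', $row['username'], $row['info_title']);
    $stmt->execute() or die($stmt->error);
}

// Read back: all four rows hold the input literally, apostrophes intact.
$res = $db->query('SELECT username, info_title FROM info');
while ($r = $res->fetch_assoc()) {
    echo $r['username'], ' | ', $r['info_title'], "\n";
}
```

Note that the injection string above is only 17 characters long, so a maxlength on the form field alone would not have stopped it; what neutralises it is the escaping (or, better, the bound parameter), not the length.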