eXeCuTeR Posted November 15, 2007

How could I possibly secure against PHP injections? I could simply do it with regex, but it would be too stupid:

```php
// Assuming $string comes from site.com/index.php?phpfreak=$string...
$string = htmlspecialchars(mysql_real_escape_string($_GET['phpfreak']));
if (preg_match("/php_functionName\((.*)\)/i", $string)) {
    // Ban the user or else
}
```

Including all PHP functions or just 40 dangerous functions will be totally stupid. Any other suggestions on how to secure against PHP injections?
marcus Posted November 15, 2007

```php
$array = array('this', 'is', 'your', 'array', 'of', 'bad', 'things');
$error = 0; // initialise so the comparison below never reads an undefined variable
foreach ($array AS $baddies) {
    // preg_quote() so entries containing regex metacharacters are matched literally
    if (preg_match("/" . preg_quote($baddies, '/') . "/is", $string)) {
        $error = 1;
    }
}
if ($error >= 1) {
    // baniate
} else {
    // no baniation
}
```
Daniel0 Posted November 15, 2007

I fail to see why you would do that except if you are running it through eval().
eXeCuTeR Posted November 15, 2007 (Author)

~ mgallforever, this is exactly what I meant, which is not right and is inefficient.

Daniel0, what do you mean?
MadTechie Posted November 15, 2007

I assume you're using eval or writing a PHP file and then running it... correct?
eXeCuTeR Posted November 15, 2007 (Author)

I'm not using eval in my code, but I'm using PHP lol
MadTechie Posted November 15, 2007

So how is the being entered into the script itself? What do you mean by "PHP Injections"?

```php
$string = htmlentities(mysql_real_escape_string($_GET['phpfreak']), ENT_QUOTES);
```

will stop SQL + HTML injections
revraz Posted November 15, 2007

Confusing SQL injections with PHP ones?
eXeCuTeR Posted November 15, 2007 (Author)

No, I did block SQL & XSS, but I was wondering how to block PHP injections.
alecks Posted November 15, 2007

I'm not really quite sure what you are trying to do, could you explain a bit more?
Daniel0 Posted November 15, 2007

There is no such thing as PHP injection unless you run a string through eval().
eXeCuTeR Posted November 15, 2007 (Author)

Oh really? Why is that? Only eval "accesses" the option of PHP injections?
dbo Posted November 15, 2007

Code that looks like PHP code is not executed unless it is run through eval; therefore (as was stated already) there is no such thing as PHP injection unless you're using eval, because otherwise the PHP code would be treated as raw text. If you are using eval (which is discouraged), you should create a list of allowable functions, tokenize the data and only allow functions that you said were ok.
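The tokenize-and-whitelist check dbo describes, written out as an added example (not code from any poster in this thread). It uses PHP's own tokenizer and assumes PHP 8.0 or later for the PhpToken class; the whitelist, the hypothetical find_disallowed_calls() name and the sample inputs are all constructed for illustration.

```php
<?php
// Added example: default-deny check of a code string before it could ever reach eval().
// Assumes PHP >= 8.0 (PhpToken). Whitelist is constructed; it deliberately holds no
// function that accepts a callback, since e.g. array_map('system', ...) would otherwise slip through.
function allowed_functions(): array {
    return ['strlen', 'strtoupper', 'abs', 'max', 'min'];
}

/**
 * Returns [] when $code only calls whitelisted functions by their literal name,
 * otherwise a list of reasons for rejecting it.
 */
function find_disallowed_calls(string $code): array {
    $reasons = [];
    $tokens  = PhpToken::tokenize("<?php " . $code);
    $allowed = array_map('strtolower', allowed_functions());
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        // Constructs that execute or load code are rejected outright.
        if ($t->is([T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE, T_NEW, T_DOUBLE_COLON])) {
            $reasons[] = "construct not allowed: " . $t->text;
            continue;
        }
        if ($t->is('`')) { $reasons[] = "backtick shell execution not allowed"; continue; }
        // Look past whitespace/comments to see whether this token is followed by "(".
        $j = $i + 1;
        while ($j < $n && $tokens[$j]->isIgnorable()) { $j++; }
        if (!($j < $n && $tokens[$j]->is('('))) { continue; }
        if ($t->is(T_STRING)) {
            if (!in_array(strtolower($t->text), $allowed, true)) {
                $reasons[] = "function not whitelisted: " . $t->text;
            }
        } elseif ($t->is([T_NAME_QUALIFIED, T_NAME_FULLY_QUALIFIED])) {
            $reasons[] = "namespaced call not allowed: " . $t->text;   // e.g. \system(...)
        } elseif ($t->is([T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, ')', ']'])) {
            // $f(), 'name'(), (...)() and $arr[0]() resolve the callee only at runtime.
            $reasons[] = "dynamic call not allowed near: " . $t->text;
        }
    }
    return $reasons;
}

// Constructed inputs for demonstration.
print_r(find_disallowed_calls('echo strtoupper("ok");'));      // []
print_r(find_disallowed_calls('echo system("id");'));          // function not whitelisted: system
print_r(find_disallowed_calls('$f = "system"; $f("id");'));    // dynamic call not allowed near: $f
```

Only a string for which the function returns an empty array would be a candidate for eval(); anything else is logged and discarded. The check is a filter on syntax, so the safer design remains the one Daniel0 and dbo point at: do not pass user data to eval() at all.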