tromton Posted December 19, 2007 Share Posted December 19, 2007 hello all, ive been wondering latley if someone could change a get variable, so he can change a sql statement that way, that he could delete data from my database. the following ive thought of: $sql = "select * from test where id = '".$_GET['someinput']."'"; ..... so if someone would change the url from http://test/index.php?someinput=123 to something like http://test/index.php?someinput=123'; delete from test where '1 i thought he might be able to empty my database or do even worse things. so my idea was to generally search for keywords in the post and get data, so things like that are not possible anymore. iv done the following function, that i will put on top of every file, that includes the conncetion files for the database: function valiMySQLInput_1($getinp){ return str_ireplace("'","",$getinp); } function valiMySQLInput_2($getinp){ return str_ireplace("\"","",$getinp); } function valiMySQLInput_3($getinp){ return str_ireplace(",","",$getinp); } function valiMySQLInput_4($getinp){ return str_ireplace(";","",$getinp); } function valiMySQLInput_5($getinp){ return str_ireplace("(","",$getinp); } function valiMySQLInput_6($getinp){ return str_ireplace(")","",$getinp); } function valiMySQLInput_7($getinp){ return str_ireplace("FROM","",$getinp); } function valiMySQLInput_8($getinp){ return str_ireplace("LIKE","",$getinp); } function valiMySQLInput_9($getinp){ return str_ireplace("WHERE","",$getinp); } function valiMySQLInput() { global $_GET, $_POST; //make get and post input secure for db useage if (!get_magic_quotes_gpc()) { $_GET = array_map('addslashes', $_GET); $_POST = array_map('addslashes', $_POST); } $_GET = array_map('valiMySQLInput_1', $_GET); $_POST = array_map('valiMySQLInput_1', $_POST); $_GET = array_map('valiMySQLInput_2', $_GET); $_POST = array_map('valiMySQLInput_2', $_POST); $_GET = array_map('valiMySQLInput_3', $_GET); $_POST = array_map('valiMySQLInput_3', $_POST); $_GET = array_map('valiMySQLInput_4', $_GET); $_POST = array_map('valiMySQLInput_4', $_POST); $_GET = array_map('valiMySQLInput_5', $_GET); $_POST = array_map('valiMySQLInput_5', $_POST); $_GET = array_map('valiMySQLInput_6', $_GET); $_POST = array_map('valiMySQLInput_6', $_POST); $_GET = array_map('valiMySQLInput_7', $_GET); $_POST = array_map('valiMySQLInput_7', $_POST); $_GET = array_map('valiMySQLInput_8', $_GET); $_POST = array_map('valiMySQLInput_8', $_POST); $_GET = array_map('valiMySQLInput_9', $_GET); $_POST = array_map('valiMySQLInput_9', $_POST); } can someone more experienced say if that makes sense, ord if i should do something else? is there anything i am missing concerning security issues of this kind? thanks for answers on this. best trom Quote Link to comment Share on other sites More sharing options...
tromton Posted December 20, 2007 Author Share Posted December 20, 2007 was this a stupid question? ??? i would really appreciate if somone could give me a hint... Quote Link to comment Share on other sites More sharing options...
adam291086 Posted December 20, 2007 Share Posted December 20, 2007 As you are hard coding the url type it is impossible for the user to change it. The only way to change the url is to get access to your php files. Edit them and re upload them. Php runs server side. So if they went to view the source they will only see the variable value and not the php code. Quote Link to comment Share on other sites More sharing options...
tromton Posted December 20, 2007 Author Share Posted December 20, 2007 ??? i dont understand what you where saying. :-\ the url was just an example for an sql injection. it is clear to me how php works. ive replaced now the function with the following: function valiMySQLInput() { global $_GET, $_POST; $_GET = array_map('mysql_real_escape_string', $_GET); $_POST = array_map('mysql_real_escape_string', $_POST); } this function is called on top of my script. because the site doesent save anything to the database, but is only there to display content from the database and iam not using any special chars as get values, i think itll work with this function. as far as i understand it should now escape every post an get value, so the values that are actually implemented into a sql query are not able to inject any additional sql code. am i right so far? thanks for your help. best t Quote Link to comment Share on other sites More sharing options...
adam291086 Posted December 20, 2007 Share Posted December 20, 2007 people can enter information into a form that could drop all your database tables, therefore you are corrent to use $_POST = array_map('mysql_real_escape_string', $_POST); but i dont think you can edit a url with sql command to drop everything. If you change your url to something radom it wont point to your php file that edits the database and therefore wont effect you. Quote Link to comment Share on other sites More sharing options...
tromton Posted December 20, 2007 Author Share Posted December 20, 2007 no no. i dont want to change my url. as i said: i will call the function on TOP of the script. this means, all passed through get variables, that wil be used in the script will be escaped before they can touch any sql query. this will not change anything to my url. i dont quite understand what you are talking about, sorry :-\ thanks for your help anyways. best t Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.