
security: validate POST and GET vars for MySQL query



Hello all,

 

I've been wondering lately whether someone could change a GET variable so that he could alter an SQL statement and delete data from my database.

I've thought of the following:

 

$sql = "select * from test where id = '".$_GET['someinput']."'";

.....

 

So if someone changed the URL from

http://test/index.php?someinput=123

to something like

http://test/index.php?someinput=123'; delete from test where '1

I thought he might be able to empty my database or do even worse things.

 

So my idea was to generally search for keywords in the POST and GET data, so that things like that are no longer possible.

 

I've written the following function, which I will put at the top of every file that includes the connection files for the database:

 

// Each helper strips one character or keyword from a single value
// (str_ireplace is case-insensitive, so "from" and "From" are removed as well).
function valiMySQLInput_1($getinp) { return str_ireplace("'",     "", $getinp); }
function valiMySQLInput_2($getinp) { return str_ireplace("\"",    "", $getinp); }
function valiMySQLInput_3($getinp) { return str_ireplace(",",     "", $getinp); }
function valiMySQLInput_4($getinp) { return str_ireplace(";",     "", $getinp); }
function valiMySQLInput_5($getinp) { return str_ireplace("(",     "", $getinp); }
function valiMySQLInput_6($getinp) { return str_ireplace(")",     "", $getinp); }
function valiMySQLInput_7($getinp) { return str_ireplace("FROM",  "", $getinp); }
function valiMySQLInput_8($getinp) { return str_ireplace("LIKE",  "", $getinp); }
function valiMySQLInput_9($getinp) { return str_ireplace("WHERE", "", $getinp); }

// Runs every helper, in order, over all GET and POST values in place.
function valiMySQLInput()
{
    global $_GET, $_POST; // not actually needed: $_GET and $_POST are superglobals

    // Make GET and POST input secure for DB usage.
    // get_magic_quotes_gpc() is deprecated since PHP 7.4 and removed in PHP 8.0;
    // on those versions this check must be dropped (magic quotes are always off).
    if (!get_magic_quotes_gpc()) {
        $_GET  = array_map('addslashes', $_GET);
        $_POST = array_map('addslashes', $_POST);
    }

    // Same as calling valiMySQLInput_1 .. valiMySQLInput_9 one after another.
    foreach (range(1, 9) as $i) {
        $_GET  = array_map("valiMySQLInput_$i", $_GET);
        $_POST = array_map("valiMySQLInput_$i", $_POST);
    }
}

 

Can someone more experienced say whether that makes sense, or whether I should do something else? Is there anything I am missing concerning security issues of this kind?

 

Thanks for any answers on this.

 

Best,

 

trom
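The filter from the post above, collapsed into one function and run over a few constructed inputs, as an added example that is not part of the original post. The sample strings are made up for the demonstration. Magic quotes have been gone since PHP 5.4, so `addslashes()` is applied unconditionally here, which is exactly the path the original function takes when `get_magic_quotes_gpc()` is false.

```php
<?php
// Added example, not code from the thread: the blacklist filter in one function.
// Same removal list and order as valiMySQLInput_1 .. valiMySQLInput_9, after addslashes().
function blacklistFilter(string $value): string
{
    $value = addslashes($value);
    foreach (["'", '"', ',', ';', '(', ')', 'FROM', 'LIKE', 'WHERE'] as $bad) {
        $value = str_ireplace($bad, '', $value);
    }
    return $value;
}

// Constructed inputs: two legitimate values, one keyword-smuggling value,
// and one value that contains nothing on the list at all.
$samples = [
    "O'Neil, Dublin",          // legitimate data containing a quote and a comma
    "Where is Fromage Street", // legitimate words that happen to contain FROM and WHERE
    "SELECT * FRFROMOM test",  // removing the inner FROM leaves a FROM behind
    "1 OR 1=1",                // no listed character or keyword at all
];

foreach ($samples as $in) {
    printf("%-26s => %s\n", $in, blacklistFilter($in));
}
```

Run it with `php filter-demo.php`. The first two inputs are ordinary data and come out damaged: the quote and the comma are gone, `addslashes()` leaves a stray backslash behind (`O\Neil Dublin`), and the street name is cut down to ` is age Street`. The third input shows why keyword removal is not a security boundary: `str_ireplace()` makes one left-to-right pass, so stripping the inner `FROM` from `FRFROMOM` yields `FROM`. The last input passes through untouched; whatever protection it gets comes from the quotes around the value in the query, not from the filter. A filter that both corrupts legitimate data and can be walked around is the wrong tool; escaping for the exact context, or better, prepared statements, is what actually separates data from SQL.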

As you are hard-coding the URL type, it is impossible for the user to change it. The only way to change the URL is to get access to your PHP files, edit them and re-upload them. PHP runs server-side, so if they went to view the source they would only see the variable value and not the PHP code.

??? I don't understand what you were saying.  :-\

 

The URL was just an example of an SQL injection. It is clear to me how PHP works. ;)

 

I've now replaced the function with the following:

 

function valiMySQLInput()
{
    global $_GET, $_POST; // not actually needed: $_GET and $_POST are superglobals

    // mysql_real_escape_string() needs an open mysql_connect() link, so this must
    // run after the connection is made. ext/mysql itself was removed in PHP 7.0;
    // on newer versions use mysqli_real_escape_string() or, better, prepared statements.
    $_GET  = array_map('mysql_real_escape_string', $_GET);
    $_POST = array_map('mysql_real_escape_string', $_POST);
}

 

This function is called at the top of my script.

 

Because the site doesn't save anything to the database, but is only there to display content from the database, and I am not using any special chars as GET values, I think it'll work with this function.

As far as I understand, it should now escape every POST and GET value, so the values that are actually put into an SQL query are not able to inject any additional SQL code.

 

Am I right so far?

 

Thanks for your help.

 

Best,

 

t
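Escaping every value only helps where the escaped value lands inside a quoted SQL string literal; it does nothing for a value spliced in unquoted, and it ties every query to the escaping having been done correctly earlier. The following is an added example, not code from the thread, that shows the difference and the prepared-statement alternative. It assumes the `pdo_sqlite` extension is loaded, builds its table in memory so it runs offline, and uses `addslashes()` as a stand-in for `mysql_real_escape_string()`, which needs a live MySQL connection (both only touch quotes, backslashes and NUL, which is all that matters here).

```php
<?php
// Added example, not code from the thread: escaping versus prepared statements.
// Assumes pdo_sqlite is available; table and rows are constructed in memory.

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE test (id INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec("INSERT INTO test (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $pdo;
}

// Number of rows returned by an SQL text built with string concatenation.
function rowsFor(PDO $pdo, string $sql): int
{
    return count($pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN));
}

$pdo = makeDb();

// Value as it could arrive in $_GET['someinput']. It contains no quote or
// backslash, so escaping (addslashes here, mysql_real_escape_string in the
// thread) returns it exactly as it is.
$input   = '1 OR 1=1';
$escaped = addslashes($input);

// Case 1: escaped value used without surrounding quotes. The OR is parsed as
// SQL and every row matches; escaping did nothing for this context.
$sql = "SELECT id FROM test WHERE id = $escaped";
printf("%d rows  <-  %s\n", rowsFor($pdo, $sql), $sql);

// Case 2: escaped value inside quotes, as in the thread's query. It is now one
// string literal that equals no id, so nothing matches.
$sql = "SELECT id FROM test WHERE id = '$escaped'";
printf("%d rows  <-  %s\n", rowsFor($pdo, $sql), $sql);

// Case 3: prepared statement. The value is sent separately from the SQL text,
// so neither quoting nor escaping is the application's job any more.
$stmt = $pdo->prepare('SELECT id FROM test WHERE id = ?');
foreach ([$input, "O'Neil", '2'] as $value) {
    $stmt->execute([$value]);
    $n = count($stmt->fetchAll(PDO::FETCH_COLUMN));
    printf("%d rows  <-  id = ?  bound to %s\n", $n, var_export($value, true));
}
```

Run it with `php escape-demo.php`. Case 1 returns all three rows, case 2 returns none, and the prepared statement returns no rows for `1 OR 1=1` and for `O'Neil` (no escaping needed for the quote) and one row for `2`. The same `prepare()`/`execute()` pattern works against MySQL through PDO's `mysql:` driver or through `mysqli_prepare()`, and it removes the need to escape `$_GET` and `$_POST` up front at all.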

 

People can enter information into a form that could drop all your database tables, therefore you are correct to use

 

$_POST = array_map('mysql_real_escape_string', $_POST);	

 

but I don't think you can edit a URL with an SQL command to drop everything. If you change your URL to something random it won't point to your PHP file that edits the database and therefore won't affect you.

No no, I don't want to change my URL. As I said: I will call the function at the TOP of the script. This means all passed-through GET variables that will be used in the script will be escaped before they can touch any SQL query.

This will not change anything in my URL.

 

I don't quite understand what you are talking about, sorry  :-\

 

Thanks for your help anyway.

 

Best,

 

t

 
