Home page logo

basics logo Security Basics mailing list archives

Re: PHP filter function against SQL injections
From: Kellox <kellox () my-mail ch>
Date: Thu, 08 Feb 2007 13:31:08 +0100


Thx for your information so far.

Jeffrey Rivero wrote:
> how about something like
> " or 1 = 1"
> ??

Single and double-quotes will be escaped by the function call mysql_escape_string().

jeff () downtowndevelopmentplan com wrote:
> Don't forget that the best way to sanitize incoming data is to only allow > known-good input. Attempting to filter against a list of bad characters has > historically proven itself futile. Rewrite your function to only allow the
> characters that your application expects.
> -Jeff

Actually I always use your recommended whitelist approach. but since this filter function is part of a review I'm doing at the moment, I was asking the question about a possible SQL injection attack.

Pete Pinter wrote:
> Won't hex encoded strings get through? You might want to check out this
> link:
> http://www.securityfocus.com/infocus/1768
> Cheers,
> /p2

As I can see hexencoded strings will also be filtered by the function mysql_escape_string(). For example %27 will be converted into the ASCII-character ' and then it will be escaped by \ resulting it into \'. So hexencoded strings can't bypass this filter, can they?


Koen Bossaert wrote:
You probably also don't want * and %.
You can also make use of prepared statements or stored procedures
against SQL Injection.


On 2/7/07, Kellox <kellox () mymail ch> wrote:
hi everyone!

i was just wondering if this filter function written in php is safe against
sql injections:

function filter($string) {
  $replace = "";
  $search = array(">", "<", "|", ";");
$result = mysql_escape_string( str_replace($search, $replace, $string));
  return $result;

or could anyone imagine an sql injection attack which bypasses this filter

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]