Home page logo

basics logo Security Basics mailing list archives

Re: PHP filter function against SQL injections
From: Nic Stevens <nic.stevens () gmail com>
Date: Sat, 10 Feb 2007 07:35:36 -0800

Although PHP is a typeless language it's possible to cast variables to ints or floats. If your form is sending integers cast them to integers. This should not, however, be the only line of defense. The form should validate it's own input via javascript. e.g., (if (form.field.value <= 0 || form.field.value >= arbitrary_limit) return false;)

If you're using strings you should also decode them from embedded url encoded data with urldecode() e.g., str = urldecode(str). This will convert embedded hexcoded characters.

I would suggest, though, using data filtering on the form using javascript as your first line of defense. If you're accepting a string, for example, only allow valid characters to be placed in the form field. (I don't know the event handler syntax off hand but I know it can be done)

Good luck,

jeffrey rivero wrote:
what if a must be an integer and not a string ?

Kellox wrote:
well, that does only work if the variable is not included between two single quotes.


$sSql .= " where a = ". '$var';

in your code snippet. if you would inject or 1=1 in this case, the string would be

where a = 'or 1=1', which actually is a string but not a sql command.

jeffrey rivero wrote:
Good Questions
ok for the
1.Single and double-quotes will be escaped by the function call mysql_escape_string(). yep but what i am passing does not have " or ' in them think more like or 1 = 1 and assume that your var is a number
so the injections would look like

$sSql = "select a,b,c ";
$sSql .= "from Table_1";
$sSql .= " where a = ".$var;
now if $var was lets say "1 or 1 = 1"
your resulting injection string would be
select a,b,c from Table_1 where a = 1 or 1 = 1
which might now be what you want

2. union injection ??
3. not sure will a post command still do a url encode ?? anyone ?

Kellox wrote:

Thx for your information so far.

Jeffrey Rivero wrote:
 > how about something like
 > " or 1 = 1"
 > ??

Single and double-quotes will be escaped by the function call mysql_escape_string().

jeff () downtowndevelopmentplan com wrote:
> Don't forget that the best way to sanitize incoming data is to only allow > known-good input. Attempting to filter against a list of bad characters has > historically proven itself futile. Rewrite your function to only allow the
 > characters that your application expects.
 > -Jeff

Actually I always use your recommended whitelist approach. but since this filter function is part of a review I'm doing at the moment, I was asking the question about a possible SQL injection attack.

Pete Pinter wrote:
> Won't hex encoded strings get through? You might want to check out this
 > link:
 > http://www.securityfocus.com/infocus/1768
 > Cheers,
 > /p2

As I can see hexencoded strings will also be filtered by the function mysql_escape_string(). For example %27 will be converted into the ASCII-character ' and then it will be escaped by \ resulting it into \'. So hexencoded strings can't bypass this filter, can they?


Koen Bossaert wrote:
You probably also don't want * and %.
You can also make use of prepared statements or stored procedures
against SQL Injection.


On 2/7/07, Kellox <kellox () mymail ch> wrote:
hi everyone!

i was just wondering if this filter function written in php is safe against
sql injections:

function filter($string) {
  $replace = "";
  $search = array(">", "<", "|", ";");
$result = mysql_escape_string( str_replace($search, $replace, $string));
  return $result;

or could anyone imagine an sql injection attack which bypasses this filter

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]