Sql Injections


Trinity-Links
04-24-2008, 07:06 PM
Does this look like it could stop an SQL injection?

$injections = array('DELETE', 'SELECT', 'INSERT INTO', 'UPDATE', 'DROP', '*', '$', '|', '!', '`', '(', ')', '<', '>', '%', '"', '£', '^', '&', '-', '_', '=', '+', '[', ']', '{', '}', '?', '#', '~');

$injectfound = ''; // holds the last blocked token found in the password, or '' if none
if (!empty($injections) && is_array($injections)) {
    for ($i = 0; $i < count($injections); $i++) {
        $pos = strpos($password, $injections[$i]); // comma between the arguments was missing
        if ($pos !== false) {
            $injectfound = $injections[$i];
        }
    }
}

if ($injectfound <> '') {
    $injectfound = 'Please remove : ( <span class="bld2">' . $injectfound . '</span> ) from your submission!';
    $injerr = '1'; $ok = '1';
    echo '<p class="notok">' . $injectfound . '!</p><p>This protects us from Hacking!</p>';
}

Cheers guys...
I would use mysql_real_escape_string but I can't seem to get it working. Would the code above suffice? :thumbsup:

chaosprime
04-24-2008, 10:39 PM
That methodology will not work and will greatly annoy your users in the course of its failure to work.

mysql_real_escape_string() functions just fine and is the correct way to do this. It'd be a much better idea to post asking for help with your issues concerning it.

Trinity-Links
04-24-2008, 11:21 PM
A Fair Point...

To include an escape string, where and how would I insert it into this code to stop an SQL injection?

$email = $_REQUEST['email']; // user's email address
require('connections/connect.php');
$query = "INSERT INTO user (email) VALUES ('$email')";
$result = mysql_query($query); // Run the query

Cheers for your help

:thumbsup:

chaosprime
04-24-2008, 11:32 PM
My recommendation:
require('connections/connect.php');
$email = $_REQUEST['email'];
$email = mysql_real_escape_string($email);
$query = "INSERT INTO user (email) VALUES ('$email')";
$result = mysql_query($query);
I prefer to pass around the DB handle to the various mysql functions rather than relying on the default (it'd be the second argument to mysql_real_escape_string() if we were doing that), but I can't see what your connections/connect.php uses (if anything), so I've skipped that.

Trinity-Links
04-25-2008, 10:49 PM
I found an example of an SQL injection:

anything' OR 'x'='x

When entered into the form (email) and submitted, the database was updated with this:

anything\\\' OR \\\'

Has that worked OK?

chaosprime
04-25-2008, 11:06 PM
Code that would produce the results you describe would appear to prevent SQL injection (is there a max length being applied that made it stop at the second quote?), but it looks like it's being escaped twice. If you aren't actually applying an escape function twice, that probably means you have magic_quotes_gpc on, which is evil and must be destroyed; cf. http://usphp.com/manual/en/security.magicquotes.disabling.php. If you can't turn it off at the server level, that URL has information on how to emulate disabling it at the script level.

Trinity-Links
04-26-2008, 10:34 AM
I got my hosts to turn off "magic_quotes_gpc".

Now the escape string seems to be unable to stop the injection :(

Trinity-Links
04-26-2008, 12:06 PM
This is my connect.php file:

<?php
// short open tag "<?" replaced with "<?php" so the file does not depend on short_open_tag
define('DB_USER', '********');
define('DB_PASSWORD', '********');
define('DB_HOST', '********');
define('DB_NAME', '********');
/* connect */
$dbc = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD) or die('Could not connect to MySQL: ' . mysql_error());
/* select the database */
mysql_select_db(DB_NAME) or die('Could not select the database: ' . mysql_error());
?>

Trinity-Links
04-26-2008, 12:48 PM
:mad::mad::mad:

chaosprime
04-26-2008, 05:58 PM
Please post the current code that is doing the insert and has the escaping in it.

Trinity-Links
04-26-2008, 06:05 PM
require('connections/connect.php');
$tag = mysql_real_escape_string($tag);
$query = "INSERT INTO tag (type, status, date, name, email, yourtag, url, description, fontsize, fontc, borderc, backc, price, paid, ip_add) VALUES ('2', '2', NOW(), '$name', '$email', '$tag', '$url', '', '$fontsize', '$fontc', '', '$backc', '$totalcost', '0', '$ip')";

echo $query;
$result = mysql_query($query); // Run the query

chaosprime
04-26-2008, 06:38 PM
You should escape each string that's going into mysql, not just $tag.

Trinity-Links
04-26-2008, 06:46 PM
I will give that a go...
Is that what is causing the problem, or is it just good coding? :thumbsup:

chaosprime
04-26-2008, 06:50 PM
It's good coding, and it may be what's causing your problem, if the field you're putting your injection code in isn't $tag.

Trinity-Links
04-26-2008, 06:54 PM
I've changed all the strings to mysql_real_escape_string.

anything' OR 'x'='x still enters the database as:

anything' OR 'x'='x

New code:

/* Connecting to the database */
require('connections/connect.php');
$name = mysql_real_escape_string($name);
$email = mysql_real_escape_string($email);
$tag = mysql_real_escape_string($tag);
$url = mysql_real_escape_string($url);
$fontsize = mysql_real_escape_string($fontsize);
$fontc = mysql_real_escape_string($fontc);
$backc = mysql_real_escape_string($backc);
$totalcost = mysql_real_escape_string($totalcost);
$ip = mysql_real_escape_string($ip);
$query = "INSERT INTO tag (type, status, date, name, email, yourtag, url, description, fontsize, fontc, borderc, backc, price, paid, ip_add) VALUES ('2', '2', NOW(), '$name', '$email', '$tag', '$url', '', '$fontsize', '$fontc', '', '$backc', '$totalcost', '0', '$ip')";

$result = mysql_query($query); // Run the query

GJay
04-27-2008, 12:20 AM
It will enter the database as that; that's the whole point of escaping it. If it wasn't escaped, your query would error.

Trinity-Links
04-27-2008, 10:24 AM
Ah right... that's OK :thumbsup:

When I remove the mysql_real_escape_string:

anything' OR 'x'='x enters the database as: 1

Does that sound about normal?

Also, I take it that mysql_real_escape_string should be added to all SQL queries, not just an input!

Are there any other commands which I could use to stop hackers pratting around with my website & database... htmlspecialchars for example, or does mysql_real_escape_string do the full monty?

:confused:

GJay
04-27-2008, 04:58 PM
anything' OR 'x'='x enters the database as: 1

Does that sound about normal?

Yes, as the query will end up looking like:

INSERT INTO foo(bar) VALUES ('anything' or 'x'='x');

and so the value to be inserted will be a boolean which, when cast to a string, will show as '1'.

mysql_real_escape_string should be applied to all user input that's going into the database. htmlspecialchars won't help with that.
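The behaviour GJay describes, together with chaosprime's escaping advice earlier in the thread, as an added example that is not from any poster: it assumes PDO with an in-memory SQLite database so it runs without a MySQL server, uses GJay's illustrative table `foo`/column `bar`, and lets PDO::quote() stand in for mysql_real_escape_string(). It shows the unescaped insert storing 1, the escaped insert storing the text as typed, and the prepared-statement form that needs no escaping at all.

```php
<?php
// Added example (not from the thread). SQLite via PDO is an assumption
// chosen so this runs offline; the SQL semantics match what GJay describes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE foo (bar TEXT)');

$input = "anything' OR 'x'='x"; // the test string used in the thread

// 1. Unescaped interpolation: the quotes inside $input close the SQL string
//    literal, so the VALUES expression becomes 'anything' OR 'x'='x', a
//    boolean, and the row stores 1 instead of the text the user typed.
$db->exec("INSERT INTO foo (bar) VALUES ('$input')");

// 2. Escaping: PDO::quote() plays the role mysql_real_escape_string() plays
//    in the thread (it also adds the surrounding quotes). The input is now a
//    single string literal and is stored exactly as typed, quotes included.
$db->exec('INSERT INTO foo (bar) VALUES (' . $db->quote($input) . ')');

// 3. Prepared statement with a bound parameter: the value never becomes part
//    of the SQL text, so there is nothing to escape and nothing to forget.
$stmt = $db->prepare('INSERT INTO foo (bar) VALUES (:bar)');
$stmt->execute([':bar' => $input]);

// Show what each approach actually stored.
foreach ($db->query('SELECT rowid, bar FROM foo ORDER BY rowid') as $row) {
    printf("row %d: %s\n", $row['rowid'], var_export($row['bar'], true));
}
```

The mysql_* functions used throughout this thread were removed in PHP 7, so the prepared-statement form is the one to carry into new code.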

Trinity-Links
04-27-2008, 06:28 PM
You've been a great help...

I think I've been looking at this from the wrong angle (complete novice angle)..
When I first researched mysql_real_escape_string I believed it stripped a $string of its DODGY content, allowing it to pass safely into the database.

E.g. anything' OR 'x'='x would become
something like: anythingORxx ...

Obviously I can see that this is not the case.

One quick question.. What kind of reaction is going to occur when hackers INJECT??? Are they trying to create an error which displays sensitive information?

Anyway... thanks a bundle for your time...:thumbsup::thumbsup::thumbsup:

Trinity-Links
04-28-2008, 07:17 PM
:)......

_Aerospace_Eng_
04-28-2008, 08:02 PM
They could do that, or if your query returns something they could try to return what they want from the database, or even try to insert into it. Luckily mysql_query() in PHP only allows one query. Queries in MySQL are separated by a ; (semi-colon), but mysql_query picks up on this and doesn't run the query.