  • #1 Regular Coder (UK, joined Jun 2006)

    Question: Data Safe - SQL Injection

    Hi,

    This is an interesting question (in my humble opinion).

    I am trying to create a forum in PHP. So there is a "Post a new Thread" link, clicking on which would open a textarea field for posting a message and a textbox for the "title".

    Now, I don't want people to SQL inject queries through the textarea or the textbox field.

    So I have created this function for that purpose.

    Code:
    function dbsafe($data){
        // case-sensitive removal of each keyword wherever it occurs in the text
        $data = str_replace('select','',$data);
        $data = str_replace('alter','',$data);
        $data = str_replace('delete','',$data);
        $data = str_replace('replace','',$data);
        return $data;
    }

    Now, though the above function would secure my DB up to some extent, the only limitation I can see is that my members/visitors will not be able to use the words "select", "alter", "delete" and "replace" in their threads even though they want to use them (not for SQL injection purposes).


    So, I had to change my dbsafe function to the following:

    Code:
    function dbsafe($data){
        // case-sensitive removal of each table name wherever it occurs in the text
        $data = str_replace('tbl_members','',$data);
        $data = str_replace('tbl_login','',$data);
        $data = str_replace('tbl_details','',$data);
        $data = str_replace('tbl_orders','',$data);
        return $data;
    }
    OK, so now my function would replace my database tables if the attacker intends to destroy or misuse them using any SQL statements.

    Now my question is that:

    1) Which one of the above 2 functions do you think is better?
    2) Also, with my second function, is there a way the attacker could hamper my database without using my table names?


    Please guide and help.

    I need your opinion.

    Thanks so much in advance.

  • #2 Senior Coder kbluhm (Philadelphia, PA, USA, joined Apr 2007)
    I would use neither. Have a look at mysql_real_escape_string().

  • #3 New Coder Rohan_Shenoy (Thane-Vashi, Mumbai, India, joined Nov 2007)
    You can also use regex or htmlentities().

  • #4 Senior Coder kbluhm (Philadelphia, PA, USA, joined Apr 2007)
    Quote (originally posted by Rohan_Shenoy): You can also use regex or htmlentities()
    No, not the same thing.

  • #5 Regular Coder (Oregon, United States of America, joined Aug 2002)
    You don't need all of these (only mysql_real_escape_string), but it's good to know about these functions.

    You can use these when inserting into a database:
    mysql_real_escape_string
    strip_tags
    urldecode

    And these when displaying variables that have come out of a database:
    stripslashes
    htmlentities

  • #6 Senior Coder (joined Jan 2007)
    Or just use prepared statements.
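    Putting the advice from #2, #5 and #6 together in code: an added PHP example (not code posted in this thread) that stores a post with a PDO prepared statement, so quotes, SQL keywords and table names in the user's text are plain data, and then encodes it for display. The tbl_threads table, its columns and the in-memory SQLite database are assumptions made for the example.

```php
<?php
// Added example: prepared statement on the way into the database,
// output encoding on the way out. Table and column names are assumed.

function createSchema(PDO $db): void {
    $db->exec('CREATE TABLE tbl_threads (id INTEGER PRIMARY KEY,'
            . ' title TEXT NOT NULL, body TEXT NOT NULL)');
}

// User text is bound as a parameter, never concatenated into the SQL string,
// so the database engine treats it as a value regardless of its content.
function insertThread(PDO $db, string $title, string $body): int {
    $stmt = $db->prepare('INSERT INTO tbl_threads (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function fetchThread(PDO $db, int $id): ?array {
    $stmt = $db->prepare('SELECT title, body FROM tbl_threads WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Encoding belongs at display time (post #5): it protects the HTML page,
// not the SQL query, so it is a separate step from the insert above.
function renderThread(array $row): string {
    $title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
    $body  = htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8');
    return "<h2>$title</h2>\n<p>$body</p>\n";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);

// Constructed sample input: legitimate text that contains an apostrophe,
// SQL keywords and a table name, all of which should survive unchanged.
$title = "How do I select rows from tbl_members?";
$body  = "I'd rather use REPLACE INTO than DELETE + INSERT <b>here</b>; thoughts?";

$row = fetchThread($db, insertThread($db, $title, $body));

if ($row['title'] === $title && $row['body'] === $body) {
    echo "stored verbatim: the quote did not break the query, nothing was stripped\n";
}
echo renderThread($row);
```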

