  #1 Troy297 (Regular Coder)

    Protecting Against MySQL Injection

    Hi Everyone,

    I'm making a new version of my Radio DJ Panel and I am currently in the process of completing all the core functions and that kind of fun stuff. So I obviously need a strong clean() function to protect against any sort of MySQL injection to maintain the security of the script. So here's what I have so far... does anyone see any problems with this or ways it could be improved?

    PHP Code:
    <?php
    function clean($string, $what = ''){

        // Filter bad words: each word from settings() is matched literally
        // (preg_quote), case-insensitively, and replaced with settings('filterreplace')
        $filter = explode(',', settings('filterwords'));
        foreach($filter as $word){
            $string = preg_replace('/'.preg_quote($word, '/').'/i', settings('filterreplace'), $string);
        }

        // Filter MySQL comments and stuff: rewrite risky characters as HTML
        // character references. ';' goes first, otherwise the ';' that ends
        // every reference added below would itself be re-encoded.
        $string = str_replace(';', '&#59;', $string);
        $string = str_replace('#', '&#35;', $string);
        $string = str_replace('--', '&#45;-', $string);
        $string = str_replace('/*', '&#47;*', $string);
        $string = str_replace('*/', '&#42;/', $string);
        $string = str_replace('"', '&#34;', $string);
        $string = str_replace('`', '&#96;', $string);
        $string = str_replace("'", '&#39;', $string);

        // Undo magic_quotes first (when it is on, the input already carries
        // backslashes), then escape exactly once for MySQL. Calling addslashes()
        // on top of mysql_real_escape_string() would double-escape.
        // (PHP 5-era code: get_magic_quotes_gpc() and the mysql_* functions
        // no longer exist in PHP 7/8.)
        if(get_magic_quotes_gpc()){
            $string = stripslashes($string);
        }
        $string = mysql_real_escape_string($string); // needs an open mysql_connect() link

        // General cleaning
        if($what == ''){
            $string = htmlspecialchars($string);
            $string = htmlentities($string);
            $string = nl2br($string);

        // Notes cleaning: nothing beyond the steps above
        }elseif($what == "notes"){

        // Login cleaning
        }elseif($what == "login"){
            $string = substr($string, 0, 30);
        }
        return $string;
    }
    ?>
    I've protected against basically all that I could think of, but am I going overboard (I'm a little paranoid after some previous mishaps)...

    All comments are welcome. Thanks!
    Last edited by Troy297; 03-15-2008 at 04:10 AM. Reason: Updated PHP code
    Everyone hears what you say, friends listen to what you say, best friends listen to what you don't say.
    Radio DJ Panel v3 - It's Here!
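The function in the post above rewrites the input and then splices the result into SQL text. The following is an added example (mine, not code from the thread or from Radio DJ Panel) that runs a condensed version of that idea next to a prepared statement, so the difference can be seen on two inputs: a probe aimed at an unquoted numeric field, and a legitimate name containing an apostrophe. It assumes PHP with the PDO and pdo_sqlite extensions and uses an in-memory SQLite database so it runs offline; the table, rows, and probe string are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread or from Radio DJ Panel.
// Contrasts "rewrite the input, then splice it into SQL" with a prepared
// statement. An in-memory SQLite database keeps it runnable offline; for MySQL
// the DSN would be 'mysql:host=...;dbname=...' and PDO::ATTR_EMULATE_PREPARES
// should additionally be set to false so the server does the binding.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE djs (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
// Constructed sample rows; "o'brien" carries an apostrophe on purpose.
$pdo->exec("INSERT INTO djs (id, name) VALUES (1, 'troy'), (2, 'o''brien')");

// The thread's idea, condensed: entity-encode risky characters, then escape.
// ';' is handled first so the references it emits are not re-encoded.
function cleanLikeThread(string $s): string
{
    $s = str_replace(
        [';', '#', '--', '/*', '*/', '"', '`', "'"],
        ['&#59;', '&#35;', '&#45;-', '&#47;*', '&#42;/', '&#34;', '&#96;', '&#39;'],
        $s
    );
    return addslashes($s);
}

// Numeric context: the value is not quoted, so none of the rewriting matters.
function namesByIdConcat(PDO $pdo, string $id): array
{
    $sql = 'SELECT name FROM djs WHERE id = ' . cleanLikeThread($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

function namesByIdParam(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT name FROM djs WHERE id = ?');
    $stmt->execute([$id]); // the whole string is one value, never SQL
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// String context: the rewrite blocks the quote, but it also changes the data,
// so a legitimate value with an apostrophe no longer matches what is stored.
function idsByNameConcat(PDO $pdo, string $name): array
{
    $sql = "SELECT id FROM djs WHERE name = '" . cleanLikeThread($name) . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

function idsByNameParam(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id FROM djs WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$probe = '1 OR 1=1'; // constructed probe for an unquoted numeric field

// Concatenation: the OR clause becomes part of the query and both names come back.
print_r(namesByIdConcat($pdo, $probe));
// Parameter: SQLite compares the integer column to the text '1 OR 1=1' and finds
// nothing (MySQL would coerce it to 1 and return only troy); the OR never runs.
print_r(namesByIdParam($pdo, $probe));

// Concatenation: the query looks for 'o&#39;brien', which was never stored.
print_r(idsByNameConcat($pdo, "o'brien"));
// Parameter: the apostrophe is just data, and the row with id 2 matches.
print_r(idsByNameParam($pdo, "o'brien"));
```

The design point is that a prepared statement separates the query text from the values, so the database never has to decide whether a quote, a comment marker or an OR came from the developer or from the user; a character blacklist only guesses at that, and as the second pair of calls shows, it changes legitimate data while doing so.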

  • #2 Inigoesdr (Super Moderator)
    PHP Code:
        $string = str_replace('#', '#', $string);
        $string = str_replace('--', '--', $string);
        $string = str_replace('/*', '/*', $string);
        $string = str_replace('*/', '*/', $string);
        $string = str_replace('"', '"', $string);
        $string = str_replace('`', '`', $string);
        $string = str_replace("'", ''', $string); // <-- syntax error
        $string = str_replace(';', ';', $string);
    Every one of those does nothing, or more specifically takes the input and replaces it with the same thing. If you just want to remove those things you can do this:
    PHP Code:
    $replace = array('#', '--', '/*', '*/', '"', '`', '\'', ';');
    $string = str_replace($replace, '', $string);

  • #3 Troy297 (Regular Coder)
    Quote Originally Posted by Inigoesdr:
    Every one of those does nothing, or more specifically takes the input and replaces it with the same thing.
    Sorry, that was my bad... It actually takes it and replaces it with the HTML special character representation (# = '& # 35 ;' minus the spaces). I guess the forum replaced all the HTML character representations with the actual output... that would be why it appears I'm replacing something with itself.

    Since I can't edit my earlier post, would all future respondents please keep the above in mind when replying. Thanks.

  • #4 Inigoesdr (Super Moderator)
    Quote Originally Posted by Troy297:
    Sorry, that was my bad... It actually takes it and replaces it with the HTML special character representation (# = '& # 35 ;' minus the spaces). I guess the forum replaced all the HTML character representations with the actual output... that would be why it appears I'm replacing something with itself.
    Ah, that makes more sense. Why not use htmlentities()?
    Quote Originally Posted by Troy297:
    Since I can't edit my earlier post, would all future respondents please keep the above in mind when replying. Thanks.
    Why can't you edit your post?

  • #5 Troy297 (Regular Coder)
    Quote Originally Posted by Inigoesdr:
    Ah, that makes more sense. Why not use htmlentities()?
    I did implement htmlentities() but I've set it up so it only happens when you're cleaning certain types of inputs so that it won't mess up the format of certain fields.

    Quote Originally Posted by Inigoesdr:
    Why can't you edit your post?
    Ah, never mind. I don't remember being able to edit my own posts after 5-10 minutes, I think it was... anyway, all's good now.
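The point raised in the last post, that HTML encoding has to be switched off for some fields so it does not mangle them, is the usual sign that encoding is happening at the wrong end. The following is an added example (mine, not code from the thread or from Radio DJ Panel) that runs the default branch's input-time encoding (htmlspecialchars, htmlentities, nl2br) next to output-time encoding chosen per destination. It assumes plain PHP 7.3 or later; the note text is constructed for the demonstration.

```php
<?php
// Added example, not code from the thread or from Radio DJ Panel.
// Shows why encoding belongs at output time, per context, rather than inside a
// general clean() at input time: a value encoded for HTML is wrong for every
// other destination, and gets encoded again when it finally reaches the page.
declare(strict_types=1);

// Constructed sample: a "notes" field a DJ might type.
const RAW_NOTE = "Tom & Jerry's <b>show</b> at 9pm";

// Input-time encoding, as the thread's default branch does. Whatever is stored
// after this is HTML, not the DJ's text, and htmlentities() has already
// re-encoded the '&' that htmlspecialchars() produced ('&amp;' -> '&amp;amp;').
function cleanAtInput(string $s): string
{
    $s = htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $s = htmlentities($s, ENT_QUOTES, 'UTF-8');
    return nl2br($s);
}

// Output-time encoding: store the raw text (bound as a parameter if it goes
// to SQL) and pick the encoder for the place it is being written to.
function forHtmlBody(string $s): string
{
    return nl2br(htmlspecialchars($s, ENT_QUOTES, 'UTF-8'));
}

function forHtmlAttribute(string $s): string
{
    // No nl2br inside an attribute: a literal <br /> there is just broken markup.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function forTextarea(string $s): string
{
    // A textarea shows the text for editing; <br /> tags would appear as markup.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function forJson(string $s): string
{
    // JSON consumers want the raw text; HTML entities here would surface literally.
    return json_encode($s, JSON_THROW_ON_ERROR);
}

$storedByCleaning = cleanAtInput(RAW_NOTE);

// What the input-time approach leaves you with: the stored value is already
// double-encoded, the page encodes it a third time, and the JSON export carries
// '&amp;amp;' and '&amp;lt;b&amp;gt;' instead of the note.
echo "stored by clean():   ", $storedByCleaning, PHP_EOL;
echo "then on the page:    ", forHtmlBody($storedByCleaning), PHP_EOL;
echo "then as JSON:        ", forJson($storedByCleaning), PHP_EOL;

// Output-time approach: one raw value, each destination encoded exactly once.
echo "raw in HTML body:    ", forHtmlBody(RAW_NOTE), PHP_EOL;
echo "raw in an attribute: ", forHtmlAttribute(RAW_NOTE), PHP_EOL;
echo "raw in a textarea:   ", forTextarea(RAW_NOTE), PHP_EOL;
echo "raw as JSON:         ", forJson(RAW_NOTE), PHP_EOL;
```

With this split there is no need for a `$what` argument that turns HTML encoding on or off per field: SQL injection is handled by parameter binding when the value is stored, and cross-site scripting by the encoder at the point of output, so the "notes" field can be stored exactly as typed and still be shown safely.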

