Topic: How do you clean your variables?

In order to avoid SQL injections?

I use magic quotes, and for numerical values I check if they really are numerical.

Does anybody use a list of stopwords or something for string variables?

Re: How do you clean your variables?

Err... AFAIK, there are only a couple of possible SQL injects, and those should all be prevented by what you're doing.

// A numeric inject
$string = "5; DROP TABLE users";
// When you don't run intval() on this (which returns the leading numeric value in the string, or 0) you'll have an inject.
mysql_query("SELECT * FROM hello WHERE id = ".$string);

// A string inject
$string = "hello '; DROP TABLE users";
// When you don't run mysql_real_escape_string() or similar you'll have an inject
// (the value has to sit inside SQL quotes for the string case to make sense).
mysql_query("SELECT * FROM hello WHERE name = '".$string."'");

These should be the most important ones.
I hope it helps.

Re: How do you clean your variables?

Bekko: Both of your examples wouldn't actually inject anything (only mysqli_multi_query allows multiple SQL statements). You would have to use a UNION instead.
However, what you said is right: intval numbers, $db->escape strings (where people could put 's or "s in) and you're good.

Re: How do you clean your variables?

Have you read this article yet?

Re: How do you clean your variables?

Indeed Smartys, but some other database systems might do it otherwise. I think you can do multiple queries when using ODBC by default (not sure though).

Re: How do you clean your variables?

OK, something concrete:

How do you protect from an injection like the one you pointed at in this post, if you have a string var instead of a number?

Re: How do you clean your variables?

// intval() keeps only the leading integer and discards the rest of the string
$thingy = intval('0 union select password from users where id = 2');

$thingy would contain 0.

Re: How do you clean your variables?

If you have a limited set of things they can submit, a switch() statement is pretty solid as well.

Re: How do you clean your variables?

elbekko, you didn't understand me. In that case you are cleaning a variable that is supposed to be an integer. I am talking about variables that are supposed to be strings, like search keywords and stuff. How do you clean a string so that the kind of injection Smartys pointed out in the topic I linked doesn't happen?

Re: How do you clean your variables?

// mysql_real_escape_string() escapes the quote characters that matter for the open connection's charset
$thingy = mysql_real_escape_string('whatever code, var, thingy in here');


Re: How do you clean your variables?

Can someone explain to me why mysql_real_escape_string uses a mysql connection handle? I don't quite get it!

Many thanks,

Phil

Re: How do you clean your variables?

According to the PHP manual, it's for detecting the current text encoding used.

Re: How do you clean your variables?

OK... there is something on php.net that makes me think...

They suggest using mysql_real_escape_string(); if not, consider addslashes.
Now... according to what Smartys told me here http://punbb.org/forums/viewtopic.php?pid=83488#p83488 , one should ALWAYS use mysql_real_escape_string in order to be safe, as addslashes doesn't protect against everything.

Am I right or did I forget something?

Re: How do you clean your variables?

As long as you're not inserting binary data (such as images) into the database, addslashes() will do fine.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: How do you clean your variables?

Rickard wrote:

As long as you're not inserting binary data (such as images) into the database, addslashes() will do fine.

I'm afraid you left me even more confused... in the message I pointed to just above, Smartys says the opposite.

Though he is talking about the mysql_magic_quotes directive.

Re: How do you clean your variables?

magic_quotes is evil. In my opinion, it causes more problems than it solves. In PunBB, we check if magic_quotes_gpc is on and if it is, we run stripslashes() on everything in $_GET, $_POST and $_COOKIE. Now we know that stuff hasn't been escaped. We then run the database specific escape function before we insert it into the database. If PunBB only supported MySQL, we could just as well run addslashes(), but addslashes causes some problems with SQLite or PostgreSQL (can't remember which).


Re: How do you clean your variables?

Rickard wrote:

magic_quotes is evil. In my opinion, it causes more problems than it solves. In PunBB, we check if magic_quotes_gpc is on and if it is, we run stripslashes() on everything in $_GET, $_POST and $_COOKIE. Now we know that stuff hasn't been escaped. We then run the database specific escape function before we insert it into the database. If PunBB only supported MySQL, we could just as well run addslashes(), but addslashes causes some problems with SQLite or PostgreSQL (can't remember which).

SQLite appears to be the one with issues, but PostgreSQL has a comment which seems to suggest addslashes is a bad idea as well.
And as for why addslashes isn't a good choice as opposed to a DB specific one (for MySQL, in this case): http://shiflett.org/archive/184

Re: How do you clean your variables?

OK... I will insist...
Smartys... you said yourself that no slashes are necessary to perform an injection. Knowing this, how can addslashes be enough?

Re: How do you clean your variables?

pedrotuga wrote:

OK... I will insist...
Smartys... you said yourself that no slashes are necessary to perform an injection. Knowing this, how can addslashes be enough?

Yes, if you're expecting an integer and don't use intval or an equivalent function I can perform an SQL inject.
There is no function that will magically make everything safe. You need to know what you're expecting and deal with each type correctly.
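Putting Rickard's magic_quotes handling and Smartys' "deal with each type correctly" advice together, as an added example (not PunBB's code and not from any post in this thread). It uses the mysqli_* counterparts because the mysql_* functions discussed above were removed in PHP 7; the connection credentials, table and column names are placeholders.

```php
<?php
// Added example: normalise input once, then treat each value by its expected type.

// 1. If the (long removed) magic_quotes_gpc setting is on, undo the slashes it
//    added so that every value is known to be unescaped, as PunBB does.
function undo_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);   // recurse, keys preserved
    }
    return stripslashes($value);
}
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// 2. Open the connection and declare its character set: this is why the escape
//    function takes a connection handle, it must know which bytes are quotes.
$db = mysqli_connect('localhost', 'user', 'pass', 'forum');   // placeholder credentials
mysqli_set_charset($db, 'utf8mb4');

// 3. Expected integer: intval() keeps only the leading number, so
//    "0 union select password from users where id = 2" becomes 0.
$id  = intval($_GET['id'] ?? 0);
$sql = "SELECT * FROM users WHERE id = $id";

// 4. Expected string: escape with the connection-aware function AND put the
//    value inside SQL quotes; an escaped value outside quotes is still bare SQL.
$name = mysqli_real_escape_string($db, $_GET['name'] ?? '');
$sql  = "SELECT * FROM users WHERE name = '$name'";

// 5. Expected one of a few known values: a switch() over the allowed list,
//    falling back to a default, so the input never reaches the query text at all.
switch ($_GET['sort'] ?? '') {
    case 'name': $order = 'name';    break;
    case 'date': $order = 'created'; break;
    default:     $order = 'id';
}
$sql = "SELECT * FROM users ORDER BY $order";
```

The three branches are the thread's whole answer: there is no single cleaning function, only the right treatment for the type you expect.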

Re: How do you clean your variables?

Smartys wrote:
pedrotuga wrote:

OK... I will insist...
Smartys... you said yourself that no slashes are necessary to perform an injection. Knowing this, how can addslashes be enough?

Yes, if you're expecting an integer and don't use intval or an equivalent function I can perform an SQL inject.
There is no function that will magically make everything safe. You need to know what you're expecting and deal with each type correctly.

What if I am expecting a string? Can you still perform an inject even if I use addslashes()?

Re: How do you clean your variables?

http://shiflett.org/archive/184
Yes, depending on the character set you're using. Therefore, it's always a good idea to use mysql_real_escape_string.

Re: How do you clean your variables?

Thank you.