Daehawk

Best Way To Stop Sql Injections


SQL Injection occurs via an input form (like a login), where the form accepts special characters (like !@#$%^ etc.). One of the easiest/best ways to prevent such a compromise is to disallow any special characters and force users to only use alphanumeric values when supplying input via a web-form (abc...123...).

Even spaces should be considered invalid, since SQL injection involves the use of an SQL statement containing spaces to separate keywords (select * from [table]).

 

Also, you should use a URL Decoding method before validating the input, that way a %20 would get converted to a space, and filtered out (as well as any other invalid encoded characters).

 

Doing that should thwart about 95% (if not 100%) of any SQL Injection techniques...


Create some function that strips the bad chars from the $vars, like |'"@!& you know. Or use some function that already exists, stripslashes for example. But do NEVER let $vars which will be in SQL functions through without any kind of "preparation" or it will be easy to manipulate the database. Be careful.


Create some function that strips the bad chars from the $vars, like |'"@!& you know. Or use some function that already exists, stripslashes for example. But do NEVER let $vars which will be in SQL functions through without any kind of "preparation" or it will be easy to manipulate the database. Be careful.

Is there a function in PHP which will only accept alphabet letters and numbers?


What I do is create an array of characters that I allow (Letters, numbers, spaces and/or underscores). Then I replace all those with "", and if there's still stuff in the string (if($str != "")) then I kill the script and prompt for a new string.


PHP to allow only letters/numbers:

function isAlphaNumeric( $szInput ){
    // '+' requires one or more characters (without it only a single character matched);
    // \z anchors at the very end of the string, so a trailing newline cannot pass
    return (bool) preg_match( '/^[a-zA-Z0-9]+\z/', $szInput );
}

// usage:
if( isAlphaNumeric( 'mystring123' ) ){
    // valid
}else{
    // invalid
}

I hope that helps!


I don't think that there's a premade function, but you can write one; it's not that hard considering there's a function that checks if something is alphanumeric.

function is_alphanum($str) {
        // ctype_alnum() is true only when every character is a letter or digit
        if(ctype_alnum($str)) {
                return true;
        } else {
                return false;
        }
}
Then you just do something like

if(is_alphanum($text)) {
        echo "Alphanumeric";
} else {
        echo "Not alphanumeric";
}
Or you could just skip the function step, but whatever.

 

I apologize if there's something wrong with this post, I have to connect to Trap non-graphically through my school because I can't load it on my home connection.
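Pulling the advice in this thread together (decode once, then allow-list each field, reject everything else) into one runnable piece; this is an added example of my own, not code from any of the posts, and the field names and patterns are assumptions for illustration.

```php
<?php
// Added example: allow-list validation of raw form input. The percent-escapes are
// decoded once BEFORE the check, so an "encoded" apostrophe (%27) cannot slip past.
// Field names and patterns are assumptions, not from the thread.
declare(strict_types=1);

// Per-field allow-lists; \z (not $) so a trailing newline cannot sneak through.
const FIELD_RULES = [
    'username' => '/^[A-Za-z0-9]{1,32}\z/',
    'comment'  => '/^[A-Za-z0-9 _]{1,500}\z/',   // letters, digits, spaces, underscores
];

/**
 * Returns the accepted (decoded) fields plus the names of rejected fields.
 * Decode first, validate second: validating the encoded form and decoding
 * afterwards would let encoded special characters through.
 */
function validateFields(array $raw): array
{
    $ok = [];
    $rejected = [];
    foreach (FIELD_RULES as $name => $pattern) {
        if (!isset($raw[$name]) || !is_string($raw[$name])) {
            $rejected[] = $name;          // missing or not a string: reject
            continue;
        }
        $decoded = urldecode($raw[$name]);   // exactly one decoding pass (%20 and + become spaces)
        if (preg_match($pattern, $decoded) === 1) {
            $ok[$name] = $decoded;
        } else {
            $rejected[] = $name;
        }
    }
    return ['fields' => $ok, 'rejected' => $rejected];
}

// Constructed sample inputs, as they would appear in a raw query string.
$samples = [
    ['username' => 'daehawk42',  'comment' => 'nice%20game'],   // both accepted
    ['username' => 'dae%27hawk', 'comment' => 'hello'],         // %27 decodes to ' -> username rejected
    ['username' => "abc\n",      'comment' => 'x'],             // trailing newline -> username rejected
];
foreach ($samples as $i => $input) {
    $result = validateFields($input);
    printf("sample %d: accepted=%s rejected=%s\n", $i,
        json_encode($result['fields']), implode(',', $result['rejected']));
}
```

PHP has already decoded $_GET and $_POST, so apply the decode step only to values read from the raw query string and skip it for superglobals. Treat this as a second line of defence behind parameterised queries, not a replacement for them.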


Thanks for all the posts. This will help me a lot with things. Yeah I had wondered where this post went after I posted it cause I couldn't find it then...boom there it is. Yay. I'm gonna save everything all of you posted to a WordPad document to get to faster without having to log into here when I am off working on coding my game.


Another surprisingly simple technique is to name databases and tables with random names. For example, people often look for a database called forum or phpbb etc. to inject a phpBB forum. If you use weird names it can be a last line of defence if they get through the script.


PHP to allow only letters/numbers:

function isAlphaNumeric( $szInput ){
    // '+' requires one or more characters (without it only a single character matched);
    // \z anchors at the very end of the string, so a trailing newline cannot pass
    return (bool) preg_match( '/^[a-zA-Z0-9]+\z/', $szInput );
}

// usage:
if( isAlphaNumeric( 'mystring123' ) ){
    // valid
}else{
    // invalid
}

I hope that helps!

Where did you get this code? And how did you learn to use preg function and the ereg function?


You can make your own checking function to strip strange characters and quotation marks, but you might as well use the excellent PEAR DB functions for just that issue. And Xisto has PEAR installed, so you don't have to worry about that either.

Just use the prepare() and execute() functions like so:

// <things you want to do here>
require_once("PEAR.php");
require_once("DB.php");
// die with a message on any PEAR DB error instead of continuing with bad state
PEAR::setErrorHandling(PEAR_ERROR_DIE, "Aaaaargh! Error: %s");
$conn = DB::connect("mysql://username:password@localhost/databasename");
// placeholders (?) are filled in by the driver; the values never become part of the SQL text
$preparedstatement = $conn->prepare('INSERT INTO tablename (field1, field2, field3, field4) VALUES (?, ?, ?, ?)');
$data = array($variable1, $variable2, $variable3, $variable4);
$conn->execute($preparedstatement, $data);

You will obviously have to change usernames/passwords/db name and set the variables and change table and field names to whatever you are using. :P

And if it's a guestbook or forum-like thing you might want to do something like:
$variable=htmlspecialchars($_POST['variable'], ENT_QUOTES);
to set HTML entities.


PEAR is a bunch of PHP packages with all sorts of handy functions. You can get more info about PEAR at pear.php.net and more about the PEAR DB package and how to use it here.
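The same prepare/execute pattern as the PEAR DB snippet above, written against PDO (PHP's built-in equivalent) with an in-memory SQLite database so it runs with no server; this is an added example, not the poster's code, and the table and column names are assumptions.

```php
<?php
// Added example: parameterised INSERT and SELECT with PDO. Bound values travel
// separately from the SQL text, so a quote in the data cannot end the string
// literal. Table/column names are assumptions for illustration.
declare(strict_types=1);

$conn = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // fail loudly, as PEAR_ERROR_DIE did above
]);
$conn->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, name TEXT NOT NULL, message TEXT NOT NULL)');

/** Insert one entry; the (?, ?) placeholders are filled by the driver at execute time. */
function addEntry(PDO $conn, string $name, string $message): int
{
    $stmt = $conn->prepare('INSERT INTO guestbook (name, message) VALUES (?, ?)');
    $stmt->execute([$name, $message]);
    return (int) $conn->lastInsertId();
}

/** Look up entries by exact name; SELECT gets the same treatment as INSERT. */
function entriesByName(PDO $conn, string $name): array
{
    $stmt = $conn->prepare('SELECT id, name, message FROM guestbook WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: an apostrophe and angle brackets, the characters that break
// string-concatenated SQL and unescaped HTML respectively.
addEntry($conn, "O'Brien", 'Great forum <b>thanks</b>');
addEntry($conn, 'Daehawk', 'Working on my game');

foreach (entriesByName($conn, "O'Brien") as $row) {
    // Stored verbatim (the quote did not terminate the SQL string); escaped only on output,
    // which is the htmlspecialchars step the post above recommends for guestbook text.
    printf("%d %s: %s\n", $row['id'],
        htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8'));
}
```

Placeholders can only stand in for values; table and column names still have to come from your own code or an allow-list, never from user input.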

