Geek Answers Handbook

How to clear a string to avoid SQL injection and the most common types of attacks? (in PHP)

Is there a way to filter the string for SQL injection and the most common forms of attack as little code as possible?

In my scripts I use the following, I would like to know how safe it is and if anyone has a suggestion:

$cleanName = htmlspecialchars(addslashes($dirtyName));

See how I filtered it for both html characters and quotes and double quotes.

NOTE. I use addslashes() , not mysql_real_escape_string() , because I don’t want to hardcode the database that I use in my code.

This is normal?

Thank you in advance

+2
source share
4 answers

Probably not ... you need to avoid your source code for each purpose for which you are going to use it separately:

  • For GET requests, use urlencode .
  • Use htmlentities for HTML htmlentities .
  • To invoke the system command, use escapeshellcmd .
  • To pass arguments to a command through system : use escapeshellargs .
  • To pass a database parameter: use mysql_real_escape_string .

There is no “one-stop” solution for magically elusive text. Keep the raw text inside and avoid it for the purpose.

+5
source

Unless you mind re-encoding your connection and a couple of extra lines of code, you cannot defeat PDO for security. It uses a C server to prepare and execute your mysql queries. So instead of concatenating strings, you get predefined sections in the query, which should be an XYZ value. One of the guys here at stackoverflow explained this as follows:

Imagine a stand for a hot dog. You go to the rack for a hot dog and say that I need a hot dog with 3 fillings. Ketchup, mustard, and we will let another random stranger tell us about the third victory. The sql injector can stand up and say: “Ketchup, mustard and“ give me all the money in the box. ”Standard concat requests have no way to determine that this is an invalid answer and, therefore, pass the requested. In the prepared statement they will answer:“ I don’t have seasonings, "give me all the money in the box."

The reports prepared by PDO are essentially evidence of injection. You still have other vulnerabilities like cookie / session hijacking etc. But at least the injection is not in the table.

+1
source

Do not rain at the Kerrek parade, but there is one, relatively universal solution. I use the following and always worked:

$safe_value = mysql_real_escape_string( strip_tags( trim( $value ) ), $db_connection ); // This is if you aren't storing any html tags

$safe_value = mysql_real_escape_string( html_entities( trim( $value ) ), $db_connection ); // This is if you are storing html tags

Hope this helps.

0
source

If you know exactly what type of input you expect, it is better to use preg_replace () if you know that you expect only an alpha number:

 <?php if (isset($_GET['page'])) { $page = preg_replace('/[^a-z0-9]/', '', $_GET['page']); include_once($includeDir.'/'.$page.'.php'); } ?>

The above should prevent all attacks performed via GET or POST, but assumes that you expect only alphanumeric input. Well, basically I meant a directory traversal attack, but if you use the GET variable to query the database or display it as an html object, this should prevent any attack. A http: //mydomain.tld? Index.php? Page = .. / .. / etc / passwd the request will not read your passwd file from your site / var / www root, but will try to include the etcpasswd.php file in it file

-1
source

More articles:


All Articles