Re: Protecting MySQL Injection from PHP form



Also, you should be checking against type (expecting a number? a boolean
value? a string?) and then checking against expected length requirements
(such as firstname can only be 80 characters long max, so maybe check for

<code>
if (strlen($var) > 80) {
    // reject the value before it reaches the query
    $errors[] = 'firstname must be 80 characters or fewer';
}
</code>

In unit testing, you build your objects first against types and perform
object checks using type verification and expected element attributes (such
as length, non-null values, etc...). If someone is posting a string of 8000
letters into a field that is supposed to contain a number two letters long,
before it is stored, maybe you manage that...

On 5/24/07, Jared Farrish <farrishj@xxxxxxxxx> wrote:

I'm not sure exactly what kind of sanitization you think you're doing, but
if all you do is check to see if it's empty (empty() implements isset(),
empty() checks to see if it's set, then if it evaluates to an empty
variable), that's not much sanitization.

What you need to do is check for SQL injections, which means you need to
sanitize GPC (GET, POST, COOKIES) to prevent the following (only a
demonstration):

SELECT `colname` FROM `tablename` WHERE id='$variable' LIMIT 0,10

What happens if $variable is equal to:

$variable = $_POST['somedata'];

And $_POST['somedata'] ~ " 'INSERT INTO users
VALUES('name','password','AdminGroup')' ";

This is an example of a possible SQL injection (which means unknown SQL
code is running through your script access). The way to prevent this is to
escape single quotes before insert/select, and also turn all html entities
into escaped values (so that someone cannot put a <script></script> block
into the signature for their user, for example).

The good thing is, there are numerous help sites online that describe how
to do this. Generally, you're better off wrapping your SQL commands into a
class or at least a series of functions, so that you can implement your
sanitization once and use it for all database interactions.

Google: http://www.google.com/search?q=php+sanitize+sql+statement
PHP.net: http://www.php.net/manual/en/security.database.sql-injection.php

--
Jared Farrish
Intermediate Web Developer
Denton, Tx

Abraham Maslow: "If the only tool you have is a hammer, you tend to see
every problem as a nail." $$
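Added example, not code from the original thread: the query shape from the post run against an in-memory SQLite table through PDO (assumes the pdo_sqlite extension), with the length/type check from the reply, the interpolated query, and a prepared-statement version side by side. Function names and the sample table are my own.

```php
<?php
// Added example, not code from the thread. Runs the query from the post
// against an in-memory SQLite table (assumes pdo_sqlite) so the effect
// of a quote-breaking form value can be seen without a MySQL server.

// Type and length check the reply recommends for a first name:
// non-empty, letters/spaces/hyphens/apostrophes only, at most 80 bytes.
function validate_firstname(string $var): ?string
{
    if ($var === '' || strlen($var) > 80 || !preg_match("/^[A-Za-z' -]+$/", $var)) {
        return null;
    }
    return $var;
}

function setup(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id TEXT, name TEXT)");
    $db->exec("INSERT INTO users VALUES ('1', 'alice'), ('2', 'bob')");
    return $db;
}

// Vulnerable: the request value is pasted into the SQL text, so any
// single quote it contains changes the structure of the statement.
function lookup_unsafe(PDO $db, string $variable): array
{
    $sql = "SELECT name FROM users WHERE id='$variable' LIMIT 0,10";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value is bound as a parameter and is never parsed as SQL.
function lookup_safe(PDO $db, string $variable): array
{
    $stmt = $db->prepare("SELECT name FROM users WHERE id = ? LIMIT 0,10");
    $stmt->execute([$variable]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = setup();
// Constructed sample input: the string from the post, as a posted field value.
$somedata = " 'INSERT INTO users VALUES('name','password','AdminGroup')' ";

var_dump(validate_firstname($somedata) === null); // rejected by the input check
try {
    lookup_unsafe($db, $somedata);                  // the quotes break the statement
} catch (PDOException $e) {
    echo "unsafe query rejected by the database: ", $e->getMessage(), "\n";
}
var_dump(lookup_safe($db, $somedata));            // no rows: matched as plain data
```

The unsafe version fails here only because this particular value is not well-formed SQL once pasted in; a value crafted to keep the statement valid would run as SQL, which is why the check and the bound parameter come first.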

