protection against script injection

mrgrammar

I've been studying the code from a login script. It has the following lines.

// protection against script injection
$userid = preg_replace('/[^{a-zA-Z0-9]/',} '', $POST['userid']);
$password = preg_replace('/[^{a-zA-Z0-9]/',} '', $POST['password']);

What is the purpose of this technique? Does it make a login session more secure? Is it practical to use?

Brian

pjleonhardt

it is replacing anything that isn't alpha number with ''... so ppl can't put <script> tags or mySQL extraction commands, and other fun stuff thatd mess up your site

LordShryku

More specifically, it's looking for lower(a-z) or upper(A-Z) alpha's, numerics(0-9), and an underscor(_). If anything beyond that is found, it replaces it with ''. As pj said, it's a security measure to ditch tags. Though...it doesn't protect against SQL injection...

drawmack

sure it does, how are you going to inject sql if you can't close a quote on a varchar field?

LordShryku

"show" commands

drawmack

okay lord I've got a sql query like this

insert into users (username,password) values ('$userid','$password')

select from users where username = '$username' and password = '$password'

now you cannot use a ', ", <sp> or ;

so you enter the username and/or password of what to inject a show command?

LordShryku

And how do you know what his SQL looks like? You assume that everyone's SQL is going to be yours. It's not. I'm letting him know that he needs to secure his code. By saying it doesn't cover SQL injection, it may, it may not. But he'll look into it, I'm sure.

drawmack

oh in that case, can you show me the structure of a sql statement that would allow injection with on the letters, numbers and an underscore as input into a varchar, char or text field.

Mind you we know that it must be a field which can accept letters, numbers and the _ so it must be quoted in the sql and you're not allowed to use a character that ends the quote.

I'm not saying you're wrong, I'm saying if you're correct then prove it.

By saying something has a security hole when it doesn't you cause undo concern and panic. This is just as, if not more, harmful then bad code would be. After all it is how MS put Dr. DOS out of business.

LordShryku

Ok, nevermind. You're code is the securest thing ever produced. You should stop worrying about security(that was the original intent of the thread, right).I'm getting sick of hearing drawmack.

laserlight

It does protect against SQL injection, as far as I can tell.

Where it does not protect against SQL injection, it means that the programmer carelessly didnt use single quotes to enclose incoming variables.
In that case, normal data is likely to produce an error anyway.
Even then, such an exploit is likely to be minimal.

drawmack

Lord,
I was not attacking you. I was simply pointing out that it does protect against sql injection. If I am incorrect in this statement please let me know how. I am not attacking you.