SQL injection

FatRat

i am worried about SQL injection on my website.

will this code protect my website?

so i just paste it in at the start of the code, and do it once for each $value?

thanks.

how will i know if it works?

RyanJones

FatRat wrote:
i am worried about SQL injection on my website.

will this code protect my website?

so i just paste it in at the start of the code, and do it once for each $value?

thanks.

how will i know if it works?

That should work, other simple things like not putting user input directly into an Eval() function etc. also help.

You can test your codee by trying to hack it yourself, ssuch as mess with the userinput as a hacker would try to do - if it works you'll know :-)

Cheers,

Ryan Jones

MarkR

No, it won't work if magic_quotes_gpc is enabled because it will call stripslashes() regardless of whether the string came from GET, POST, COOKIES or otherwise.

Therefore, data corruption will result (legitimate backslashes being unduly removed).

magic_quotes_gpc is never helpful, I recommend you cause your application to quit if it's enabled to avoid potential data corruption.

A better way of avoiding SQL injection is to use prepared queries everywhere - this can be done quite easily for example, using either PEAR:😃B, PDO, or even mysqli

Mark

unisabilly

MarkR wrote:
No, it won't work if magic_quotes_gpc is enabled because it will call stripslashes() regardless of whether the string came from GET, POST, COOKIES or otherwise.

Therefore, data corruption will result (legitimate backslashes being unduly removed).

magic_quotes_gpc is never helpful, I recommend you cause your application to quit if it's enabled to avoid potential data corruption.

A better way of avoiding SQL injection is to use prepared queries everywhere - this can be done quite easily for example, using either PEAR:😃B, PDO, or even mysqli

Mark

Is that means the following part will cause error :

if( get_magic_quotes_gpc() ) 
{ 
    $value = stripslashes( $value ); 
}

and if that is the case, would the following code work !?

function sql_quote( $value ) 
{ 
//check if this function exists 
if( function_exists( "mysql_real_escape_string" ) ) 
{ 
$value = mysql_real_escape_string( $value ); 
} 
//for PHP version < 4.3.0 use addslashes 
else 
{ 
$value = addslashes( $value ); 
} 
return $value; 
}

MarkR

No, the problem is that you're calling this function indescriminately, which is just as bad as magic_quotes_gpc.

Developers who think magic_quotes_gpc is a good idea, fail to grasp the concept that a value may be used for something other than putting it in a database.

Here are some cases where values must not be escaped in this manner:

Storage in a file on disc
Storage in the session
Putting in an email body
Putting in a RPC request to a foreign server
Passing through in a hidden (or non-hidden) field on the same or another page
Doing any logic on the string value, for example, comparison to some value fetched from a database.

These are just a small set of possibilities where adding slashes is going to cause corruption, and in each case where one of these things is done, care must be taken NOT to add slashes, otherwise you'll end up with the dreaded "backslashitis"

The trick is, to escape values AS THEY GO INTO THE DATABASE, not at any other time. If you escape values anywhere else, then they could accidentally be used for some other, non-database purpose, which will result in corruption.

As I mentioned before, prepared statements are DEFINITELY the right way to go.

Mark