catching malicious data??

srikanth

A source of potential problems is considered a dynamic web application is the "polution" of input with bad, if not downright malicious data.

/ assumed $name is user data culled from a POSTed HTML form... /
$query = "SELECT * FROM members WHERE firstname = '" . $name ."';"
$result = mysql_query($query);
Can any one help me out??
How will i catch malformed (malicious?) POST/GET data in $name.

Weedpacket

Consider PDO; when you use prepared statements the database drivers will sanitise input.

Failing that, search the forums for the terms "SQL injection".

Certainly: don't try to identify malicious data - that's a losing battle. Instead identify legitimate data - you already know what that looks like.

srikanth

i had tried to search some thing out from the forms???
can you suggest some code for solving this.i didnt have any idea for solving this kind a problem

bradgrafelman

I'll reiterate what Weedpacket suggested; assuming you're not behind times and are using PHP5, the [man]PDO[/man] extension is a great solution to this problem as its drivers sanitize data for you.

Other than that, Weedpacket also gave you a very good hint to search for - SQL injection. Heck, put my name into the poster field and you'll pretty much have your answer approximately 100 times. :p Essentially, you simply sanitize all user-supplied data with a function such as [man]mysql_real_escape_string/man.

TF_TheMoon

You could also validate the input in various ways. for instance, if you know that the username could only contain alphanumerics and underscores then you could run something like

if (true == preg_match("/^[\w]+$/",$name )) {
    echo "passed";
} else {
    echo "failed";
}

srikanth

A source of potential problems is considered a dynamic web application is the "polution" of input with bad, if not downright malicious data.

can any one help me out with the code??

bradgrafelman

You should never place user-supplied data directly into a SQL query. Instead, sanitize it first with a function such as [man]mysql_real_escape_string/man.

Or, you could instead use the PDO extension as its drivers protect you automatically.

srikanth

can you help me with an example of some code???

NogDog

Threads merged . . . please do not double post.

srikanth

can any one help me with the code??????

NogDog

Did you read Brad's suggested link to the [man]mysql_real_escape_string/man function? It includes a number of code samples.

srikanth

<?php

if (isset($_POST['first_name'])) {
// Connect

$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password');

if(!is_resource($link)) {

    echo "Failed to connect to the server\n";
    // ... log the error properly

} else {

    // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.

    if(get_magic_quotes_gpc()) {
        $last_name = stripslashes($_POST['last_name']);
       } else {
        $last_name = $_POST['last_name'];
       }

    // Make a safe query
    $query = sprintf("SELECT * FROM `customers` WHERE `last_name` = '%s'",
                     mysql_real_escape_string($last_name, $link);

    mysql_query($query, $link);

    if (mysql_affected_rows($link) > 0) {
        echo "Product inserted\n";
    }
}

} else {
echo "Fill the form properly\n";
}
?>
plzzz check this code out and suggest me the modifications!!

srikanth

can any one check whether the above code works???

bradgrafelman

srikanth wrote:
can any one check whether the above code works???

Well it's your code and your server... can't you?

Also, when posting PHP code please use the board's [PHP][/PHP] bbcode tags as they make your code much easier to read and analyze. You should go back and edit your post now to add these tags.

EDIT: It would also help if you post the error message for us, rather than have us try to guess what the problem is. Since I'm feeling generous, though, I took a look at your code anyway and found that you left off the closing ')' for the sprintf() function.