Well, here's the story. I have been learning PHP since last March, so I'm relatively new to the whole thing. When I learned how to use MySQL with PHP, my possibilities started to open up drastically. Almost immediately, I began to develop my first content management system as a website I was working on. Since then, I have expanded that CMS to three different websites, and I have used upwards of about 500 mysql_query() functions across the three sites.
Then I learned about SQL injections and the importance of sanitization (the source from which I learned about MySQL queries in PHP did not mention injections at all). So, is there any way I can apply a mysql_real_escape_string() to ALL of my SQL queries without going through thousands of lines of code? It's a fairly routine operation, and it seems like something a "site-wide find and replace" with RegEx support should be able to fix.
Ideas, anyone? I would really appreciate your help, because the prospect of the task ahead is not inviting.
Thanks,
Trevor
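
The "site-wide find" half of the idea above, as an added example that is not part of the original post: a Python script that lists each mysql_query() call whose argument contains a PHP variable not passed directly through mysql_real_escape_string(). The function name `audit` and the sample PHP are constructed for illustration, and the matching is a heuristic for triage, not a PHP parser.

```python
import re

# A mysql_query( ... ) call up to its terminating ");" (may span lines).
CALL_RE = re.compile(r"mysql_query\s*\((.*?)\)\s*;", re.DOTALL)
# A PHP variable, including array access such as $_GET['id'].
VAR = r"\$\w+(?:\[[^\]]*\])*"
VAR_RE = re.compile(VAR)
# A variable passed directly to mysql_real_escape_string().
ESCAPED_RE = re.compile(r"mysql_real_escape_string\s*\(\s*" + VAR)


def audit(source):
    """Return [(line_number, [variables not directly escaped]), ...]."""
    findings = []
    for match in CALL_RE.finditer(source):
        argument = match.group(1)
        # Drop escaped values first, so only unescaped uses remain.
        remaining = ESCAPED_RE.sub("", argument)
        risky = sorted(set(VAR_RE.findall(remaining)))
        if risky:
            line = source.count("\n", 0, match.start()) + 1
            findings.append((line, risky))
    return findings


# Constructed sample input, not code from the poster's sites.
SAMPLE = '''<?php
$r1 = mysql_query("SELECT * FROM pages WHERE id = " . $_GET['id']);
$r2 = mysql_query("SELECT * FROM users WHERE name = '"
    . mysql_real_escape_string($name) . "'");
$r3 = mysql_query("SELECT COUNT(*) FROM pages");
$r4 = mysql_query($sql);
'''

if __name__ == "__main__":
    for line, variables in audit(SAMPLE):
        print(f"line {line}: review {', '.join(variables)}")
```

A query built in a variable first (`$sql` above) is listed because the script cannot see how that variable was assembled; an optional connection argument to mysql_query() would be listed for the same reason.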