Old 09-20-2010, 01:58 PM  
BestXXXPorn
Confirmed User
 
 
Join Date: Jun 2009
Location: Asheville, NC
Posts: 2,277
Quote:
Originally Posted by Tempest
Yes, that will help. However, all the values should be validated if you want to stop all potential issues as it will also depend on how the SQL statements are done.

You want to do something like this on the post values. And I think it needs to be done after you're connected to the database for mysql_real_escape_string to work.

Code:
// escape every POST value in place; must run after the MySQL connection is open
// because mysql_real_escape_string() needs the connection's character set
foreach($_POST as $key => $val){
	if( is_array($val) ){
		// iterate by key so associative arrays (checkbox groups etc.) are handled too
		foreach($val as $k => $v){
			// strip magic-quotes slashes first so the value is not escaped twice
			$_POST[$key][$k] = mysql_real_escape_string(get_magic_quotes_gpc() ? stripslashes($v) : $v);
		}
	}else{
		$_POST[$key] = mysql_real_escape_string(get_magic_quotes_gpc() ? stripslashes($val) : $val);
	}
}
Tempest is correct, you'll need to be connected before using that function. It essentially asks MySQL to use its own escaping methods to ensure a given string is escaped properly. The best time to do this would be any time you are selecting or updating/inserting content into the DB that uses user input as a variable... When I say user input I mean anything that can come from a URL, a FORM, etc...

e.g.

You have pagination that uses GET parameters like: /models?page=1&hair=blue

While the user may not have had the option of typing in "blue" they could still override the GET param with some sort of SQL injection string... so it needs to be escaped.

The proper solution... and here is why the MVC Model/View/Controller design pattern is so damned handy ;) is to escape each field being queried for or updated using the aforementioned real escape string function/method. If your code base is MVC your Model (the database) logic will be split out so adding in this check for each field should be simple. If you're using something procedural or even OO and the Model is not split out correctly you'll be doing a LOT of search/replace action to find every place one of the queries is done and escape each individual field...

I WOULD NOT recommend doing something on every POST field unless each field is not used anywhere else in the code base. Otherwise you'll end up with lots of issues with variables no longer matching what was expected... Imagine $modelName="April O'Neil" vs = "April O\'Neil"...

Long story short it can either be a huge pain in the ass or not that big of a deal depending on the competency level of the developer who originally wrote the script :P

Hope that helps clarify that a bit for you ;)
__________________
ICQ: 258-202-811 | Email: eric{at}bestxxxporn.com

Last edited by BestXXXPorn; 09-20-2010 at 02:01 PM..
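An added example (not from this thread or either poster) of the per-field approach described in the post above: the raw value is escaped only at the moment it goes into a query, inside the Model, so the rest of the code base still sees "April O'Neil" unchanged. It assumes a mysqli connection rather than the mysql_* functions in the quoted snippet (those and magic quotes were removed from PHP), a hypothetical `models` table with `id`, `name` and `hair` columns, and mysqlnd for `get_result()`. The second method goes beyond the post and shows the same query as a prepared statement, where the value is never spliced into the SQL text at all.

```php
<?php
// Added example, not the thread's code. Table and column names are hypothetical.

class ModelRepository
{
    private mysqli $db;

    public function __construct(mysqli $db)
    {
        $this->db = $db;
    }

    // Escape one string right before it is interpolated into SQL. Nothing else
    // in the code base is touched, so the original value is still intact when
    // it is echoed to a page or written to a log (no "O\'Neil" surprises).
    private function esc(string $value): string
    {
        return $this->db->real_escape_string($value);
    }

    // Pagination query driven by GET params such as /models?page=1&hair=blue.
    // The user may only have clicked a link, but the URL can carry anything,
    // so the 'hair' field is escaped and the numeric fields are cast to int.
    public function findByHair(string $hair, int $page, int $perPage = 20): array
    {
        $offset = max(0, ($page - 1) * $perPage);
        $sql = sprintf(
            "SELECT id, name, hair FROM models WHERE hair = '%s' ORDER BY id LIMIT %d OFFSET %d",
            $this->esc($hair),   // escaped per field, at query time
            $perPage,            // %d forces an integer, nothing to escape
            $offset
        );
        $result = $this->db->query($sql);
        return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
    }

    // Same query as a prepared statement: values are bound as parameters and
    // never become part of the SQL string, so no escaping step exists to forget.
    public function findByHairPrepared(string $hair, int $page, int $perPage = 20): array
    {
        $offset = max(0, ($page - 1) * $perPage);
        $stmt = $this->db->prepare(
            "SELECT id, name, hair FROM models WHERE hair = ? ORDER BY id LIMIT ? OFFSET ?"
        );
        $stmt->bind_param('sii', $hair, $perPage, $offset);
        $stmt->execute();
        return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    }
}

// Usage (controller side): the Model decides how each field is protected; the
// controller only casts the page number and passes the hair value through raw.
// Connection details are placeholders.
$db   = new mysqli('localhost', 'db_user', 'db_pass', 'site_db');
$repo = new ModelRepository($db);
$rows = $repo->findByHair((string)($_GET['hair'] ?? ''), (int)($_GET['page'] ?? 1));
```

Because escaping lives in one place per field, a search for `real_escape_string` across the code base gives a complete list of every user-supplied value that reaches SQL, which is the audit the post describes having to do by hand when the Model is not split out.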