Thread: PHP Function

  1. #1
    Join Date
    Aug 2007
    Location
    Oakham England
    Posts
    499

    PHP Function

    Hey

    Will this function work and what will it do?

    PHP Code:
    function clean($string){
        $string = str_replace("\"", "", $string);
        $string = nl2br($string);
        $string = htmlentities($string);
        $words = array("UNION",
                       "SELECT FROM",
                       "ORDER BY",
                       "INSERT INTO",
                       "TRUNCATE",
                       "DROP TABLE",
                       "CREATE TABLE",
                       "DROP DATABASE"); // All the queries we want to stop
        $string = preg_replace("/$words/i", "", $string);
        return $string;
    }

    Dan
    Streama - Your WordPress Friend
    http://www.streama.co.uk

  2. #2
    Join Date
    Dec 2007
    Location
    Lebanon
    Posts
    413
    The function will replace all the $words you stated by nothing (it will delete the $words).

  3. #3
    Join Date
    Aug 2007
    Location
    Oakham England
    Posts
    499
    I did that using this

    PHP Code:
    <?php
    function clean($string){
        $string = str_replace("\"", "", $string);
        $string = nl2br($string);
        $string = htmlentities($string);
        $words = array("UNION",
                       "SELECT FROM",
                       "ORDER BY",
                       "INSERT INTO",
                       "TRUNCATE",
                       "DROP TABLE",
                       "CREATE TABLE",
                       "DROP DATABASE"); // All the queries we want to stop
        $string = preg_replace("/$words/i", "", $string);
        return $string;
    }

    if($_GET['change'] == "yes"){
        $text = clean($_POST['text']);
        echo "$text";
    }
    ?>
    <form name="form1" method="post" action="?change=yes">
    Text:<br>
    <textarea name="text" id="text" cols="45" rows="5"></textarea>
    <br>
    <br>
    <input type="submit" name="button" id="button" value="Send">
    </form>
    but it didn't work
    Streama - Your WordPress Friend
    http://www.streama.co.uk

  4. #4
    What does it output ?

  5. #5
    Quote Originally Posted by Danny159
    PHP Code:
    $words = array("UNION",
                   "SELECT FROM",
                   "ORDER BY",
                   "INSERT INTO",
                   "TRUNCATE",
                   "DROP TABLE",
                   "CREATE TABLE",
                   "DROP DATABASE"); // All the queries we want to stop
    $string = preg_replace("/$words/i", "", $string);
    This won't work because $words is an array and you're trying to use it as a string. You need to use:
    PHP Code:
    foreach($words as $word) $string = preg_replace("/$word/i", "", $string);

  6. #6
    Join Date
    Aug 2007
    Location
    Oakham England
    Posts
    499
    Worked.
    Thanks Daniel, top man.
    Streama - Your WordPress Friend
    http://www.streama.co.uk

  7. #7
    Join Date
    Mar 2005
    Posts
    31
    What is the purpose of this? I hope it's not for protecting against SQL injection.

  8. #8
    Join Date
    Aug 2007
    Location
    Oakham England
    Posts
    499
    That's what I was planning.
    Streama - Your WordPress Friend
    http://www.streama.co.uk

  9. #9
    Join Date
    Jan 2006
    Location
    Athens, Greece
    Posts
    1,479
    It's better to filter on what you expect ( /^[0-9]+$/ ) and use
    mysql_real_escape_string($conn) on strings.
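    The "filter on what you expect" advice above, worked through as an added example (this is not code from the thread or from any poster). Every field is checked against an explicit pattern or allowlist and only then handed on; the field names, patterns and length limits are assumptions chosen for illustration, and the sample requests at the bottom are constructed.

```php
<?php
// Added example: validate each input against the shape you expect before it
// gets anywhere near a query. Field names, patterns and limits are assumed.

declare(strict_types=1);

/**
 * Validate a raw request array against per-field rules.
 * Returns [cleanInputs, errors]. A field only reaches $clean when it matched
 * its rule exactly, so callers never see unvalidated data.
 */
function validateRequest(array $input): array
{
    $rules = [
        // Positive integer id: the /^[0-9]+$/ idea from the post, then cast to int.
        // The D modifier stops $ from matching before a trailing newline.
        'id'       => ['pattern' => '/^[0-9]{1,10}$/D', 'cast' => 'intval'],
        // Usernames: a small, explicit character set and a length bound.
        'username' => ['pattern' => '/^[A-Za-z0-9_]{3,32}$/D'],
        // Sort column: a fixed allowlist, never a free-form string.
        'sort'     => ['allow' => ['username', 'created_at']],
    ];

    $clean  = [];
    $errors = [];

    foreach ($rules as $field => $rule) {
        if (!array_key_exists($field, $input) || !is_string($input[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        $value = $input[$field];

        if (isset($rule['pattern']) && preg_match($rule['pattern'], $value) !== 1) {
            $errors[$field] = 'does not match expected format';
            continue;
        }
        if (isset($rule['allow']) && !in_array($value, $rule['allow'], true)) {
            $errors[$field] = 'not an allowed value';
            continue;
        }
        // Cast only after the pattern matched, so intval never sees junk.
        $clean[$field] = isset($rule['cast']) ? $rule['cast']($value) : $value;
    }

    return [$clean, $errors];
}

// Constructed sample requests: one well-formed, one carrying the kind of
// payload the thread is worried about. Neither is real traffic.
$good = ['id' => '42', 'username' => 'danny_159', 'sort' => 'created_at'];
$bad  = ['id' => '42 OR 1=1', 'username' => "' OR 1=1", 'sort' => 'password'];

foreach ([$good, $bad] as $request) {
    [$clean, $errors] = validateRequest($request);
    echo "clean:  " . json_encode($clean)  . "\n";
    echo "errors: " . json_encode($errors) . "\n\n";
}
```

    Run it with the PHP CLI. The first request passes every rule and comes back as typed, validated values; the second is rejected on all three fields and nothing from it reaches $clean. Validation like this is not a substitute for parameterized queries or escaping; it narrows what the later layers ever have to deal with.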

  10. #10
    Join Date
    Aug 2007
    Location
    Oakham England
    Posts
    499
    So what would my code look like if I added that?
    Streama - Your WordPress Friend
    http://www.streama.co.uk

  11. #11
    Join Date
    Mar 2005
    Posts
    31
    Just off the top of my head, you forgot DELETE FROM, UPDATE, ALTER TABLE, etc., but that's not the point as you do NOT want to do it like this!

    What if your query was something like this:

    $db->query("SELECT user_id FROM users WHERE username = '{$_POST['username']}' AND password = '{$_POST['password']}'");

    Now someone types in someone else's username in your login form and puts ' OR 1=1 for the password; now they have logged in as someone else! That's just an example. Do it like Steve Arm just said.
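    The login query from the post, built two ways, as an added example (not code from the thread or from any poster): once by string interpolation, which is what the ' OR 1=1 input above takes advantage of, and once as a mysqli prepared statement, where user input can only ever be a value. The connection details, the users table and the column names are assumptions; the inputs at the bottom are constructed.

```php
<?php
// Added example: the post's login query built unsafely and safely.
// Database credentials and the users table are assumptions.

declare(strict_types=1);

// How the post builds the query: user input becomes part of the SQL text.
function buildLoginSqlUnsafe(string $username, string $password): string
{
    return "SELECT user_id FROM users WHERE username = '$username' AND password = '$password'";
}

// Parameterized version: the SQL text is fixed, values travel separately
// and are compared literally against the columns, quotes and all.
function findUserId(mysqli $db, string $username, string $password): ?int
{
    $stmt = $db->prepare(
        'SELECT user_id FROM users WHERE username = ? AND password = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $stmt->bind_result($userId);
    $found = $stmt->fetch();
    $stmt->close();

    return $found ? (int) $userId : null;
}

// Constructed inputs from the post: a real username and the injected password.
$username = 'alice';
$password = "' OR 1=1";

// The single quote in the password terminates the string literal early, so
// everything after it is parsed by MySQL as SQL rather than as data.
echo buildLoginSqlUnsafe($username, $password), "\n";

// With a live connection (assumed credentials) the prepared statement treats
// the same bytes as a password value, so no row matches and null comes back:
// $db = new mysqli('localhost', 'app_user', 'secret', 'app');
// var_dump(findUserId($db, $username, $password));
```

    The difference is structural, not cosmetic: with prepare() and bind_param() the query shape is sent to the server before any user data, so there is no point at which input can change what the statement does. The commented-out connection lines are left out of the runnable part so the script executes without a database.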

  12. #12
    Join Date
    Aug 2007
    Location
    Oakham England
    Posts
    499
    So do I keep the replace and add what the other post said? If so, how would I do that?
    Streama - Your WordPress Friend
    http://www.streama.co.uk

  13. #13
    Join Date
    Mar 2004
    Location
    USA
    Posts
    4,342
    You should be safe with:

    PHP Code:
    function clean($string){
        return mysql_real_escape_string($string);
    }

    No need to go into useless loops/searches.

    Peace,
    Testing 1.. Testing 1..2.. Testing 1..2..3...

  14. #14
    Join Date
    Aug 2004
    Location
    Canada
    Posts
    3,582
    Quote Originally Posted by azizny
    You should be safe with:

    PHP Code:
    function clean($string){
        return mysql_real_escape_string($string);
    }

    No need to go into useless loops/searches.

    Peace,
    Yeah, I have to agree here; that would be more logical.

    Then, if you wanted to do more filtering, you could do this within, say, a database class and just have it as a flag you can turn on, which in turn will do this essentially useless filtering.
    Tony B. - Chief Executive Officer
    Hawk Host Inc. Proudly serving websites since 2004
    Quality Shared and VPS Hosting
    PHP 5.3.x & PHP 5.4.x & PHP 5.5.X & PHP 5.6.X & PHP 7.0.X Support!

  15. #15
    function clean($string){
    return mysql_real_escape_string($string);
    }

    LOL at abbreviating an existing PHP function.

    I can't say I blame you, it makes sense, but it made me laugh when I saw the response.

  16. #16
    Join Date
    Aug 2004
    Location
    Canada
    Posts
    3,582
    Quote Originally Posted by futhey
    function clean($string){
    return mysql_real_escape_string($string);
    }

    LOL at abbreviating an existing PHP function.

    I can't say I blame you, it makes sense, but it made me laugh when I saw the response.
    In this case it may not be needed. But thinking down the road, what happens if mysql_real_escape_string no longer does the best job cleaning the data? Or if the requirements for cleaning change? Or, probably the best example of them all, the changing of the actual database being used.

    All you need to do is look at a lot of the database wrappers out there in frameworks, or even just standalone ones, which wrap already-made PHP functions. The reason is simply that things can change, and it's easier to change the code in the function than to do a mass find and replace down the road to change something like this.
    Tony B. - Chief Executive Officer
    Hawk Host Inc. Proudly serving websites since 2004
    Quality Shared and VPS Hosting
    PHP 5.3.x & PHP 5.4.x & PHP 5.5.X & PHP 5.6.X & PHP 7.0.X Support!

  17. #17
    Sorry, I want to emphasize I wasn't criticizing your code, that's a valid coding practice, but it makes me laugh for a second when I see a function that does nothing but return another function.

    Sorry if I offended you, but I'm not a big fan of frameworks either. But that's just me. They are also a great tool for quick development.

  18. #18
    Join Date
    Mar 2004
    Posts
    1,301
    Don't trust in using this function alone: mysql_real_escape_string($string);

  19. #19
    Join Date
    Aug 2007
    Location
    Oakham England
    Posts
    499
    What would you people use then?
    Streama - Your WordPress Friend
    http://www.streama.co.uk

  20. #20
    This is the most effective solution I've ever come across. It escapes characters to eliminate the vulnerability of an SQL Injection attack.

    This is being recommended by php.net in the official manual and by users on the site.

    "This function must always (with few exceptions) be used to make data safe before sending a query to MySQL."
    http://www.php.net/mysql_real_escape_string

    Hope this helps,
    James

  21. #21
    http://www.php.net/manual/en/securit...-injection.php

    Offers plenty of other good advice as well. For example, always using md5 hashes instead of plain text for passwords, always limiting the access to the mysql user, keeping the structure of your tables secret (Another measure is to avoid using "pass" or "password" as the name of your password column) .

    Also, as recommended by a php.net user, the PEAR package has built-in functions (prepare() and execute()) that help protect against these types of attacks, but I believe they work in much the same manner as the above.

    Hmm... Other tips.... Don't use GET Method?

  22. #22
    Well, why not use the MySQLi library instead of the MySQL one from the start? It's way better.
