Hey guys,
It's been a while, I know. I used to love coming here to answer people's questions, but work and school have been keeping me too busy to do anything but lurk. I usually write all my code/apps by hand, and over the past couple of years I've created a common set of PHP functions that I implement on every site. This code continues to grow, and may become a framework one day (http://ryan.crawford.com/framework/default/). I wanted to present some of the crux functions for your consideration. Specifically, I'd like to know what your best practices are in relation to preventing SQL insertion attacks, looking at the functions I use to control it:
Code:
// Class name is assumed; the post shows only the members below.
class Db {
    // Substitution map: each key is replaced by its value before data is
    // written, and mapped back to the key on read.
    private $chars = array(
        ";" => "{00sc}", "'" => "{01sq}",
        "!" => "{02ex}", "$" => "{03dl}",
        "%" => "{04pr}", "<" => "{05ls}",
        ">" => "{06gt}", "=" => "{07eq}",
        "&" => "{08an}", "#" => "{09pd}",
        "," => "{10cm}", "/" => "{11fs}",
        "*" => "{12as}", "\\" => "{13bs}"   // a backslash must itself be escaped inside a PHP string literal
    );
    // Second map consulted by extract(); its contents are not in the post,
    // so it is left empty here (str_replace with empty arrays is a no-op).
    private $depc = array();
    // Config used by query(): 'logdir' (directory) and 'qlog' (log file).
    private $cfg = array('logdir' => '', 'qlog' => '');

    /*
     * Func: inject($str) - aptly named :)
     * Desc: We'll be the only people doing SQL injection here
     */
    function inject($str) {
        return str_replace(array_keys($this->chars),
                           array_values($this->chars), $str);
    }

    /*
     * Func: extract($str)
     * Desc: Opposite of inject. $str may be a string or a fetched row
     *       (array); str_replace handles both.
     */
    function extract($str) {
        $str = str_replace(array_values($this->depc),
                           array_keys($this->depc), $str);
        return str_replace(array_values($this->chars),
                           array_keys($this->chars), $str);
    }

    /*
     * Func: query($query_data)
     * Desc: Make a query on the database (SELECT)
     * Note: If a log directory is defined, we will track queries
     *       Uses the legacy ext/mysql API (mysql_*), which was removed in PHP 7.
     */
    function query($qdata) {
        $result = mysql_query($qdata) or die("
            Query: " . $qdata . "
            Issue: " . mysql_error());
        // set the condition for the switch statement: the first word of the query
        $c = substr($qdata, 0, strpos($qdata, ' '));
        if ($c == "DELETE" || $c == "INSERT" || $c == "UPDATE") {
            if (is_dir($this->cfg['logdir']))
                $this->logLine($qdata, $this->cfg['qlog']);   // logLine() is not shown in the post
            return true;
        }
        if (mysql_num_rows($result) == 0)
            return false;
        $array_result = array();
        while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
            $array_result[] = $this->extract($line);
        }
        return $array_result;
    }

    /*
     * Func: iquery($array,$table)
     * Desc: Insert data into the db (using just $_POST)
     */
    function iquery($arr, $table) {
        // againstTable() (not shown in the post) narrows $arr to the table's columns
        if (!$dataArr = $this->againstTable($arr, $table))
            return false;
        $insertNames  = '';
        $insertValues = '';
        $n = 1;
        // Loop to create SQL query
        foreach ($dataArr as $key => $value) {
            $insertNames  .= (sizeof($dataArr) == $n) ? $key : $key . ",";
            $insertValues .= (sizeof($dataArr) == $n) ? "'" . $value . "'" : "'" . $value . "',";
            $n++;
        }
        $this->query("INSERT INTO " . $table . " (" . $insertNames . ") VALUES (" . $insertValues . ");");
    }
}
Basically, if you look at the array $chars, for inserted data I am searching for the keys and converting them to the values before insertion. It is a function I run all my inserts through. The query() function is what I do all my SELECTs with, and it converts the characters back (the inject function encrypts, extract decrypts, for lack of a better term). These are written object-oriented, so I still have access to PHP's extract if ever needed.
The question now being: what do you think of the effectiveness of this technique in terms of protecting against SQL injection? Are there ways to beat it? Are there better methods? Is this efficient? I'm not sure what algorithm PHP is using for str_replace, but the best ones don't run any faster than O(n). I don't think this runs any worse.
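As an added example (not the poster's code), the script below puts the substitution map from the post next to parameterised queries, which is the standard answer to "are there better methods". It re-creates inject() from the map above, runs both approaches against an in-memory SQLite database, and checks two things a reviewer would look at: what happens to input that contains none of the mapped characters when it lands in an unquoted (numeric) position, and what the substitution leaves in the table for a string that contains a quote. It assumes PHP with the pdo_sqlite extension; the users table, column names and the input strings are constructed for the demo.

```php
<?php
// Added example, not the original poster's code. Requires pdo_sqlite.

// Stand-in for the poster's inject(): the same substitution map.
function inject_like_post(string $s): string {
    static $chars = array(
        ";" => "{00sc}", "'" => "{01sq}", "!" => "{02ex}", "$" => "{03dl}",
        "%" => "{04pr}", "<" => "{05ls}", ">" => "{06gt}", "=" => "{07eq}",
        "&" => "{08an}", "#" => "{09pd}", "," => "{10cm}", "/" => "{11fs}",
        "*" => "{12as}", "\\" => "{13bs}",
    );
    return str_replace(array_keys($chars), array_values($chars), $s);
}

// Constructed test database (assumed schema, not from the post).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// 1. Unquoted numeric position. The constructed input uses only letters,
//    digits and spaces, so the map has nothing to rewrite and the string
//    reaches the SQL parser as written: WHERE id = 1 OR 1 matches every row.
$id       = "1 OR 1";
$filtered = inject_like_post($id);                 // still "1 OR 1"
$rows = $pdo->query("SELECT id FROM users WHERE id = $filtered")
            ->fetchAll(PDO::FETCH_COLUMN);
echo "substitution, numeric context: [" . implode(",", $rows) . "]\n"; // [1,2]

// 2. Same lookup with a bound parameter. The value is sent as data, so the
//    comparison is id = '1 OR 1' and the OR is never parsed as SQL.
//    (SQLite returns no row here; MySQL would coerce the text to 1 and
//    return only that row. Neither returns the whole table.)
$stmt = $pdo->prepare("SELECT id FROM users WHERE id = :id");
$stmt->execute([':id' => $id]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "prepared, numeric context:     [" . implode(",", $rows) . "]\n";

// 3. Quoted string position. The substitution does keep the quote out of
//    the statement, but the stored value is the rewritten form, so every
//    read must go through extract() and any LIKE/= against the raw column
//    no longer matches what the user typed. The bound parameter stores the
//    real apostrophe with no round trip.
$name = "o'brien";
$pdo->exec("INSERT INTO users (id, name) VALUES (3, '" . inject_like_post($name) . "')");
$stmt = $pdo->prepare("INSERT INTO users (id, name) VALUES (4, :name)");
$stmt->execute([':name' => $name]);
foreach ($pdo->query("SELECT id, name FROM users WHERE id IN (3, 4)") as $r) {
    echo $r['id'] . " => " . $r['name'] . "\n";    // 3 => o{01sq}brien, 4 => o'brien
}
```

The same pattern is available for MySQL through PDO's mysql driver or through mysqli_prepare() with bind_param(); in both cases the statement text is fixed before any value is supplied, so there is no per-character map to keep complete and no decode step on read. Case 1 is the check to keep in mind when reviewing the scheme above: inject() only protects a value that will sit between quotes, and nothing in query() enforces that.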