Hey guys,
Its been a while, I know. Use to love coming here to answer peoples questions, but work and school have been keeping me too busy but do anything but lurk. I usually write all my code/apps by hand and over the past couple years created a common set of PHP functions that I implement on every site. This code continues to grow, and may become a framework one day (http://ryan.crawford.com/framework/default/). I wanted to present some of the crux functions for your consideration. Specifically I'd like to know what your best practices are in relation to preventing SQL insertion attacks, looking at the functions I use to control it:
Code: private $chars = array(
";" => "{00sc}", "'" => "{01sq}",
"!" => "{02ex}", "$" => "{03dl}",
"%" => "{04pr}", "<" => "{05ls}",
">" => "{06gt}", "=" => "{07eq}",
"&" => "{08an}", "#" => "{09pd}",
"," => "{10cm}", "/" => "{11fs}",
"*" => "{12as}", "\"=> "{13bs}"
);
/*
* Func: inject($str) - aptly named :)
* Desc: We'll be the only people doing SQL injection here
*/
function inject($str) {
return str_replace(array_keys($this->chars),
array_values($this->chars),$str);
}
/*
* Func: extract($str)
* Desc: Opposite of inject
*/
function extract($str) {
$str = str_replace(array_values($this->depc),
array_keys($this->depc),$str);
return str_replace(array_values($this->chars),
array_keys($this->chars),$str);
}
/*
* Func: query($query_data)
* Desc: Make a query on the database (SELECT)
* Note: If a log directory is defined, we will track queries
*/
function query($qdata) {
$result = mysql_query($qdata) or die("
Query: ".$qdata."
Issue: " . mysql_error());
// set the condition for the switch statement
$c = substr($qdata,0,strpos($qdata,' '));
if($c == "DELETE"||$c == "INSERT"||$c == "UPDATE") {
if(is_dir($this->cfg['logdir']))
$this->logLine($qdata,$this->cfg['qlog']);
return true;
}
if(mysql_num_rows($result)==0)
return false;
while($line = mysql_fetch_array($result,MYSQL_ASSOC)) {
$array_result[]=$this->extract($line);
}
return $array_result;
}
/*
* Func: iquery($array,$table)
* Desc: Insert data into the db(using just $_POST)
*/
function iquery($arr,$table) {
if(!$dataArr = $this->againstTable($arr,$table))
return false;
$n = 1;
// Loop to create SQL query
foreach($dataArr as $key => $value) {
$insertNames .= (sizeof($dataArr)==$n)? $key : $key.",";
$insertValues.= (sizeof($dataArr)==$n)? "'".$value."'" : "'".$value."',";
$n++;
}
$this->query("INSERT INTO ".$table." (".$insertNames.") VALUES (".$insertValues.");");
}
Basically, if you look at the array $chars, for inserted data I am searching for the keys and converting them to the values before insertion. It is a function I run all my inserts through. The query() function is what I do all my SELECTS with and it converts the characters back (the inject function encrypts, extract decrypts for lack of a better term). These are written object oriented so I still have access to PHP's extract if ever needed.
Question now being, what do you think of the effectiveness of this technique in terms of protecting against SQL injection? Are there ways to beat it? Are there better methods? Is this efficient? I'm not sure what algorithm PHP is using for str_replace, but the best ones don't run any faster than O(n). I don't think this runs any worse.
list files from folder, only one for each date
I have many files in a folder and wish to only list one of each datethese are the file names.date format (dd/mm/yyy)abc - 12-01-2009 - something.pdfabc - 12-01-2009 - something else.pdfabc -
Help If user voted, block them
On my Prayer request site, i let users Click a button to Pray for somone that has posted a pray, i got that all set up but.Code: // connect to db... if ($_GET['id']) { $id = (int) $_GET['id'];
Calculating a rating by adding number of points and dividing by number of items
I have a site that users can post links to files to download. They can rate these files on a 1-5 scale. I had someone make a Top Rated section for the site, to show the user with the highest rating
Backflush
I am looking for a report in SAP that would give me a list of all parts that are populated with a backflush code, or not populated with a code. I am aware of looking each part individually, but
Need help with simple code, back and forward buttons.
Basically, I have a set of pages in a folder, which have the title somephrasehere_09.php, somephrasehere_10.php, somephrasehere_11.php, etc. On each of these pages, I want to include a common code
How do I use a global footer..?
If my index.php has a bole bunch of if functions and exit's in them
Securing a user input - need some confirmation
Hello All,I am in the process of recoding a large proportion of an e-commerce site, one of the problems is that there are a few security issues floating around.I have a search box which was originally
Refining of search Criteria
Dear FriendsI need a help, I have a search page which of cars related, which has different search criteria e.g. maker, model, color, displacement etc. when i give any search criteria and click the
shoping cart issues
i´ve wrote this and works when i add an item to, my cart, but when i want to add othrer item just replaces the last one. please help!!Code: [Select]<!DOCTYPE html PUBLIC "-//W3C//DTD
How do I know when getBounds Method is ready to be called.
I have an application that changes out stylesheets client side. Once I change stylesheet the browser changes immediately but there is a lag until the Sys.UI.DomElement.getBounds method will return
