Hey guys,
It's been a while, I know. I used to love coming here to answer people's questions, but work and school have been keeping me too busy to do anything but lurk. I usually write all my code/apps by hand and over the past couple of years created a common set of PHP functions that I implement on every site. This code continues to grow, and may become a framework one day (http://ryan.crawford.com/framework/default/). I wanted to present some of the crux functions for your consideration. Specifically I'd like to know what your best practices are in relation to preventing SQL insertion attacks, looking at the functions I use to control it:
Code:
private $chars = array(
    ";"  => "{00sc}", "'"  => "{01sq}",
    "!"  => "{02ex}", "$"  => "{03dl}",
    "%"  => "{04pr}", "<"  => "{05ls}",
    ">"  => "{06gt}", "="  => "{07eq}",
    "&"  => "{08an}", "#"  => "{09pd}",
    ","  => "{10cm}", "/"  => "{11fs}",
    "*"  => "{12as}", "\\" => "{13bs}"   // the backslash key must itself be escaped in a PHP string
);

/*
 * Func: inject($str) - aptly named :)
 * Desc: We'll be the only people doing SQL injection here
 */
function inject($str) {
    // replace every key of $chars with its token, in array order
    return str_replace(array_keys($this->chars),
                       array_values($this->chars), $str);
}

/*
 * Func: extract($str)
 * Desc: Opposite of inject
 * Note: $this->depc is a second substitution table that is not shown in this post
 */
function extract($str) {
    $str = str_replace(array_values($this->depc),
                       array_keys($this->depc), $str);
    return str_replace(array_values($this->chars),
                       array_keys($this->chars), $str);
}

/*
 * Func: query($query_data)
 * Desc: Make a query on the database (SELECT)
 * Note: If a log directory is defined, we will track queries
 */
function query($qdata) {
    $result = mysql_query($qdata) or die("
        Query: " . $qdata . "
        Issue: " . mysql_error());
    // set the condition for the switch statement (first word of the statement)
    $c = substr($qdata, 0, strpos($qdata, ' '));
    if ($c == "DELETE" || $c == "INSERT" || $c == "UPDATE") {
        if (is_dir($this->cfg['logdir']))
            $this->logLine($qdata, $this->cfg['qlog']);
        return true;
    }
    if (mysql_num_rows($result) == 0)
        return false;
    $array_result = array();
    while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
        // str_replace accepts an array subject, so the whole row is decoded at once
        $array_result[] = $this->extract($line);
    }
    return $array_result;
}

/*
 * Func: iquery($array,$table)
 * Desc: Insert data into the db (using just $_POST)
 * Note: againstTable() is a helper that is not shown in this post
 */
function iquery($arr, $table) {
    if (!$dataArr = $this->againstTable($arr, $table))
        return false;
    $n = 1;
    $insertNames  = '';
    $insertValues = '';
    // Loop to create SQL query
    foreach ($dataArr as $key => $value) {
        $insertNames  .= (sizeof($dataArr) == $n) ? $key : $key . ",";
        $insertValues .= (sizeof($dataArr) == $n) ? "'" . $value . "'" : "'" . $value . "',";
        $n++;
    }
    $this->query("INSERT INTO " . $table . " (" . $insertNames . ") VALUES (" . $insertValues . ");");
}
Basically, if you look at the array $chars, for inserted data I am searching for the keys and converting them to the values before insertion. It is a function I run all my inserts through. The query() function is what I do all my SELECTs with and it converts the characters back (the inject function encrypts, extract decrypts, for lack of a better term). These are written object-oriented so I still have access to PHP's extract if ever needed.
Question now being, what do you think of the effectiveness of this technique in terms of protecting against SQL injection? Are there ways to beat it? Are there better methods? Is this efficient? I'm not sure what algorithm PHP is using for str_replace, but the best ones don't run any faster than O(n). I don't think this runs any worse.
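As an added example (not the poster's code), here is the substitution table above ported to Python and run against an in-memory SQLite database, so you can see what the rewriting covers and what it does not. The two query shapes (a string value interpolated inside quotes, and a numeric value interpolated without quotes), the sample rows, and the function names are constructed for the demonstration; the post does not show how its SELECT strings are built. The parameterized variants use the driver's own placeholder binding, which is the standard alternative to any character-rewriting scheme.

```python
import sqlite3

# The post's $chars table, transcribed. The last entry is the backslash,
# which the PHP literal in the post mis-escaped.
CHARS = {
    ";": "{00sc}", "'": "{01sq}", "!": "{02ex}", "$": "{03dl}",
    "%": "{04pr}", "<": "{05ls}", ">": "{06gt}", "=": "{07eq}",
    "&": "{08an}", "#": "{09pd}", ",": "{10cm}", "/": "{11fs}",
    "*": "{12as}", "\\": "{13bs}",
}


def inject(s: str) -> str:
    """Port of the post's inject(): sequential replace, key -> token."""
    for ch, tok in CHARS.items():
        s = s.replace(ch, tok)
    return s


def extract(s: str) -> str:
    """Port of the post's extract(): sequential replace, token -> key."""
    for ch, tok in CHARS.items():
        s = s.replace(tok, ch)
    return s


def setup_db() -> sqlite3.Connection:
    """Constructed sample table (assumption: two users with a secret column)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


# --- the post's approach: rewrite the value, then interpolate it into SQL ---

def lookup_by_name_substituted(conn, name: str) -> list:
    # Value lands inside single quotes; the table rewrites ' so the quote
    # cannot be closed by the input.
    sql = "SELECT secret FROM users WHERE name = '%s'" % inject(name)
    return [r[0] for r in conn.execute(sql)]


def lookup_by_id_substituted(conn, id_str: str) -> list:
    # Assumed numeric context: value interpolated without quotes. The table
    # never touches spaces, letters or digits, so "1 OR 1" passes unchanged.
    sql = "SELECT secret FROM users WHERE id = %s" % inject(id_str)
    return [r[0] for r in conn.execute(sql)]


# --- parameter binding: the value is never part of the SQL text ---

def lookup_by_name_param(conn, name: str) -> list:
    return [r[0] for r in conn.execute(
        "SELECT secret FROM users WHERE name = ?", (name,))]


def lookup_by_id_param(conn, id_str: str) -> list:
    # The bound string is compared as a value; "1 OR 1" is not a number and
    # matches nothing, while "1" is coerced by column affinity and matches.
    return [r[0] for r in conn.execute(
        "SELECT secret FROM users WHERE id = ?", (id_str,))]


if __name__ == "__main__":
    db = setup_db()
    print(lookup_by_name_substituted(db, "x' OR 1=1 --"))   # quoted context: blocked
    print(lookup_by_id_substituted(db, "1 OR 1"))           # unquoted context: both rows
    print(lookup_by_id_param(db, "1 OR 1"))                 # bound parameter: no rows
```

The round trip also shows a side effect of the scheme: rows are stored with the tokens in them, so anything that reads the table without going through extract() (a LIKE search, a reporting tool, a second application) sees `{01sq}` where the user typed a quote.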