Hey guys,
Its been a while, I know. Use to love coming here to answer peoples questions, but work and school have been keeping me too busy but do anything but lurk. I usually write all my code/apps by hand and over the past couple years created a common set of PHP functions that I implement on every site. This code continues to grow, and may become a framework one day (http://ryan.crawford.com/framework/default/). I wanted to present some of the crux functions for your consideration. Specifically I'd like to know what your best practices are in relation to preventing SQL insertion attacks, looking at the functions I use to control it:
Code: private $chars = array(
";" => "{00sc}", "'" => "{01sq}",
"!" => "{02ex}", "$" => "{03dl}",
"%" => "{04pr}", "<" => "{05ls}",
">" => "{06gt}", "=" => "{07eq}",
"&" => "{08an}", "#" => "{09pd}",
"," => "{10cm}", "/" => "{11fs}",
"*" => "{12as}", "\"=> "{13bs}"
);
/*
* Func: inject($str) - aptly named :)
* Desc: We'll be the only people doing SQL injection here
*/
function inject($str) {
return str_replace(array_keys($this->chars),
array_values($this->chars),$str);
}
/*
* Func: extract($str)
* Desc: Opposite of inject
*/
function extract($str) {
$str = str_replace(array_values($this->depc),
array_keys($this->depc),$str);
return str_replace(array_values($this->chars),
array_keys($this->chars),$str);
}
/*
* Func: query($query_data)
* Desc: Make a query on the database (SELECT)
* Note: If a log directory is defined, we will track queries
*/
function query($qdata) {
$result = mysql_query($qdata) or die("
Query: ".$qdata."
Issue: " . mysql_error());
// set the condition for the switch statement
$c = substr($qdata,0,strpos($qdata,' '));
if($c == "DELETE"||$c == "INSERT"||$c == "UPDATE") {
if(is_dir($this->cfg['logdir']))
$this->logLine($qdata,$this->cfg['qlog']);
return true;
}
if(mysql_num_rows($result)==0)
return false;
while($line = mysql_fetch_array($result,MYSQL_ASSOC)) {
$array_result[]=$this->extract($line);
}
return $array_result;
}
/*
* Func: iquery($array,$table)
* Desc: Insert data into the db(using just $_POST)
*/
function iquery($arr,$table) {
if(!$dataArr = $this->againstTable($arr,$table))
return false;
$n = 1;
// Loop to create SQL query
foreach($dataArr as $key => $value) {
$insertNames .= (sizeof($dataArr)==$n)? $key : $key.",";
$insertValues.= (sizeof($dataArr)==$n)? "'".$value."'" : "'".$value."',";
$n++;
}
$this->query("INSERT INTO ".$table." (".$insertNames.") VALUES (".$insertValues.");");
}
Basically, if you look at the array $chars, for inserted data I am searching for the keys and converting them to the values before insertion. It is a function I run all my inserts through. The query() function is what I do all my SELECTS with and it converts the characters back (the inject function encrypts, extract decrypts for lack of a better term). These are written object oriented so I still have access to PHP's extract if ever needed.
Question now being, what do you think of the effectiveness of this technique in terms of protecting against SQL injection? Are there ways to beat it? Are there better methods? Is this efficient? I'm not sure what algorithm PHP is using for str_replace, but the best ones don't run any faster than O(n). I don't think this runs any worse.
file_put_contents and createimagefromjpeg
All,I do somethings and then I have the following code:file_put_contents('./test/'.$filename,$attachment_raw); //Give full path to $filenameI then do:$im = imagecreatefromjpeg($path_to_image_directory
PHP code needed to get/post form fields and request mysql query results.
I'm new to PHP I've created an html form to allow the user to request a basic telephone directory listing. They can select their 'listtype' by 'all' or by 'state'. If they choose 'state' then they
Adding post count
How would I make it so everytime someone clicks submit on my form, their row in the database for their post count goes up 1.
Must-Know Topics of PHP
Can you guys list the must-know topics of PHP. I am still a learner and I am trying to cover most of the important topics in PHP.
Data Function is Its Not working IN IE8
This is my first time to use formums. I hope i can get solution for this problem.
Linked Keywords
I am trying to get a script that makes my predefined keyword converted to links and / or converted to a certain color, size and so on... In one of the other threads Ive posted I got an answer I am a
Upload Code Help
Hi everyone I need some help with a bit of code ive been working with for a while. I am completely stumped to why it is now working correctly.Code: <?if(!isset($upload)) {$upload =
how to put the 0-100 numbers into 1.txt and 100-200 into 2.txt ?
how to put the 0-100 numbers into 1.txt and 100-200 into 2.txt and so on 200-300 into file 3.txt ?in PHP of course.i don't know if i'm really that dumb or is it the 36 hours of no sleep that i can't
Need Reporting Advice
My SQL server doesn't support MS SQL reporting services that comes with SQL Enterprise or Express. Then the administrator suggested that I google for alternatives. I'm a newbie and don't even know
newbie question about multiple queries
hi everyone, I'm sorry to ask such a basic question, but I'm young and trying to learn php on my own. I bought the PHP6 Bible and I'm doing a tutorial on multiple-queries.I followed the book exactly,
