Hey guys,
Its been a while, I know. Use to love coming here to answer peoples questions, but work and school have been keeping me too busy but do anything but lurk. I usually write all my code/apps by hand and over the past couple years created a common set of PHP functions that I implement on every site. This code continues to grow, and may become a framework one day (http://ryan.crawford.com/framework/default/). I wanted to present some of the crux functions for your consideration. Specifically I'd like to know what your best practices are in relation to preventing SQL insertion attacks, looking at the functions I use to control it:
Code: private $chars = array(
";" => "{00sc}", "'" => "{01sq}",
"!" => "{02ex}", "$" => "{03dl}",
"%" => "{04pr}", "<" => "{05ls}",
">" => "{06gt}", "=" => "{07eq}",
"&" => "{08an}", "#" => "{09pd}",
"," => "{10cm}", "/" => "{11fs}",
"*" => "{12as}", "\"=> "{13bs}"
);
/*
* Func: inject($str) - aptly named :)
* Desc: We'll be the only people doing SQL injection here
*/
function inject($str) {
return str_replace(array_keys($this->chars),
array_values($this->chars),$str);
}
/*
* Func: extract($str)
* Desc: Opposite of inject
*/
function extract($str) {
$str = str_replace(array_values($this->depc),
array_keys($this->depc),$str);
return str_replace(array_values($this->chars),
array_keys($this->chars),$str);
}
/*
* Func: query($query_data)
* Desc: Make a query on the database (SELECT)
* Note: If a log directory is defined, we will track queries
*/
function query($qdata) {
$result = mysql_query($qdata) or die("
Query: ".$qdata."
Issue: " . mysql_error());
// set the condition for the switch statement
$c = substr($qdata,0,strpos($qdata,' '));
if($c == "DELETE"||$c == "INSERT"||$c == "UPDATE") {
if(is_dir($this->cfg['logdir']))
$this->logLine($qdata,$this->cfg['qlog']);
return true;
}
if(mysql_num_rows($result)==0)
return false;
while($line = mysql_fetch_array($result,MYSQL_ASSOC)) {
$array_result[]=$this->extract($line);
}
return $array_result;
}
/*
* Func: iquery($array,$table)
* Desc: Insert data into the db(using just $_POST)
*/
function iquery($arr,$table) {
if(!$dataArr = $this->againstTable($arr,$table))
return false;
$n = 1;
// Loop to create SQL query
foreach($dataArr as $key => $value) {
$insertNames .= (sizeof($dataArr)==$n)? $key : $key.",";
$insertValues.= (sizeof($dataArr)==$n)? "'".$value."'" : "'".$value."',";
$n++;
}
$this->query("INSERT INTO ".$table." (".$insertNames.") VALUES (".$insertValues.");");
}
Basically, if you look at the array $chars, for inserted data I am searching for the keys and converting them to the values before insertion. It is a function I run all my inserts through. The query() function is what I do all my SELECTS with and it converts the characters back (the inject function encrypts, extract decrypts for lack of a better term). These are written object oriented so I still have access to PHP's extract if ever needed.
Question now being, what do you think of the effectiveness of this technique in terms of protecting against SQL injection? Are there ways to beat it? Are there better methods? Is this efficient? I'm not sure what algorithm PHP is using for str_replace, but the best ones don't run any faster than O(n). I don't think this runs any worse.
My XSRF Prevention code isn't working
First of all, thanks for the generous help you guys have given me in the past on this forum.Second, I apologize in advance if my code is hard to read, most of it was done in a rush.Here
Opening Multiple Files/Links in Order.
I want to open links in order/one-by-one and check each for a specific string.Example: If i open CL, search for ads pertaining to video games. Returns 20 results. I grab these links. Now i want to
Reg Ex
Im trying to search for the string: srv_9 (Dead ???)I thought to use preg_match, however I dont know much about reg ex. Can anyone help? Thankks
help connecting a form to php and then emailing the form
Ok. So, I made a form, and I need help to where when submitted, I get an email with the submitted details. I have attached all the files you might need. The email should look like the 'Email.html'
How to restrict the display of report variants
Hello All,
WS-Security PL/SQL Forms
Oracle Database 10g Enterprise Edition Release 10.2.0.2.0 - Prod
update the selected existing records of database
Hi frndz,I am new to php and get stuck.... Edit.php > Update.php > Updateaction.phpi have 1 edit page displaying results existing in database with chkbox in front of every record and
Export hangs
Hi all, please helpI have a Oracle 10.2.0.3.0 database. When I want to query the dba_segments or dba_directories views Oracle just hangs, and when I do a export that hangs aswell. I did a export
Price in PR
Dear Experts,
DELETE FROM not working deletes wrong row
HelloI have the following code which i found but it doesnt work properly.. it comes up with a list of the items in the database e.g.item 1 - deleteitem 2 - delete item 3 - deletebut when i