Hey guys,
Its been a while, I know. Use to love coming here to answer peoples questions, but work and school have been keeping me too busy but do anything but lurk. I usually write all my code/apps by hand and over the past couple years created a common set of PHP functions that I implement on every site. This code continues to grow, and may become a framework one day (http://ryan.crawford.com/framework/default/). I wanted to present some of the crux functions for your consideration. Specifically I'd like to know what your best practices are in relation to preventing SQL insertion attacks, looking at the functions I use to control it:
Code: private $chars = array(
";" => "{00sc}", "'" => "{01sq}",
"!" => "{02ex}", "$" => "{03dl}",
"%" => "{04pr}", "<" => "{05ls}",
">" => "{06gt}", "=" => "{07eq}",
"&" => "{08an}", "#" => "{09pd}",
"," => "{10cm}", "/" => "{11fs}",
"*" => "{12as}", "\"=> "{13bs}"
);
/*
* Func: inject($str) - aptly named :)
* Desc: We'll be the only people doing SQL injection here
*/
function inject($str) {
return str_replace(array_keys($this->chars),
array_values($this->chars),$str);
}
/*
* Func: extract($str)
* Desc: Opposite of inject
*/
function extract($str) {
$str = str_replace(array_values($this->depc),
array_keys($this->depc),$str);
return str_replace(array_values($this->chars),
array_keys($this->chars),$str);
}
/*
* Func: query($query_data)
* Desc: Make a query on the database (SELECT)
* Note: If a log directory is defined, we will track queries
*/
function query($qdata) {
$result = mysql_query($qdata) or die("
Query: ".$qdata."
Issue: " . mysql_error());
// set the condition for the switch statement
$c = substr($qdata,0,strpos($qdata,' '));
if($c == "DELETE"||$c == "INSERT"||$c == "UPDATE") {
if(is_dir($this->cfg['logdir']))
$this->logLine($qdata,$this->cfg['qlog']);
return true;
}
if(mysql_num_rows($result)==0)
return false;
while($line = mysql_fetch_array($result,MYSQL_ASSOC)) {
$array_result[]=$this->extract($line);
}
return $array_result;
}
/*
* Func: iquery($array,$table)
* Desc: Insert data into the db(using just $_POST)
*/
function iquery($arr,$table) {
if(!$dataArr = $this->againstTable($arr,$table))
return false;
$n = 1;
// Loop to create SQL query
foreach($dataArr as $key => $value) {
$insertNames .= (sizeof($dataArr)==$n)? $key : $key.",";
$insertValues.= (sizeof($dataArr)==$n)? "'".$value."'" : "'".$value."',";
$n++;
}
$this->query("INSERT INTO ".$table." (".$insertNames.") VALUES (".$insertValues.");");
}
Basically, if you look at the array $chars, for inserted data I am searching for the keys and converting them to the values before insertion. It is a function I run all my inserts through. The query() function is what I do all my SELECTS with and it converts the characters back (the inject function encrypts, extract decrypts for lack of a better term). These are written object oriented so I still have access to PHP's extract if ever needed.
Question now being, what do you think of the effectiveness of this technique in terms of protecting against SQL injection? Are there ways to beat it? Are there better methods? Is this efficient? I'm not sure what algorithm PHP is using for str_replace, but the best ones don't run any faster than O(n). I don't think this runs any worse.
Find only certain URLs from page ... regex (semi-complete script)
Hi guys,What I need to do is take a page & extract all the URLs from the page & place them in an array.However I only need to grab certain
need help in creating captcha
hi i have a problem creating captcha system. i create some basic script for image displaying but it says this errorCode: The image “http://localhost/examples/captcha.php†cannot be
1,000 select boxes with 100 options?!
I have 1 drop down select box with 1,000 options.In some case, there will be 100+ of these select boxes, with absolutely identical options.Is there any way to avoid repeating 1,000 options for 100
downloading a file as HTML
Hi.I'm rather confused with forcing a download. I just want to save dynamic content (from $_SESSION[''] data) as a .html file.The script to do this is a PHP page, but when I click on
Add 5 to a variable when a button is clicked, and re-run a for loop
So I'm making a feedback sort of section on a website with MySQL and PHP, I've gotten the script to do everything I want except for this. I want the script to only show 5 at a time (which i have
Performance impact of cookies
Hi, I was just wondering what impact there would be in terms of performance if you where to set then increment the value of a cookie on each page of a site. Also, being a server side script; how
default SAP userid
hi,, I just like to know if it is ok to use the default SAP user id (SAP*)?
Which practice of iteration through containers is preferred
In the "real world" what kind of loop do most people use to iterate through a container like a vector.A loop like this... Code: for (int i = 0; i < v.size(); ++i) { // do whatever}Or like
Search with relational database
Hey,I have quite a complicated (for me anyway ) relational database for an apartments system I am developing.Keith (kickstart) was very helpful assisting me in creating the relationships and here is
Can't find a decent web analytics!!!
I've downloaded and installed Piwik. It's location detection based on IP addresses is fairly inaccurate even after installing the recommended plugins. Can someone please suggest a free solution with
