Hey guys,
It's been a while, I know. Used to love coming here to answer people's questions, but work and school have been keeping me too busy to do anything but lurk. I usually write all my code/apps by hand and over the past couple of years created a common set of PHP functions that I implement on every site. This code continues to grow, and may become a framework one day (http://ryan.crawford.com/framework/default/). I wanted to present some of the crux functions for your consideration. Specifically I'd like to know what your best practices are in relation to preventing SQL insertion attacks, looking at the functions I use to control it:
Code:
<?php
// The methods from the post wrapped in a class so the $this references resolve
// (the post shows the methods only; the class name is assumed).
class Db {
    // Characters swapped out before data is stored and swapped back on the way out
    private $chars = array(
        ";" => "{00sc}", "'" => "{01sq}",
        "!" => "{02ex}", "$" => "{03dl}",
        "%" => "{04pr}", "<" => "{05ls}",
        ">" => "{06gt}", "=" => "{07eq}",
        "&" => "{08an}", "#" => "{09pd}",
        "," => "{10cm}", "/" => "{11fs}",
        "*" => "{12as}", "\\" => "{13bs}"   // backslash; the post's "\" left the string unterminated
    );
    // Second substitution table read by extract(); not shown in the post, so assumed empty here
    private $depc = array();
    // Config read by query() ('logdir', 'qlog'); the values are not shown in the post
    private $cfg = array('logdir' => '', 'qlog' => '');
    // logLine() and againstTable() are called below but are not shown in the post.

    /*
     * Func: inject($str) - aptly named :)
     * Desc: We'll be the only people doing SQL injection here
     */
    function inject($str) {
        return str_replace(array_keys($this->chars),
            array_values($this->chars), $str);
    }
    /*
     * Func: extract($str)
     * Desc: Opposite of inject
     */
    function extract($str) {
        $str = str_replace(array_values($this->depc),
            array_keys($this->depc), $str);
        return str_replace(array_values($this->chars),
            array_keys($this->chars), $str);
    }
    /*
     * Func: query($query_data)
     * Desc: Make a query on the database (SELECT)
     * Note: If a log directory is defined, we will track queries
     */
    function query($qdata) {
        // mysql_* functions were removed in PHP 7; kept here because the post uses them
        $result = mysql_query($qdata) or die("
        Query: " . $qdata . "
        Issue: " . mysql_error());
        // the first word of the query decides whether it is a write or a read
        $c = substr($qdata, 0, strpos($qdata, ' '));
        if ($c == "DELETE" || $c == "INSERT" || $c == "UPDATE") {
            if (is_dir($this->cfg['logdir']))
                $this->logLine($qdata, $this->cfg['qlog']);
            return true;
        }
        if (mysql_num_rows($result) == 0)
            return false;
        $array_result = array();
        while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
            // str_replace accepts an array subject, so the whole row is converted back at once
            $array_result[] = $this->extract($line);
        }
        return $array_result;
    }
    /*
     * Func: iquery($array,$table)
     * Desc: Insert data into the db (using just $_POST)
     */
    function iquery($arr, $table) {
        if (!$dataArr = $this->againstTable($arr, $table))
            return false;
        $n = 1;
        $insertNames = '';
        $insertValues = '';
        // Loop to create SQL query
        foreach ($dataArr as $key => $value) {
            $insertNames  .= (sizeof($dataArr) == $n) ? $key : $key . ",";
            $insertValues .= (sizeof($dataArr) == $n) ? "'" . $value . "'" : "'" . $value . "',";
            $n++;
        }
        $this->query("INSERT INTO " . $table . " (" . $insertNames . ") VALUES (" . $insertValues . ");");
    }
}
Basically, if you look at the array $chars, for inserted data I am searching for the keys and converting them to the values before insertion. It is a function I run all my inserts through. The query() function is what I do all my SELECTS with and it converts the characters back (the inject function encrypts, extract decrypts for lack of a better term). These are written object oriented so I still have access to PHP's extract if ever needed.
Question now being, what do you think of the effectiveness of this technique in terms of protecting against SQL injection? Are there ways to beat it? Are there better methods? Is this efficient? I'm not sure what algorithm PHP is using for str_replace, but the best ones don't run any faster than O(n). I don't think this runs any worse.
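For comparison, here is the same iquery()/query() pair written with prepared statements, the method PHP's own database layers provide for this problem. This is an added example by the editor, not the poster's code: it assumes a PDO connection (PDO ships with PHP 5.1 and later) and a per-table whitelist of column names standing in for the poster's againstTable(), which the post does not show. Data values are sent to the server as bound parameters, so no character substitution is needed and the stored text is exactly what the user typed; only identifiers, which cannot be bound, go through the whitelist.

```php
<?php
// Added example (not the poster's code): iquery()/query() rewritten on PDO prepared
// statements. Assumptions: a PDO connection and a table => columns whitelist that
// plays the role of the poster's againstTable().

class SafeDb {
    private $pdo;
    private $columns; // table name => array of permitted column names

    public function __construct(PDO $pdo, array $columns) {
        // Throw on errors instead of die(), and use real server-side prepares
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        $this->pdo = $pdo;
        $this->columns = $columns;
    }

    // Table and column names cannot be bound as parameters, so they are checked
    // against the whitelist first and then backtick-quoted.
    private function tableIdent($table) {
        if (!isset($this->columns[$table])) {
            throw new InvalidArgumentException("unknown table: $table");
        }
        return '`' . str_replace('`', '``', $table) . '`';
    }

    private function columnIdent($table, $name) {
        if (!in_array($name, $this->columns[$table], true)) {
            throw new InvalidArgumentException("unknown column $name for table $table");
        }
        return '`' . str_replace('`', '``', $name) . '`';
    }

    // Equivalent of the poster's iquery(): keys outside the whitelist are dropped
    // (as againstTable() presumably does), values are bound, never concatenated.
    public function insert($table, array $data) {
        $t = $this->tableIdent($table);
        $names = array(); $holders = array(); $values = array();
        foreach ($data as $key => $value) {
            if (!in_array($key, $this->columns[$table], true)) {
                continue; // ignore stray $_POST fields
            }
            $names[]   = $this->columnIdent($table, $key);
            $holders[] = '?';
            $values[]  = $value;
        }
        if (!$values) {
            return false;
        }
        $sql = "INSERT INTO $t (" . implode(', ', $names) . ") VALUES (" . implode(', ', $holders) . ")";
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($values);
        return $stmt->rowCount() === 1;
    }

    // Equivalent of the poster's query() for SELECTs: the SQL text is fixed by the
    // caller and user input arrives only through $params. Rows need no extract()
    // step because nothing was substituted on the way in.
    public function select($sql, array $params = array()) {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
        return $rows ? $rows : false; // keep the poster's "false on no rows" convention
    }
}

// Usage (constructed sample; DSN, credentials and the 'users' table are placeholders):
// $db = new SafeDb(new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8', 'USER', 'PASS'),
//                  array('users' => array('name', 'email')));
// $db->insert('users', $_POST);   // a value such as "O'Brien" is stored verbatim
// $rows = $db->select('SELECT name, email FROM users WHERE email = ?', array($_GET['email']));
```

Two design points worth noting against the substitution approach: the database sees the query text and the data as separate things, so the stored value is unchanged (no "{01sq}" tokens on disk that other readers of the table must know about), and the whitelist is the only place where untrusted input reaches query text, which makes it the one spot to review.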