Code Review - SQL and Insertion Attacks (Warning: Not for Newbs)
Posted on
16th Feb 2014 07:03 pm by
admin
Hey guys,
Its been a while, I know. Use to love coming here to answer peoples questions, but work and school have been keeping me too busy but do anything but lurk. I usually write all my code/apps by hand and over the past couple years created a common set of PHP functions that I implement on every site. This code continues to grow, and may become a framework one day (http://ryan.crawford.com/framework/default/). I wanted to present some of the crux functions for your consideration. Specifically I'd like to know what your best practices are in relation to preventing SQL insertion attacks, looking at the functions I use to control it:
Code: private $chars = array(
";" => "{00sc}", "'" => "{01sq}",
"!" => "{02ex}", "$" => "{03dl}",
"%" => "{04pr}", "<" => "{05ls}",
">" => "{06gt}", "=" => "{07eq}",
"&" => "{08an}", "#" => "{09pd}",
"," => "{10cm}", "/" => "{11fs}",
"*" => "{12as}", "\"=> "{13bs}"
);
/*
* Func: inject($str) - aptly named :)
* Desc: We'll be the only people doing SQL injection here
*/
function inject($str) {
return str_replace(array_keys($this->chars),
array_values($this->chars),$str);
}
/*
* Func: extract($str)
* Desc: Opposite of inject
*/
function extract($str) {
$str = str_replace(array_values($this->depc),
array_keys($this->depc),$str);
return str_replace(array_values($this->chars),
array_keys($this->chars),$str);
}
/*
* Func: query($query_data)
* Desc: Make a query on the database (SELECT)
* Note: If a log directory is defined, we will track queries
*/
function query($qdata) {
$result = mysql_query($qdata) or die("
Query: ".$qdata."
Issue: " . mysql_error());
// set the condition for the switch statement
$c = substr($qdata,0,strpos($qdata,' '));
if($c == "DELETE"||$c == "INSERT"||$c == "UPDATE") {
if(is_dir($this->cfg['logdir']))
$this->logLine($qdata,$this->cfg['qlog']);
return true;
}
if(mysql_num_rows($result)==0)
return false;
while($line = mysql_fetch_array($result,MYSQL_ASSOC)) {
$array_result[]=$this->extract($line);
}
return $array_result;
}
/*
* Func: iquery($array,$table)
* Desc: Insert data into the db(using just $_POST)
*/
function iquery($arr,$table) {
if(!$dataArr = $this->againstTable($arr,$table))
return false;
$n = 1;
// Loop to create SQL query
foreach($dataArr as $key => $value) {
$insertNames .= (sizeof($dataArr)==$n)? $key : $key.",";
$insertValues.= (sizeof($dataArr)==$n)? "'".$value."'" : "'".$value."',";
$n++;
}
$this->query("INSERT INTO ".$table." (".$insertNames.") VALUES (".$insertValues.");");
}
Basically, if you look at the array $chars, for inserted data I am searching for the keys and converting them to the values before insertion. It is a function I run all my inserts through. The query() function is what I do all my SELECTS with and it converts the characters back (the inject function encrypts, extract decrypts for lack of a better term). These are written object oriented so I still have access to PHP's extract if ever needed.
Question now being, what do you think of the effectiveness of this technique in terms of protecting against SQL injection? Are there ways to beat it? Are there better methods? Is this efficient? I'm not sure what algorithm PHP is using for str_replace, but the best ones don't run any faster than O(n). I don't think this runs any worse.
No comments posted yet
Your Answer:
Login to answer
197 
45 
Other forums
moving mouse to display image coordinates
I have an existing MFC application that shows an image in the main window.
I'd like to be able to
Help! refer to a friend script with captcha code
Hi guys, I am posting on here in desperate need for some help with an ongoing search I have been doi
Convert .fdf to .pdf
I currently have a web form that uploads the form data to an .fdf file and emails it.
However
server trace logs
could any one tell me from where do i get error logs in xMII??I want to check the reason for dtabase
Ajax Issues - Update Panel / Timer. Intellisense doesn't know about them
Type 'System.Web.UI.ScriptManager' does not have a public property named 'UpdatePanel'.
That is wha
Working with Global Variables
hi, I'm not really sure why the following code is returning a "Call to a member function getBan
How to show the difference between two data field in a database with php.
Hello php gurus,
how r u all... i'm not so well facing a typical problem please help me...<
problems with search form numerical "between" sending by php
I am trying to display the results of a search, on a sql database, on a web page. I set up html &quo
Get relative path from absolute path
How would one go about getting the relative path to a file from its absolute path?
Help pulling in 'id' with "read more" link
I'm trying to create snippets of my articles in the cms I'm creating, and then have them redirect to
