Code Review - SQL and Insertion Attacks (Warning: Not for Newbs)


Posted on 16th Feb 2014 07:03 pm by admin

Hey guys,

Its been a while, I know. Use to love coming here to answer peoples questions, but work and school have been keeping me too busy but do anything but lurk. I usually write all my code/apps by hand and over the past couple years created a common set of PHP functions that I implement on every site. This code continues to grow, and may become a framework one day (http://ryan.crawford.com/framework/default/). I wanted to present some of the crux functions for your consideration. Specifically I'd like to know what your best practices are in relation to preventing SQL insertion attacks, looking at the functions I use to control it:

Did you know?Explore Trending and Topic pages for more stories like this.
Code: private $chars = array(
";" => "{00sc}", "'" => "{01sq}",
"!" => "{02ex}", "$" => "{03dl}",
"%" => "{04pr}", "<" => "{05ls}",
">" => "{06gt}", "=" => "{07eq}",
"&" => "{08an}", "#" => "{09pd}",
"," => "{10cm}", "/" => "{11fs}",
"*" => "{12as}", "\"=> "{13bs}"
);

/*
* Func: inject($str) - aptly named :)
* Desc: We'll be the only people doing SQL injection here
*/
function inject($str) {
return str_replace(array_keys($this->chars),
array_values($this->chars),$str);
}

/*
* Func: extract($str)
* Desc: Opposite of inject
*/
function extract($str) {
$str = str_replace(array_values($this->depc),
array_keys($this->depc),$str);

return str_replace(array_values($this->chars),
array_keys($this->chars),$str);
}

/*
* Func: query($query_data)
* Desc: Make a query on the database (SELECT)
* Note: If a log directory is defined, we will track queries
*/
function query($qdata) {
$result = mysql_query($qdata) or die("
Query: ".$qdata."

Issue: " . mysql_error());

// set the condition for the switch statement
$c = substr($qdata,0,strpos($qdata,' '));

if($c == "DELETE"||$c == "INSERT"||$c == "UPDATE") {
if(is_dir($this->cfg['logdir']))
$this->logLine($qdata,$this->cfg['qlog']);
return true;
}
if(mysql_num_rows($result)==0)
return false;

while($line = mysql_fetch_array($result,MYSQL_ASSOC)) {
$array_result[]=$this->extract($line);
}
return $array_result;
}

/*
* Func: iquery($array,$table)
* Desc: Insert data into the db(using just $_POST)
*/
function iquery($arr,$table) {
if(!$dataArr = $this->againstTable($arr,$table))
return false;
$n = 1;
// Loop to create SQL query
foreach($dataArr as $key => $value) {
$insertNames .= (sizeof($dataArr)==$n)? $key : $key.",";
$insertValues.= (sizeof($dataArr)==$n)? "'".$value."'" : "'".$value."',";
$n++;
}
$this->query("INSERT INTO ".$table." (".$insertNames.") VALUES (".$insertValues.");");
}


Basically, if you look at the array $chars, for inserted data I am searching for the keys and converting them to the values before insertion. It is a function I run all my inserts through. The query() function is what I do all my SELECTS with and it converts the characters back (the inject function encrypts, extract decrypts for lack of a better term). These are written object oriented so I still have access to PHP's extract if ever needed.

Question now being, what do you think of the effectiveness of this technique in terms of protecting against SQL injection? Are there ways to beat it? Are there better methods? Is this efficient? I'm not sure what algorithm PHP is using for str_replace, but the best ones don't run any faster than O(n). I don't think this runs any worse.
No comments posted yet

Your Answer:

Login to answer
197 Like 45 Dislike
Previous forums Next forums
Other forums

Calculating a rating by adding number of points and dividing by number of items
I have a site that users can post links to files to download. They can rate these files on a 1-5 sca

MySQL noob question
hi guys

I have a simple mysql table set up, along the lines of

Col 1 - Col 2 - Date_l

Is this Safe or Unsafe?
Hi i made a few pages with lots of peoples help now i just want to know if they are safe or not can

Mysql query, two times?
Hello to all,

I'm new to php coding and i like it alot. I need help with some noob stuff.

article site help remaining text
Hi all hope you will be fine
I am creating a article site in this site i want to put some text on

how to make database item unique
Hey guys,

is it possible to do this:

I have the database item $title being pulled for

Asset Transfer from One plant to another within same company code
Hi,

Please advise how to transfer one asset from one plant to another plant within same c

AUTONUMBER PROBLEM
Hello Everyone,

My name is Jones and i am new to this forum and to oracle. I am using ora

help with Get_
ok some how this is not working i am not sure what i am doing wrong here but what this does is when

Breaking results into week blocks
I have a set of dates (and times), which are returned from a mySQL query.

These usually span

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash