
Thread: Is this good for preventing mysql injections?

  1. #1
    Join Date
    Oct 2006
    Posts
    183
    Thanks
    0
    Thanked 11 Times in 11 Posts

    Is this good for preventing mysql injections?

    I am working on a game that needs to be safe from injections, and I was wondering if this was sufficient for protection:

    PHP Code:
    // Returns TRUE when $i is purely alphanumeric, FALSE otherwise.
    // Anything containing a MySQL comment marker is written to the log first.
    function clean_field($i)
    {
        if (substr_count_array($i, array("#", "--"))) {
            log_hack($i);
        }

        $problem = FALSE; // initialised here; the posted version left it unset
        if (!preg_match('/^[a-zA-Z0-9]+$/', $i)) {
            //$errors = "Invalid characters: $i";
            $problem = TRUE;
        }

        if ($problem) {
            return FALSE;
        } else {
            return TRUE;
        }
    }

    // Appends the raw value, the timestamp and the client IP to hack_attempts.php
    function log_hack($data)
    {
        $timestamp = date('d/m/Y H:i:s');
        $ip = $_SERVER['REMOTE_ADDR'];
        $handle = fopen("hack_attempts.php", 'a+');
        fwrite($handle, "$timestamp|| $data|| $ip\n");
        fclose($handle);
    }

    // Counts how many times any of the strings in $needle occurs in $haystack
    function substr_count_array($haystack, $needle)
    {
        $count = 0;
        foreach ($needle as $substring) {
            $count += substr_count($haystack, $substring);
        }
        return $count;
    }

    Any suggestions to make it better are welcome.

  2. #2
    Join Date
    Sep 2005
    Posts
    882
    Thanks
    0
    Thanked 3 Times in 3 Posts


    The function substr_count_array isn't needed. Your regular expression handles that. However, that is the wrong way to go about it. All you need to do is make sure that all data is run through mysql_real_escape_string or similar before it is placed in a SQL query.

  3. #3
    Join Date
    Oct 2006
    Posts
    183
    Thanks
    0
    Thanked 11 Times in 11 Posts


    Well the substr_count_array is to get mysql comments (# or --) so that if anything looks like it could be a hack it is saved in a log.

    However I also only want alphanumeric from this function, so would this work for that since I don't want to escape but rather return the error?

  4. #4
    Join Date
    Sep 2005
    Posts
    882
    Thanks
    0
    Thanked 3 Times in 3 Posts


    No, it is opening another huge security hole. Consider what would happen if "#<?php unlink('index.php'); ?>" was passed to clean_field(). This is an even bigger security hole than SQL injection.

  5. #5
    Join Date
    Oct 2006
    Posts
    183
    Thanks
    0
    Thanked 11 Times in 11 Posts


    How would you recommend finding anything that has # or -- and logging it then?

  6. #6
    Join Date
    Jun 2005
    Location
    United Kingdom
    Posts
    11,876
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2


    Injection into what? Apply htmlentities() if it's going on a PHP or HTML page, mysql_real_escape_string() if it's going into a database, &c. (although there are better alternatives, such as PDO's prepared statements or an ORM like Propel).
    Twey
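The advice in posts #2 and #6 (validate on a whitelist, then use a prepared statement for the database and HTML encoding for the page) in working PHP, as an added example that is not code from the thread. It assumes PHP 7 or later with the PDO MySQL driver, a table `players(id, name, score)`, and placeholder connection credentials; the function names are the example's own.

```php
<?php
// Added example, not from the thread. Assumptions: PHP 7+, PDO with the MySQL
// driver, a table players(id, name, score), placeholder credentials below.

// Whitelist validation. The OP wants to reject bad input rather than escape it,
// so this returns a boolean and leaves reporting the error to the caller.
function is_alphanumeric(string $value, int $maxLen = 32): bool
{
    return strlen($value) <= $maxLen
        && preg_match('/^[A-Za-z0-9]+$/', $value) === 1;
}

// Database context: a prepared statement sends the query text and the values
// separately, so a value cannot change the meaning of the SQL whatever
// characters it contains. No escaping function is involved at all.
function find_player(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name, score FROM players WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML context: the same value placed in a page needs HTML encoding, which is
// a different transformation from anything the database needs.
function render_name(string $name): string
{
    return '<span class="player">'
        . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</span>';
}

// Usage: validate once at the boundary, then let each sink encode for itself.
$db = new PDO('mysql:host=localhost;dbname=game;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$input = $_GET['name'] ?? '';
if (!is_alphanumeric($input)) {
    http_response_code(400);
    exit('Invalid characters in name.');
}

$player = find_player($db, $input);
echo $player === null ? 'No such player.' : render_name($player['name']);
```

The whitelist check is the OP's policy (only alphanumerics are acceptable for this field); the prepared statement is what actually keeps the query safe, and it stays safe for fields such as textareas where a whitelist is not an option.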

  7. #7
    Join Date
    Sep 2005
    Posts
    882
    Thanks
    0
    Thanked 3 Times in 3 Posts


    I don't get why you would want to log it. Just prevent the injection (which, as Twey said, depends on where the data is going). The log won't show you any useful information. It's the hacks that your filters (and therefore your log) don't catch that you need to worry about.

  8. #8
    Join Date
    Oct 2006
    Posts
    183
    Thanks
    0
    Thanked 11 Times in 11 Posts


    Well the log isn't to prevent anything but just to see if it is a possible attempted injection, this way I can see when people might be trying.

    The preg_match is because I only want alphanumerics in data that passes through.

    After it checks those, I want to use the mysql_real_escape_string before saving fields and textareas to the database, as not all data will go through clean_field.

    Is that a bad idea?

  9. #9
    Join Date
    Sep 2005
    Posts
    882
    Thanks
    0
    Thanked 3 Times in 3 Posts


    Not really in theory. However, the code you have posted here has a huge security hole. Basically, if PHP code gets passed to clean_field, it will be written to your log file (which is a PHP file). This would cause complete access to the server.

  10. #10
    Join Date
    Oct 2006
    Posts
    183
    Thanks
    0
    Thanked 11 Times in 11 Posts


    I realize what you mean by that being a security hole. If someone put in what you said earlier, when I load the page it will execute the PHP.

    What if I saved it as a text file, instead of hack_attempts.php make it hack_attempts.txt?

    The file isn't going to be placed in an HTML file, but rather I will get an alert when there is a new hack attempt and then go to the file. If it is text, it won't execute anything.

    Would that work?
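A version of the OP's log_hack() that addresses the hole raised in posts #4 and #9 and the .txt question in post #10, as an added example that is not code from the thread: the file lives outside the document root, and the logged value is base64-encoded so each record is one line of plain ASCII that neither PHP nor a browser would interpret. It assumes PHP 7.1 or later; the path, the tab-separated layout and the function names are the example's own.

```php
<?php
// Added example, not from the thread. Assumptions: PHP 7.1+, a logs/ directory
// one level above the web root that the PHP process can write to.

// Outside the document root, so the web server never serves this file no
// matter what extension it has. The layout is an assumption.
define('SUSPICIOUS_LOG', __DIR__ . '/../logs/suspicious_input.log');

// The signal the OP wants to record: a MySQL comment marker in the input.
// This is only a heuristic for the log; the prepared statement at the
// database boundary is the actual protection.
function looks_like_sql_comment(string $value): bool
{
    return strpos($value, '#') !== false || strpos($value, '--') !== false;
}

// Appends one record. Returns false if the write failed.
function log_suspicious_input(string $data): bool
{
    $timestamp = gmdate('Y-m-d\TH:i:s\Z');
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';

    // Encode the untrusted value: no newlines that could forge extra records,
    // no "<?php" or HTML tags that a later viewer could execute or render.
    $encoded = base64_encode($data);
    $line = sprintf("%s\t%s\t%d\t%s\n", $timestamp, $ip, strlen($data), $encoded);

    // LOCK_EX stops concurrent requests from interleaving their writes.
    return file_put_contents(SUSPICIOUS_LOG, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Reads the log back for review. The decoded value is returned as a string
// for the reviewer to inspect, never evaluated or echoed into a page as-is.
function read_suspicious_input(string $path = SUSPICIOUS_LOG): array
{
    $records = [];
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    foreach ($lines as $line) {
        $parts = explode("\t", $line, 4);
        if (count($parts) !== 4) {
            continue; // malformed line, skip rather than guess
        }
        [$ts, $ip, $len, $b64] = $parts;
        $records[] = [
            'time'   => $ts,
            'ip'     => $ip,
            'length' => (int) $len,
            'data'   => base64_decode($b64, true),
        ];
    }
    return $records;
}

// Usage in the OP's flow: log when it looks suspicious, then reject on the
// whitelist regardless of what the heuristic said.
$input = $_POST['field'] ?? '';
if (looks_like_sql_comment($input)) {
    log_suspicious_input($input);
}
if (preg_match('/^[A-Za-z0-9]+$/', $input) !== 1) {
    http_response_code(400);
    exit('Invalid characters.');
}
```

Renaming the log to .txt does stop PHP from executing it, but a file under the web root is still downloadable by anyone who guesses its name, and a log opened in a browser would still render any HTML it contains. Keeping the file out of the document root and encoding the value removes both problems, and the fixed-width, tab-separated layout makes the records easy to grep when the alert arrives.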
