[PHP/MySQL] MySQL Exploit Prevention
Hi, I'm currently working on a new system for my website which will use a MySQL database. Usually I don't like using MySQL because I don't know how to secure it properly. So far by reading some stuff on the PHP website I have managed to slap together two functions called MakeSafe and MakeReadable. MakeSafe is run on all $_GET and $_POST data before entering it into the database, and MakeReadable is run on all data returned from the database before outputting it to the screen.
Basically what I'd like to know is whether or not this is secure against SQL exploits.
Code:
    function MakeSafe($string, $dbcon)
    {
        // Encode HTML special characters before storage (HTML encoding done at input time)
        $string = htmlentities($string);
        // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON,
        // so the value does not end up escaped twice
        if (get_magic_quotes_gpc()) {
            if (ini_get('magic_quotes_sybase')) {
                $string = str_replace("''", "'", $string);
            } else {
                $string = stripslashes($string);
            }
        }
        // Escape for use inside a quoted MySQL string literal, using the connection's charset
        $string = mysql_real_escape_string($string, $dbcon);
        return $string;
    }
Code:
    function MakeReadable($string)
    {
        // Undo any backslash escaping left on the stored value
        $string = stripslashes($string);
        // Fix anything that htmlentities broke: turn the stored entity back into the character
        $str = array("&pound;");
        $rep = array("£");
        $string = str_replace($str, $rep, $string);
        return $string;
    }
Thanks.
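An added example, not code from this thread: the same store-then-display flow that MakeSafe/MakeReadable implement, written with PDO prepared statements so that no SQL escaping is done by hand, and with HTML encoding applied only at output time. The DSN, the credentials and the `comments(id, body)` table are placeholder assumptions, and the sample comment text is constructed.

```php
<?php
// Added example (not from the thread): store raw input with a parameterized query,
// read it back unchanged, and encode for HTML at the moment of output.
// Assumptions: a MySQL server reachable with the placeholder DSN/credentials below
// and a table `comments(id INT AUTO_INCREMENT PRIMARY KEY, body TEXT)`.

function connect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=example_db;charset=utf8mb4'; // placeholder
    return new PDO($dsn, 'example_user', 'example_password', [      // placeholder
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares: values never enter the SQL text
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Store raw user input. No escaping at all: the value is bound as a parameter,
// so quotes, backslashes, % and _ are plain data as far as the SQL parser is concerned.
function storeComment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// Read the value back exactly as it was submitted; nothing to "undo" on the way out.
function fetchComment(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row['body'];
}

// Encode for HTML only when rendering. The stored value stays untouched (so a "£"
// never becomes a stored entity) and the same value can later be emitted as JSON,
// e-mail text, etc. with the encoder appropriate for that context.
function forHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A LIKE search. Parameters protect the SQL syntax, but % and _ are still
// wildcards to LIKE, so they are escaped separately (MySQL's default LIKE
// escape character is the backslash).
function searchComments(PDO $db, string $needle): array
{
    $escaped = addcslashes($needle, '%_\\');
    $stmt = $db->prepare('SELECT id, body FROM comments WHERE body LIKE :pat');
    $stmt->execute([':pat' => '%' . $escaped . '%']);
    return $stmt->fetchAll();
}

$db = connect();
// Constructed sample input: a quote, an HTML tag and a LIKE wildcard in one value.
$id = storeComment($db, $_POST['body'] ?? "O'Reilly <b>100% sure</b>");
echo '<p>' . forHtml((string) fetchComment($db, $id)) . '</p>';
print_r(searchComments($db, '100%'));
```

The design point is the separation of concerns: the database layer never sees user input as SQL text, and the HTML layer encodes every value it prints. Encoding at input time, as MakeSafe does, ties the stored data to one output format and is what forces the MakeReadable repairs.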
Re: [PHP/MySQL] MySQL Exploit Prevention
Actually, all you need is mysql_real_escape_string() and something to remove wildcard characters (% and _) if so desired (not necessary if e.g. you want to allow for a search form or similar)
Re: [PHP/MySQL] MySQL Exploit Prevention
No, actually you -do- need htmlentities if you are going to place something on a website, and you do -not- need to replace wildcard characters if you use simple string compares in your queries.
So yes, the above-mentioned functions are safe. Note that MakeSafe requires a database instance and that it's duplicating it, which in itself is a crappy way to code.
All in all seems like a PHP noob who only vaguely knew what he was doing wrote that.
What I generally use:
PHP Code:
    /****
    checkVar(&mixed $variable) converts a variable into something safe to put into your database.
    ****/
    function checkVar(&$variable) {
        // topDbase is the poster's own wrapper class; ->instance holds the MySQL link resource
        $dbase = new topDbase;
        $variable = mysql_real_escape_string($variable, $dbase->instance);
    }
    /****
    postHandler checks an array and places each value, checked through checkVar, into its
    own variable. Perfect for quickly getting all POST variables without having to
    bother with checkVar($_POST['variable']).
    ****/
    function postHandler($post = false) {
        $post = $post ? $post : $_POST;
        // checkVar takes its argument by reference, so array_walk escapes each value in place
        array_walk($post, 'checkVar');
        return $post;
    }
Of course this requires a database class where the instance is set as a singleton particle, as for instance the one I wrote a while ago.
Re: [PHP/MySQL] MySQL Exploit Prevention
Well thanks for filling me in on this ^_^
I've been looking for what all I need to do to make my site secure. This might fix my sql server from crashing hehe
I've been using the escape string but I didn't know it didn't filter out wildcards thanks bunches hehe
Re: [PHP/MySQL] MySQL Exploit Prevention
Afaik it DOES filter out wildcards...
Re: [PHP/MySQL] MySQL Exploit Prevention
My little script for these kinds of things.
PHP Code:
    // Filtering function: doubles single quotes, but only if the string still contains
    // a quote that is not already doubled, so the escaping does not stack up.
    function xw_sanitycheck($str) {
        // Strict comparison: strpos() returns 0 when the quote is the first character
        if (strpos(str_replace("''", "", $str), "'") !== false)
            return str_replace("'", "''", $str);
        else
            return $str;
    }
    // Applies xw_sanitycheck to a string, or recursively to every value of an array
    function secure($str) {
        if (is_array($str)) {
            foreach ($str AS $id => $value) {
                $str[$id] = secure($value);
            }
        } else {
            $str = xw_sanitycheck($str);
        }
        return $str;
    }
    // Get Filter
    foreach (array_keys($_GET) as $key) {
        $_GET[$key] = secure($_GET[$key]);
    }
    // Request Filter
    foreach (array_keys($_REQUEST) as $key) {
        $_REQUEST[$key] = secure($_REQUEST[$key]);
    }
    // Post Filter
    foreach (array_keys($_POST) as $key) {
        $_POST[$key] = secure($_POST[$key]);
    }
    // Cookie Filter
    foreach (array_keys($_COOKIE) as $key) {
        $_COOKIE[$key] = secure($_COOKIE[$key]);
    }
    // Session Filter (only if a session has been started)
    if (isset($_SESSION)) {
        foreach (array_keys($_SESSION) as $key) {
            $_SESSION[$key] = secure($_SESSION[$key]);
        }
    }
    // End
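An added example, not code from any post in this thread: one recursive request sanitiser that covers both the checkVar/postHandler idea from the earlier reply and the per-superglobal loops in the script above, using a single shared mysqli connection (the escaping is charset-dependent, so it needs a live link) instead of a new database object per value or a hand-rolled quote doubler. The host, credentials, database name and the `users` table are placeholder assumptions.

```php
<?php
// Added example (not from the thread): walk $_GET/$_POST/$_COOKIE recursively and
// escape every string for use inside a quoted MySQL string literal, through one
// shared connection. Placeholder host/credentials; requires PHP 8.0+.

function getConnection(): mysqli
{
    static $conn = null;            // one connection for the whole request
    if ($conn === null) {
        $conn = new mysqli('127.0.0.1', 'example_user', 'example_password', 'example_db'); // placeholder
        if ($conn->connect_error) {
            throw new RuntimeException('connect failed: ' . $conn->connect_error);
        }
        // Escaping rules depend on the connection charset; set it before escaping anything
        $conn->set_charset('utf8mb4');
    }
    return $conn;
}

// Escape one value, or recursively every value of an array.
// Anything that is neither string nor array is rejected rather than silently cast,
// so an unexpected type can never reach a query.
function escapeForSql(mixed $value, mysqli $conn): string|array
{
    if (is_array($value)) {
        $out = [];
        foreach ($value as $key => $item) {
            // Keys come from the client too; allow only simple identifiers
            if (!is_int($key) && !preg_match('/^[A-Za-z0-9_]{1,64}$/', $key)) {
                throw new InvalidArgumentException('unexpected parameter name');
            }
            $out[$key] = escapeForSql($item, $conn);
        }
        return $out;
    }
    if (!is_string($value)) {
        throw new InvalidArgumentException('expected string or array');
    }
    // real_escape_string handles backslash, both quote styles, NUL, \n and \r,
    // which doubling single quotes alone does not
    return $conn->real_escape_string($value);
}

// Returns escaped copies. The superglobals themselves are left untouched, so the raw
// values remain available for validation (intval() for numeric fields, etc.).
// $_SESSION is deliberately not included: it is server-side state, not client input,
// and may hold non-string values.
function sanitisedRequest(mysqli $conn): array
{
    $sources = ['get' => $_GET, 'post' => $_POST, 'cookie' => $_COOKIE];
    return array_map(fn(array $src) => escapeForSql($src, $conn), $sources);
}

$conn = getConnection();
$safe = sanitisedRequest($conn);
// An escaped value is only safe between single quotes; numbers must be cast instead
$sql = sprintf("SELECT id FROM users WHERE name = '%s' AND age = %d",
               $safe['post']['name'] ?? '', (int) ($_POST['age'] ?? 0));
$result = $conn->query($sql);
```

Two points worth keeping in mind with this approach: the escaped output is only meaningful inside a single-quoted literal (an unquoted numeric column still needs a cast or a strict validation), and escaping protects the SQL syntax only; `%` and `_` remain wildcards to `LIKE` and need separate handling if they matter for the query.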
Re: [PHP/MySQL] MySQL Exploit Prevention
Inefficient and not secure themad.