Network Security: Detailed info on Re: PHP filter function against SQL injections

Subject:	Re: PHP filter function against SQL injections
Date:	Wed, 07 Feb 2007 15:15:00 -0500

also a union  could be an issue depending on the location of the union
ie.

$myval = pastvar['post'] $sql = 'select a, b, c'; $sql .= 'From table_1'; $sql .= 'where a = ' . filter($myval); now if i entered this in the post_var $myval = "1 union all select a,b,c from table_1"; what would happend :) our results would not be ideal :) hope this helped ps. you might also want to look at the xml i sent this is the SQL injection project i created a while ago its by no means 100% but should get you to about 70% ish so the work now formula D(WS)*[RW](WS)*D Where : D : deliminator WS : White Space RW : Reserve Word RW can be in two types Literal : Standard string like "SELECT" or "SELECT TOP" parameterized : Strings that allow subistition like "xp_*" which would find any string that starts with a "xp_" Note : the * can be anyware in the Parameterized String Like "SELECT*FROM"

and i load it with an XML file something like
  <KeyWords>
      <KeyWord Type="parameterized">SELECT*FROM</KeyWord>
      <KeyWord Type="Literal">UNION</KeyWord>
      <KeyWord Type="Literal">INSERT INTO</KeyWord>
      <KeyWord Type="Literal">DROP DATABASE</KeyWord>
      <KeyWord Type="Literal">DROP CUBE</KeyWord>
      <KeyWord Type="Literal">DROP FUNCTION</KeyWord>
      <KeyWord Type="Literal">DROP INDEX </KeyWord>
      <KeyWord Type="Literal">DROP PROCEDURE</KeyWord>
      <KeyWord Type="Literal">DROP TABLE</KeyWord>
      <KeyWord Type="Literal">DROP TRIGGER</KeyWord>
      <KeyWord Type="Literal">DROP VIEW</KeyWord>
      <KeyWord Type="Literal">ALTER DATABASE</KeyWord>
      <KeyWord Type="Literal">ALTER CUBE</KeyWord>
      <KeyWord Type="Literal">ALTER FUNCTION</KeyWord>
      <KeyWord Type="Literal">ALTER PROCEDURE</KeyWord>
      <KeyWord Type="Literal">ALTER TABLE</KeyWord>
      <KeyWord Type="Literal">ALTER TRIGGER</KeyWord>
      <KeyWord Type="Literal">ALTER VIEW</KeyWord>
      <KeyWord Type="Literal">CREATE DATABASE</KeyWord>
      <KeyWord Type="Literal">CREATE CUBE</KeyWord>
      <KeyWord Type="Literal">CREATE FUNCTION</KeyWord>
      <KeyWord Type="Literal">CREATE INDEX </KeyWord>
      <KeyWord Type="Literal">CREATE PROCEDURE</KeyWord>
      <KeyWord Type="Literal">CREATE TABLE</KeyWord>
      <KeyWord Type="Literal">CREATE TRIGGER</KeyWord>
      <KeyWord Type="Literal">CREATE VIEW</KeyWord>
      <KeyWord Type="Literal">SHUTDOWN</KeyWord>
      <KeyWord Type="Literal">SELECT @@SERVERNAME</KeyWord>
      <KeyWord Type="Literal">SELECT @@DATABASE</KeyWord>
      <KeyWord Type="Literal">SELECT @@SERVICENAME</KeyWord>
      <KeyWord Type="Literal">SELECT @@VERSION</KeyWord>
      <KeyWord Type="Literal">ASCII</KeyWord>
      <KeyWord Type="Literal">DUMP DATABASE</KeyWord>
      <KeyWord Type="Literal">DUMP TRANSACTION</KeyWord>
      <KeyWord Type="Literal">BACKUP DATABASE</KeyWord>
      <KeyWord Type="Literal">BACKUP LOG</KeyWord>
      <KeyWord Type="Literal">DTS</KeyWord>
      <KeyWord Type="Literal">DBCC</KeyWord>
      <KeyWord Type="Literal">QUOTENAME</KeyWord>
      <KeyWord Type="Literal">CALL</KeyWord>
      <KeyWord Type="Literal">TRUNCATE</KeyWord>
      <KeyWord Type="Literal">CONNECT TO</KeyWord>
      <KeyWord Type="Literal">CURRENT_USER</KeyWord>
      <KeyWord Type="Literal">DB_ID</KeyWord>
      <KeyWord Type="Literal">DB_NAME</KeyWord>
      <KeyWord Type="Literal">DB_SETTIME</KeyWord>
      <KeyWord Type="Literal">GRANT</KeyWord>
      <KeyWord Type="Literal">DENY</KeyWord>
      <KeyWord Type="Literal">KILL</KeyWord>
      <KeyWord Type="Literal">PERMISSIONS</KeyWord>
      <KeyWord Type="Literal">REVOKE</KeyWord>
      <KeyWord Type="Literal">GET CONNECTION</KeyWord>
      <KeyWord Type="Literal">HAS_DBACCESS</KeyWord>
      <KeyWord Type="Literal">NO_LOG</KeyWord>
      <KeyWord Type="Literal">NO_TRUNCATE</KeyWord>
      <KeyWord Type="Literal">NO_WAIT</KeyWord>
      <KeyWord Type="Literal">OFFLINE</KeyWord>
      <KeyWord Type="Literal">ONLINE</KeyWord>
      <KeyWord Type="Literal">HOST_NAME</KeyWord>
      <KeyWord Type="Literal">PRINT</KeyWord>
      <KeyWord Type="Literal">COMPUTE</KeyWord>
      <KeyWord Type="Literal">PARTIAL</KeyWord>
      <KeyWord Type="Literal">RESTORE</KeyWord>
      <KeyWord Type="Literal">SETUSER</KeyWord>
      <KeyWord Type="Literal">begin</KeyWord>
      <KeyWord Type="Literal">end</KeyWord>
      <KeyWord Type="Literal">declare</KeyWord>
      <KeyWord Type="Literal">IS_SRVROLEMEMBER</KeyWord>
      <KeyWord Type="Literal">IS_MEMBER</KeyWord>
      <KeyWord Type="Literal">HAS_DBACCESS</KeyWord>
      <KeyWord Type="Literal">SUSER_SID</KeyWord>
      <KeyWord Type="Literal">SUSER_SNAME </KeyWord>
      <KeyWord Type="Literal">USER_ID</KeyWord>
      <KeyWord Type="Literal">sp_addlogin</KeyWord>
      <KeyWord Type="Literal">sp_grantlogin</KeyWord>
      <KeyWord Type="Literal">sp_password</KeyWord>
      <KeyWord Type="Literal">sp_ActiveDirectory_Obj</KeyWord>
      <KeyWord Type="Literal">raiserror</KeyWord>
      <KeyWord Type="Literal">1=1</KeyWord>
      <KeyWord Type="Literal">sp_makewebtask </KeyWord>
      <KeyWord Type="Literal">NULL</KeyWord>
      <KeyWord Type="Literal">OPENQUERY</KeyWord>
      <KeyWord Type="Literal">OPENROWSET</KeyWord>
      <KeyWord Type="Literal">Lock table</KeyWord>
      <KeyWord Type="Literal">PARSENAME</KeyWord>
      <KeyWord Type="parameterized">sp_*</KeyWord>
      <KeyWord Type="parameterized">XP_*</KeyWord>
      <KeyWord Type="parameterized">*_XP</KeyWord>
      <KeyWord Type="parameterized">master..*</KeyWord>
      <KeyWord Type="parameterized">master.system.*</KeyWord>
      <KeyWord Type="parameterized">master.dbo.*</KeyWord>
      <KeyWord Type="parameterized">CHAR(*)</KeyWord>
   </KeyWords>
   <WhiteSpaces>
      <WhiteSpace>#13</WhiteSpace>
      <WhiteSpace>#10</WhiteSpace>
      <WhiteSpace>#20</WhiteSpace>
   </WhiteSpaces>
   <Delimiters>
      <Deliminater>'</Deliminater>
      <Deliminater>`</Deliminater>
      <Deliminater>--</Deliminater>
      <Deliminater>"</Deliminater>
      <Deliminater>;</Deliminater>
      <Deliminater>#13</Deliminater>
      <Deliminater>#10</Deliminater>
   </Delimiters>

Kellox wrote:

hi everyone!

i was just wondering if this filter function written in php is safe against
sql injections:

function filter($string) {
  $replace = "";
  $search = array(">", "<", "|", ";");
  $result = mysql_escape_string( str_replace($search, $replace, $string));
  return $result;
}

or could anyone imagine an sql injection attack which bypasses this filter
function?
___________________________________________________________________________
mymail - der unschlagbare und kostenlose E-Mail-Dienst der Schweiz!
http://mymail.ch/?redirect=9999
Kaspersky Anti Virus 6.0 - So schützen Sie Ihren PC zuverlässig!
http://ad.zanox.com/ppc/?4997698C625979254T

<Prev in Thread]	Current Thread	[Next in Thread>
PHP filter function against SQL injections, Kellox Re: PHP filter function against SQL injections, jeffrey rivero <= Re: PHP filter function against SQL injections, jeff Re: PHP filter function against SQL injections, Koen Bossaert Re: PHP filter function against SQL injections, Kellox Re: PHP filter function against SQL injections, jeffrey rivero Re: PHP filter function against SQL injections, Terra Frost Message not available Re: PHP filter function against SQL injections, Terra Frost Re: PHP filter function against SQL injections, Kellox Re: PHP filter function against SQL injections, jeffrey rivero Re: PHP filter function against SQL injections, Nic Stevens FW: PHP filter function against SQL injections, kevin fielder

Previous by Date:	Re: Arp spoffing question, Deian Stefan
Next by Date:	Re: PHP filter function against SQL injections, jeff
Previous by Thread:	PHP filter function against SQL injections, Kellox
Next by Thread:	Re: PHP filter function against SQL injections, jeff
Indexes:	[Date] [Thread] [Top] [All Lists]