Bytes IT Community

security: validate POST and GET variables for MySQL query

Hello all,

I've been wondering lately whether someone could change a GET variable so that he alters an SQL statement in such a way that he could delete data from my database.
I've thought of the following:

[PHP]
$_GET['someinput'] = "123";

$sql = "select * from test where id = '".$_GET['someinput']."'";
// .....
[/PHP]

So if someone changed the URL from
http://test/index.php?someinput=123
to something like
http://test/index.php?someinput=123'; delete from test where '1
I thought he might be able to empty my database or do even worse things.

So my idea was to generally search for keywords in the POST and GET data, so that things like that are not possible anymore.

I've written the following function, which I will put at the top of every file that includes the connection files for the database:

[PHP]
// One helper per character or keyword that is stripped. str_ireplace() is
// case-insensitive and makes a single pass over the string.
function valiMySQLInput_1($getinp){ return str_ireplace("'","",$getinp); }
function valiMySQLInput_2($getinp){ return str_ireplace("\"","",$getinp); }
function valiMySQLInput_3($getinp){ return str_ireplace(",","",$getinp); }
function valiMySQLInput_4($getinp){ return str_ireplace(";","",$getinp); }
function valiMySQLInput_5($getinp){ return str_ireplace("(","",$getinp); }
function valiMySQLInput_6($getinp){ return str_ireplace(")","",$getinp); }
function valiMySQLInput_7($getinp){ return str_ireplace("FROM","",$getinp); }
function valiMySQLInput_8($getinp){ return str_ireplace("LIKE","",$getinp); }
function valiMySQLInput_9($getinp){ return str_ireplace("WHERE","",$getinp); }

function valiMySQLInput()
{
    // $_GET and $_POST are superglobals and are visible without this line.
    global $_GET, $_POST;
    // Make GET and POST input secure for DB usage.
    // Note: get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in
    // PHP 8.0. array_map() also only touches the top-level values, so a nested
    // parameter such as field[]=x is passed to addslashes() as an array, which
    // fails (a warning in PHP 7, a TypeError in PHP 8) instead of being escaped.
    if (!get_magic_quotes_gpc())
    {
        $_GET = array_map('addslashes', $_GET);
        $_POST = array_map('addslashes', $_POST);
    }
    $_GET = array_map('valiMySQLInput_1', $_GET);
    $_POST = array_map('valiMySQLInput_1', $_POST);
    $_GET = array_map('valiMySQLInput_2', $_GET);
    $_POST = array_map('valiMySQLInput_2', $_POST);
    $_GET = array_map('valiMySQLInput_3', $_GET);
    $_POST = array_map('valiMySQLInput_3', $_POST);
    $_GET = array_map('valiMySQLInput_4', $_GET);
    $_POST = array_map('valiMySQLInput_4', $_POST);
    $_GET = array_map('valiMySQLInput_5', $_GET);
    $_POST = array_map('valiMySQLInput_5', $_POST);
    $_GET = array_map('valiMySQLInput_6', $_GET);
    $_POST = array_map('valiMySQLInput_6', $_POST);
    $_GET = array_map('valiMySQLInput_7', $_GET);
    $_POST = array_map('valiMySQLInput_7', $_POST);
    $_GET = array_map('valiMySQLInput_8', $_GET);
    $_POST = array_map('valiMySQLInput_8', $_POST);
    $_GET = array_map('valiMySQLInput_9', $_GET);
    $_POST = array_map('valiMySQLInput_9', $_POST);
}
[/PHP]

Can someone more experienced say whether that makes sense, or whether I should do something else? Is there anything I am missing concerning security issues of this kind?

Thanks for any answers on this.

Best,

trom
Dec 19 '07 #1


Markus
Yes.
Don't use $_GET
Validate $_POST input using provided PHP functions

e.g.
htmlspecialchars($string, ENT_QUOTES)
Dec 21 '07 #2
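A worked example added here by the editor; it is not code from either post. Two points the thread leaves open. First, the function in the question is a blacklist, and a blacklist is both bypassable (str_ireplace() makes one pass, so the input FRFROMOM comes out as FROM) and destructive to legitimate data (O'Brien is mangled, the word "from" disappears from ordinary text). Second, htmlspecialchars() is output encoding for HTML; it has no bearing on SQL. The defence against SQL injection is to keep data out of the statement text altogether: validate the type of each parameter, then bind it with a prepared statement (PDO or mysqli), which is available for MySQL in every supported PHP version. The script below shows both halves. It assumes PHP 7.4 or later with the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL so that it runs offline; the table test, the column name, the helper names check, blacklistFilter, fetchRowById and findByName, and the two inserted rows are all constructed for this example.

```php
<?php
// Added example, not code from the original thread. Requires PHP 7.4+ with
// pdo_sqlite; an in-memory SQLite database stands in for MySQL so the script
// runs offline. The PDO calls are identical with a mysql: DSN.
declare(strict_types=1);

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// 1. The blacklist from the question, folded into one function with the same
//    behaviour: addslashes(), then strip quotes, punctuation and three keywords.
function blacklistFilter(string $in): string
{
    $in = addslashes($in);
    foreach (["'", '"', ',', ';', '(', ')', 'FROM', 'LIKE', 'WHERE'] as $bad) {
        $in = str_ireplace($bad, '', $in);
    }
    return $in;
}

// str_ireplace() makes a single pass, so a keyword wrapped around a copy of
// itself is reassembled by the filter: the blacklist is bypassed.
check(blacklistFilter('FRFROMOM') === 'FROM', 'keyword filter bypass');
// It also corrupts legitimate data: addslashes() leaves a stray backslash once
// the quote is stripped, and "from" vanishes from ordinary text.
check(blacklistFilter("O'Brien") === 'O\\Brien', 'apostrophe mangled');
check(blacklistFilter('a note from me') === 'a note  me', 'ordinary word removed');

// 2. What to do instead: validate the type, then bind the value. A bound
//    parameter travels separately from the statement text, so no value can
//    change the statement's structure, and no escaping or stripping is needed.
function fetchRowById(PDO $db, string $rawId): ?array
{
    // An id is an integer; anything else is rejected before it reaches SQL.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM test WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function findByName(PDO $db, string $name): array
{
    // Free text is bound too; quotes and keywords stay exactly as typed.
    $stmt = $db->prepare('SELECT id, name FROM test WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With a MySQL DSN, also pass PDO::ATTR_EMULATE_PREPARES => false in the
// constructor options so the server, not the driver, handles the parameters.
$db->exec('CREATE TABLE test (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO test (id, name) VALUES (123, 'O''Brien'), (124, 'trom')");

// Constructed attacker input: the payload from the question's second URL.
$payload = "123'; delete from test where '1";

check(fetchRowById($db, '123')['name'] === "O'Brien", 'normal lookup works');
check(fetchRowById($db, $payload) === null, 'non-integer id is rejected');
check(count(findByName($db, "O'Brien")) === 1, 'apostrophe stored and matched intact');
check(findByName($db, $payload) === [], 'payload is compared as a plain string');
check((int) $db->query('SELECT COUNT(*) FROM test')->fetchColumn() === 2, 'nothing was deleted');
echo "all checks passed\n";
```

Run it with php on the command line; it throws on the first failed check and otherwise prints "all checks passed". The order matters: type validation comes first so that a non-numeric id never even reaches the database, and binding does the rest for values that are legitimately free text. htmlspecialchars() still has its place, but at the other end, when a value from the database is written into an HTML page.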
