vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   SQL Injection Qs (https://vborg.vbsupport.ru/showthread.php?t=80217)

filburt1 04-20-2005 02:26 PM

Yes, meaning I prefer addslashes(), although I didn't even know that MySQL function existed.

Marco van Herwaarden 04-20-2005 02:50 PM

So do I. I mean addslashes does the job, it is used everywhere else in vB code, and it is much easier to type. :D

Adrian Schneider 04-23-2005 11:12 PM

Just found all these replies.. lol

Thanks:) preg_replace was the main thing I was looking for.

The Geek 04-24-2005 06:43 AM

Why preg_replace?

I thought that a sql injection was when you did something like:

$myval=$_POST['myvalus'];
$results=$DB_site->query("SELECT * FROM bob WHERE frank='$myval'");

Since there is no cleansing of $myval, people could take advantage of it by maybe creating a page that posted the $myval variable to be something like

yea'; INSERT MALICIOUS CODE HERE

Since there is an apostrophe in there, your SQL command ends and people can append system commands after it.

Using addslashes escapes characters that would break the 'string' representation of the above so it would end up:

yea\'; INSERT MALICIOUS CODE HERE

Now they couldn't escape out of the string no matter how much system code was put in.

It was my understanding that globalize uses addslashes on STR's, intval on INTs (which turns the above into 0 as it isn't an integer) and it also addslashes AND converts HTML characters into codes when using STR_NOHTML.

Am I missing something?

Marco van Herwaarden 04-24-2005 06:58 AM

Nope, you are not missing much, except that he clearly asked how to remove the quotes. I also don't know why he wants that, but that was the question.

Adrian Schneider 04-24-2005 04:02 PM

Well I'm new to this stuff, but wouldn't preg_replace strip the ; as well as the ' making them unable to do that? Also (this may soon be irrelevant) how would I allow spaces from that statement? ( $string = preg_replace('/[^A-Za-z0-9]+/', '', $string); )

Which do you guys prefer for a text input? => STR or => STR_NOHTML?
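An added example, not code from this thread or from vBulletin: it builds the query from The Geek's sample input under each cleaning mode the thread mentions (STR via addslashes, INT via intval, STR_NOHTML approximated here as htmlspecialchars followed by addslashes, which is an assumption about what vB3's globalize does) and shows Adrian's preg_replace whitelist with a space added to the character class. Nothing is sent to a database; the strings are only built and printed.

```php
<?php
// Added example (not from the thread). Constructed input taken from
// The Geek's post: the quote is meant to close the SQL string literal early.
$sample = "yea'; INSERT MALICIOUS CODE HERE";

// Build the WHERE clause under each cleaning mode and return the results.
function build_queries(string $myval): array
{
    // 1. No cleaning: the ' ends the literal, so the rest is parsed as SQL.
    $unsafe = "SELECT * FROM bob WHERE frank='$myval'";

    // 2. STR: addslashes() backslash-escapes ' " \ and NUL, so the literal
    //    stays closed and the rest is just data inside the string.
    $str = addslashes($myval);
    $safeStr = "SELECT * FROM bob WHERE frank='$str'";

    // 3. INT: intval() keeps only a leading integer; this input becomes 0.
    $int = intval($myval);
    $safeInt = "SELECT * FROM bob WHERE id=$int";

    // 4. STR_NOHTML (assumed to be htmlspecialchars + addslashes): the quote
    //    is turned into an HTML entity first, so no raw ' reaches the SQL.
    $nohtml = addslashes(htmlspecialchars($myval, ENT_QUOTES));
    $safeNoHtml = "SELECT * FROM bob WHERE frank='$nohtml'";

    // 5. Whitelist from Adrian's post, with a space added to the class so
    //    multi-word input survives; ' and ; are simply dropped.
    $white = preg_replace('/[^A-Za-z0-9 ]+/', '', $myval);
    $safeWhite = "SELECT * FROM bob WHERE frank='$white'";

    return [
        'unsafe'     => $unsafe,
        'STR'        => $safeStr,
        'INT'        => $safeInt,
        'STR_NOHTML' => $safeNoHtml,
        'whitelist'  => $safeWhite,
    ];
}

// Print each variant side by side so the effect of each mode is visible.
foreach (build_queries($sample) as $label => $sql) {
    printf("%-10s %s\n", $label, $sql);
}
```

The INT line shows why intval is the strongest option when a number is expected: the whole injected string is discarded rather than escaped.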

deathemperor 04-27-2005 02:25 PM

STR_NOHTML and addslashes, because using preg_replace will remove all non-alphabet chars. I've tested it since my personal hack had SQL injection in searching; when I used preg_replace the search printed out nothing, but with addslashes it does.

btw, how many ways are available to detect SQL injection?

Marco van Herwaarden 04-27-2005 02:34 PM

Quote:

Originally Posted by deathemperor
btw, how many ways are available to detect SQL injection?

2

Left eye and right eye.

twoseven 04-27-2005 05:58 PM

actually 3, I use braille

