SQL Injection Qs
 

How do you strip non alphanumeric characters from a string? I noticed people suggesting globalize() then setting each variables type to STR or INT, etc. Does the STR do that (I noticed it uses trim).

How does using trim compare with addslashes or the built-in mysql commands?

Thanks

Have you read the relevant manual pages for trim() and addslashes()?

Yes, read both of them.

Produces \'a\'

and

produces 'a'

How would I just show the a?

I think you would use stripslashes() when accessing the information with whatever query. I'm still learning too though.

If you want to REMOVE all quotes, you would have to use a str_replace or preg_replace.

If you just want to create a version of your string that is safe to insert into a SQL, use addslashes to store, and if needed stripslashes later to retrieve the original string (vB does stripslashes automaitc in some cases).

Or use mysql_real_escape_string() instead of addslashes.
I am writing a script for my site which is not vB powered, and it automatically strips the slashes from the mysql_real_escape_string()'d result.

Yep mysql_real_escape_string should be used instead of addslashes :) To strip non-alphanumeric characters you would use something like this:

I still have not found a good reason to prefer mysql_real_escape_string above the defacto standard in vB scripts addslashes.

You should probably avoid using it as vB is designed (mostly) so that the database layer is below the application layer. Rephrased, it is not coded to be used just with MySQL through the use of the database wrapper class which can be modified to use any other supporting SQL-capable database.

It seems to escape more than quotes, but I thought it was only quotes that caused the problem. For example, it also escapes newlines for some reason. But, they wrote a full page on SQL injection at http://us4.php.net/manual/en/securit...-injection.php .

You are talking about mysql_real_escape_string i suppose?

Yes, meaning I prefer addslashes(), although I didn't even know that MySQL function existed.

So do i. I mean addslashes does the job, it is used everywhere else in vB code, and it is much easier to type. :D

Just found all these replies.. lol

Thanks:) preg_replace was the main thing I was looking for.

Why preg_replace?

I thought that a sql injection was when you did something like:

$myval=$_POST['myvalus'];
$results=$DB_site->query("SELECT * FROM bob WHERE frank='$myval'");

SInce there is no cleansing of $myval, people could take advantage of it by maybe creating a page that posted the $myval variable to be something like
SInce there is an apostraphe in there, your SQL command ends and people can append system commands after it.

Using addslashes escapes characters that would break the 'string' representation of the above so it would end up:

yea\'; INSERT MALICIOUS CODE HERE


Now they couldnt escape out of the string no matter how much system code was put in.

It was my understanding that globalize uses addslashes on STR's, intval on INTs (which turns the above into 0 as it isnt an integer) and it also addslashes AND converts HTML characters into codes when using STR_NOHTML.

Am I missing something?

Nope you are not missing much, except that he clearly asked how to remove the quotes. I also don't know why he want that, but that was the question.

Well I'm new to this stuff, but wouldn't preg_replace strip the ; as well as the ' making them unable to do that? Also (this may soon be irrelevant) how would I allow spaces from that statement? ( $string = preg_replace('/[^A-Za-z0-9]+/', '', $string); )

Which do you guys prefer for a text input? => STR or => STR_NOHTML?

STR_NOHTML and addslashes, because using preg_replace it will remove all non-alphabet char. I've tested it since my personal hack was having SQL injection with searching, I used preg_replace the search print out nothing but addslashes can.

btw, how many ways available to detect for SQL injection ?

2







Left eye and right eye.

actually 3 i use brail