Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
Reload this Page SQL Injection Qs
FAQ Community Calendar Today's Posts Search

Reply
Page 1 of 2 1 2
 
Thread Tools Display Modes
  #1  
Old 04-20-2005, 01:31 AM
Adrian Schneider's Avatar
Adrian Schneider Adrian Schneider is offline
 
Join Date: Jul 2004
Posts: 2,528
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default SQL Injection Qs
How do you strip non alphanumeric characters from a string? I noticed people suggesting globalize() then setting each variables type to STR or INT, etc. Does the STR do that (I noticed it uses trim).

How does using trim compare with addslashes or the built-in mysql commands?

Thanks
Reply With Quote
  #2  
Old 04-20-2005, 02:07 AM
filburt1 filburt1 is offline
 
Join Date: Feb 2002
Location: Maryland, US
Posts: 6,144
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Have you read the relevant manual pages for trim() and addslashes()?
Reply With Quote
  #3  
Old 04-20-2005, 03:08 AM
Adrian Schneider's Avatar
Adrian Schneider Adrian Schneider is offline
 
Join Date: Jul 2004
Posts: 2,528
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Yes, read both of them.

PHP Code:
<?php

$input "'a'";
$output addslashes($input);

echo $output;
?>
Produces \'a\'

and

PHP Code:
<?php

$input "'a'";
$output trim($input);

echo $output;
?>
produces 'a'

How would I just show the a?
Reply With Quote
  #4  
Old 04-20-2005, 03:49 AM
Guest190829
Guest
  
Posts: n/a
Default
I think you would use stripslashes() when accessing the information with whatever query. I'm still learning too though.
Reply With Quote
  #5  
Old 04-20-2005, 06:03 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
If you want to REMOVE all quotes, you would have to use a str_replace or preg_replace.

If you just want to create a version of your string that is safe to insert into a SQL, use addslashes to store, and if needed stripslashes later to retrieve the original string (vB does stripslashes automaitc in some cases).
Reply With Quote
  #6  
Old 04-20-2005, 09:30 AM
Revan's Avatar
Revan Revan is offline
 
Join Date: Jan 2004
Location: Norway
Posts: 1,671
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Or use mysql_real_escape_string() instead of addslashes.
I am writing a script for my site which is not vB powered, and it automatically strips the slashes from the mysql_real_escape_string()'d result.
Reply With Quote
  #7  
Old 04-20-2005, 12:06 PM
Dean C's Avatar
Dean C Dean C is offline
 
Join Date: Jan 2002
Location: England
Posts: 9,071
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Yep mysql_real_escape_string should be used instead of addslashes To strip non-alphanumeric characters you would use something like this:

PHP Code:
$string preg_replace('/[^A-Za-z0-9]+/'''$string); 
Reply With Quote
  #8  
Old 04-20-2005, 01:11 PM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I still have not found a good reason to prefer mysql_real_escape_string above the defacto standard in vB scripts addslashes.
Reply With Quote
  #9  
Old 04-20-2005, 01:46 PM
filburt1 filburt1 is offline
 
Join Date: Feb 2002
Location: Maryland, US
Posts: 6,144
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
You should probably avoid using it as vB is designed (mostly) so that the database layer is below the application layer. Rephrased, it is not coded to be used just with MySQL through the use of the database wrapper class which can be modified to use any other supporting SQL-capable database.

It seems to escape more than quotes, but I thought it was only quotes that caused the problem. For example, it also escapes newlines for some reason. But, they wrote a full page on SQL injection at http://us4.php.net/manual/en/securit...-injection.php .
Reply With Quote
  #10  
Old 04-20-2005, 03:18 PM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by filburt1
You should probably avoid using it as vB is designed
You are talking about mysql_real_escape_string i suppose?
Reply With Quote
Reply
Page 1 of 2 1 2

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 12:48 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.20386 seconds
  • Memory Usage 2,252KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (3)bbcode_php
  • (1)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (1)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (9)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete