www.webdeveloper.com
Results 1 to 11 of 11

Thread: Sanitizing a key variable

  1. #1
    Join Date
    May 2005
    Posts
    212

    Sanitizing a key variable

    Is this line a reasonable way to sanitize an input of a primary key value to prevent SQL injection attacks?

    PHP Code:
        $post_id_sanitized sprintf("%u",mysql_real_escape_string($_POST['id'])); 
    Thanks in advance, I've got a lot of new stuff to work through here.

    Rob

  2. #2
    Join Date
    May 2005
    Posts
    212
    Partially answering my own question, I threw this in a page:
    PHP Code:
    $request_input_sanitized sprintf("%u",mysql_real_escape_string($_REQUEST['input']));
    echo 
    "".$_REQUEST['input']."<br />$request_input_sanitized"
    Then I loaded the page in the browser with the following query string;
    Code:
    temp.php?input=rew123ture;select * from devices
    The return I got was this;
    Code:
    123ture;select * from users
    123
    Line two suggests that the function does indeed strip away the malicious code (imagine a 'drop' statement instead of 'select') and force the data to numeric.

    However, I'd still welcome input from others to tell me if I'm missing something. Perhaps this isn't always as effictive as it appears to be here.

  3. #3
    Join Date
    May 2005
    Posts
    212
    A quick correction to that last.

    If my input string started with rew123ture, I got a zero returned, if my input string started with numbers, I got the numbers, with the trailing string stripped away.

  4. #4
    Join Date
    Oct 2010
    Location
    Ohio
    Posts
    233
    Sprintf &#37;u type casting as unsigned integer. If you want it to be a string, you would need to use %s instead. When PHP converts a string to a number, it starts at the beginning and goes on until it finds a non-numeric character. This means that if it starts with a non-numeric character it will return 0, otherwise the beginning numbers.

    For more info about how PHP changes type cast see this info on type juggling.

    HTH
    Last edited by Derokorian; 07-31-2011 at 02:52 PM.
    ~Ryan
    www.rdennispallas.com <-- Personal Site, changing regularly cuz its ugly.

  5. #5
    Join Date
    May 2005
    Posts
    212
    Thanks for that good info.

    I take it then that this is a valid way to sanitize inputs.

  6. #6
    Join Date
    Aug 2010
    Location
    Ohio
    Posts
    136
    using the proper escape_string function (in this case mysql_real_escape_string) along with building the query via sprintf is very acceptable way to sanitize input, just make sure you are typecasting the variables into the query the way you want them. %s for strings, %d for decimals, %u for unsigned integers, etc =D All the options can be found on the sprintf manual.

  7. #7
    Join Date
    May 2005
    Posts
    212
    Thank you for your input.

    I'd like to ask one more detail;

    When sanitizing inputs for my PHP/MySQL, I'm not positive what needs to be covered.

    Do I only need to sanitize those SQL queries that have components that come from a form or query string, or do I need to sanitize all queries regardless?

    Are the queries without form or URL input good to sanitize but not absolutely neccesary?

    I have a considerable amount of work to do to clean up a web application, and I'm not positive what needs to be done as I'm new to this aspect of PHP/MySQL.

  8. #8
    Join Date
    Aug 2010
    Location
    Ohio
    Posts
    136
    Personally I sanitize everything that can be found in a superglobal array, IE: $_GET, $_POST, $_COOKIE, and even $_SESSION tho the last may not be truly necessary. Anything hard coded, such as the table name, column names, join equalities and unchanging where clauses don't need any special sanitizing, they just need to be well formed queries.

    Just remember its always better to sanitize something that won't be harmful, than to leave something unsanitized that can be harmful.

  9. #9
    Join Date
    May 2005
    Posts
    212
    That's good info, thanks.

    I've been thinking more in terms of POST and GET; I might have missed cookies and session variables.

    I've got a lot of work ahead of me but I've got a better picture of what I need to do.

    Thanks again,

    Rob

  10. #10
    Join Date
    Aug 2010
    Location
    Ohio
    Posts
    136
    I don't know what editor your use, or how your variables are currently placed into the queries. But if they are inserted in a standard way thru all scripts and you use Komodo Edit you could create regex replacement pattern to update all your queries at once! (this is why I love KE so much)

  11. #11
    Join Date
    May 2005
    Posts
    212
    I use Notepad++ and I'm sure I could use regex with it. Unfortunately, because I learned PHP/MySQL as I wrote this webapp, the structure is not as disciplined and consistent as it would be if I wrote it today.

    This may be an opportunity to impose some order on it, but I probably won't rewrite all the static queries.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles