Good or Bad idea?


30 replies to this topic

#1 BlaineSch

BlaineSch

    CC Leader

  • Expert Member
  • 1559 posts

Posted 22 August 2009 - 11:00 AM

So I recently had somebody ask me to make a function to filter a query, which shed some light on something I *could* do. So I made this, but do you guys think it's a good idea or a time waster? (Not my time but server time)

Obviously this still has room for injection and such. I was thinking about expanding it to allow me to input other things, like if I knew it was just for selects, I could make sure it only selects, or if I knew no joins were in it, I could make sure there were no joins, but I am not sure.

If anything I could just take out the logging feature, which I think could come in handy if I got hacked or something.

Note: this is for public use on a site, not like the admin section, I know I will not truncate or drop a table from the public pages.

Function:
function mysql_query_bs($input) {
    $ret = -1; // stays -1 if the filter rejects the query
    $rows = array(); // initialise so the return below is always defined
    $ip = mysql_real_escape_string($_SERVER['REMOTE_ADDR']); // quoted key; escaped before it is logged
    $encoded = base64_encode($input);
    $todo = array('/TRUNCATE(.*)?TABLE/i','/DROP(.*)?TABLE/i','/exec\((.*)?\)/i','/passthru\((.*)?\)/i','/eval\((.*)?\)/i','/system\((.*)?\)/i','/exec\(/i','/passthru\(/i','/eval\(/i','/system\(/i');
    if(strlen(preg_replace($todo, '', strip_tags($input))) == strlen($input)) {
        $ret = 1; // nothing was filtered out, so the query is run
        $query = mysql_query($input);
        if(!$query) {
            $ret = -2; // query did not execute
        } else if(mysql_num_rows($query) == 0) {
            $ret = -3; // no rows to return
        } else {
            while($row = mysql_fetch_assoc($query)) {
                $rows[] = $row;
            }
        }
    }
    mysql_query("INSERT INTO `qlog` SET `ip`='$ip', `query`='$encoded', `return`=$ret");
    return ($ret == 1) ? $rows : $ret;
}


Use:
$var = mysql_real_escape_string($_POST['var']); // escape before interpolating into the SQL string
$query = mysql_query_bs("SELECT * FROM `global` WHERE `name`='$var'"); // backticks, not quotes, around the column name
if(is_array($query)) {
    print_r($query); // put a foreach() or something here
} else {
    echo "Error Code: ".$query;
}


Output:
Error Code: -1

  • 0
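The same "rows or negative status code" contract, rebuilt on MySQLi prepared statements so that user input is bound as a parameter instead of being spliced into the SQL text. This is an added example, not BlaineSch's code; the `qlog` columns and the `global` table are taken from the post, while the connection details and the `site_ro` account name are placeholders.

```php
<?php
// Added example (not code from the thread). Keeps mysql_query_bs()'s contract:
// an array of rows on success, a negative status code otherwise, plus a log row.
// The `qlog` and `global` tables are assumed from the post; credentials are placeholders.

mysqli_report(MYSQLI_REPORT_OFF); // make prepare()/execute() return false instead of throwing

const Q_OK        = 1;  // rows returned
const Q_EXEC_FAIL = -2; // statement failed to prepare or execute
const Q_NO_ROWS   = -3; // executed but returned no rows

/** Log the SQL template (placeholders, no user data), the client IP and the outcome. */
function query_log(mysqli $db, string $sql, int $ret): void {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'cli';
    $encoded = base64_encode($sql);
    $stmt = $db->prepare("INSERT INTO `qlog` SET `ip`=?, `query`=?, `return`=?");
    if ($stmt !== false) {
        $stmt->bind_param('ssi', $ip, $encoded, $ret);
        $stmt->execute();
        $stmt->close();
    }
}

/**
 * Run a parameterised SELECT. $sql carries '?' placeholders; $types is the
 * mysqli_stmt::bind_param type string (e.g. 's', 'si') for $params.
 * Returns an array of associative rows, or one of the Q_* codes.
 */
function query_select(mysqli $db, string $sql, string $types = '', array $params = []) {
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        query_log($db, $sql, Q_EXEC_FAIL);
        return Q_EXEC_FAIL;
    }
    if ($params !== []) {
        $stmt->bind_param($types, ...$params); // argument unpacking binds by reference (PHP 5.6+)
    }
    if (!$stmt->execute()) {
        $stmt->close();
        query_log($db, $sql, Q_EXEC_FAIL);
        return Q_EXEC_FAIL;
    }
    $result = $stmt->get_result(); // requires the mysqlnd driver
    $rows = $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
    $stmt->close();

    $ret = ($rows === []) ? Q_NO_ROWS : Q_OK;
    query_log($db, $sql, $ret);
    return ($ret === Q_OK) ? $rows : $ret;
}

// Usage, mirroring the post's example. The value from $_POST never touches the SQL text.
$db = new mysqli('localhost', 'site_ro', 'PLACEHOLDER_PASSWORD', 'site');
$var = $_POST['var'] ?? '';
$result = query_select($db, "SELECT * FROM `global` WHERE `name`=?", 's', [$var]);
if (is_array($result)) {
    print_r($result);
} else {
    echo "Error Code: " . $result;
}
```

Because only the statement template is logged, the `qlog` table no longer stores raw visitor input, and the denylist of keywords becomes unnecessary: a bound parameter is always treated as a value, never as SQL.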

#2 Orjan

Orjan

    CC Mentor

  • Moderator
  • 2918 posts
  • Location:Karlstad, Sweden
  • Programming Language:C, Java, C++, C#, PHP, JavaScript, Pascal
  • Learning:Java, C#

Posted 22 August 2009 - 11:07 AM

Why not return the result instead, so you can handle it yourself if needed? That's how I do it in my own query function, at least.
  • 0

I'm a System developer at XLENT Consultant Group mainly working with SugarCRM.
Please DO NOT send mail or PM to me with programming questions, post them in the appropriate forum instead, where I and others can answer you.


#3 BlaineSch

BlaineSch

    CC Leader

  • Expert Member
  • 1559 posts

Posted 22 August 2009 - 11:11 AM

It returns the results that I can use in the foreach which was commented out.
return ($ret==1)?$rows:$ret; //1 means there is something to return


How does your function work Orjan?
  • 0

#4 Guest_Jordan_*

Guest_Jordan_*
  • Guest

Posted 22 August 2009 - 11:13 AM

I'm confused, it looks like you are trying to protect SQL queries from having certain keywords, but why don't you just use a different user for the front end that can't make these types of queries?
  • 0

#5 BlaineSch

BlaineSch

    CC Leader

  • Expert Member
  • 1559 posts

Posted 22 August 2009 - 11:14 AM

Cause that is too simple.
  • 0

#6 Guest_Jordan_*

Guest_Jordan_*
  • Guest

Posted 22 August 2009 - 11:17 AM

lol. Indeed.
  • 0

#7 BlaineSch

BlaineSch

    CC Leader

  • Expert Member
  • 1559 posts

Posted 22 August 2009 - 11:20 AM

I do not have to manage 3 users if I do this method, one for public basic, public advanced, and one admin one.

Users don't filter joins and such as well though too :D mine does not either... but it could! Mine also logs :D
  • 0

#8 Guest_Jordan_*

Guest_Jordan_*
  • Guest

Posted 22 August 2009 - 11:43 AM

Well then... I would use MySQLi. The MySQL library is being replaced by MySQLi and will not be "defaulted" into PHP6 anyway, so you should get used to using it.
  • 0

#9 BlaineSch

BlaineSch

    CC Leader

  • Expert Member
  • 1559 posts

Posted 22 August 2009 - 11:44 AM

Where do you see the proof for this at? I had to use it once and really did not like it lol

Geez PHP is taking away all the stuff I use... I do not like these changes!
  • 0

#10 BlaineSch

BlaineSch

    CC Leader

  • Expert Member
  • 1559 posts

Posted 22 August 2009 - 12:00 PM

I may be missing something, but when I create a new user, TRUNCATE is not an option I can allow/disallow.
  • 0

#11 Guest_Jordan_*

Guest_Jordan_*
  • Guest

Posted 22 August 2009 - 12:09 PM

I don't see the option for it, either, but if you just allow them to "select" that is all they can do regardless of the missing option. :) How are you creating new users?

Proof? What? From my blog post of course: "ext/msql has been removed, while ext/ereg will now raise E_DEPRECATED notices"

http://forum.codecal...5-3-alpha3.html

I didn't link to the source though but it is somewhere on php.net
  • 0
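On the privilege question raised in #4, #10 and #11: in MySQL, TRUNCATE TABLE requires the DROP privilege, so an account granted only SELECT cannot truncate or drop anything regardless of what the SQL text says. The added example below (not code from the thread) shows a startup check a public page can run to confirm it is actually connected as such an account, failing closed if the grants include anything beyond SELECT. The `site_ro` account, the `site` database and the grant statements in the comment are assumed for illustration.

```php
<?php
// Added example (not from the thread). Verifies that the account the public
// pages use has nothing but SELECT, so the database enforces the restriction
// the regex filter tried to approximate. Assumed one-time setup by an admin:
//   CREATE USER 'site_ro'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT ON `site`.* TO 'site_ro'@'localhost';

/**
 * Parse SHOW GRANTS output lines and return every privilege not in $allowed.
 * USAGE is MySQL's "no privileges" marker, so it is allowed by default.
 * Pure function: testable without a database connection.
 */
function disallowed_privileges(array $grantLines, array $allowed = ['SELECT', 'USAGE']): array {
    $bad = [];
    foreach ($grantLines as $line) {
        // Typical line: GRANT SELECT, INSERT ON `site`.* TO `site_ro`@`localhost`
        if (!preg_match('/^GRANT\s+(.*?)\s+ON\s/i', $line, $m)) {
            // A GRANT line without ON is a role grant; roles hide privileges, so flag it.
            if (stripos($line, 'GRANT ') === 0) {
                $bad[] = 'ROLE GRANT';
            }
            continue;
        }
        foreach (explode(',', $m[1]) as $priv) {
            $priv = preg_replace('/\s*\(.*\)$/', '', trim($priv)); // drop column lists like SELECT (name)
            $priv = strtoupper(trim($priv));
            if ($priv !== '' && !in_array($priv, $allowed, true)) {
                $bad[] = $priv;
            }
        }
    }
    return array_values(array_unique($bad));
}

/** Refuse to serve the page if the connected account is over-privileged. */
function assert_read_only(mysqli $db): void {
    $lines = [];
    $res = $db->query('SHOW GRANTS FOR CURRENT_USER()');
    if ($res !== false) {
        while ($row = $res->fetch_row()) {
            $lines[] = $row[0];
        }
    }
    $extra = disallowed_privileges($lines);
    if ($extra !== []) {
        error_log('public DB account has unexpected privileges: ' . implode(', ', $extra));
        http_response_code(500);
        exit; // fail closed rather than run queries with a powerful account
    }
}

// Constructed sample lines, showing what the check accepts and rejects.
$readOnly = [
    "GRANT USAGE ON *.* TO `site_ro`@`localhost`",
    "GRANT SELECT ON `site`.* TO `site_ro`@`localhost`",
];
$tooBroad = [
    "GRANT SELECT, INSERT, DROP ON `site`.* TO `site_rw`@`localhost`",
];
var_dump(disallowed_privileges($readOnly) === []);                  // true
var_dump(disallowed_privileges($tooBroad) === ['INSERT', 'DROP']);  // true
```

Calling `assert_read_only($db)` right after connecting catches the common deployment mistake of pointing the public pages at the admin account, which no amount of query-text filtering would detect.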

#12 BlaineSch

BlaineSch

    CC Leader

  • Expert Member
  • 1559 posts

Posted 22 August 2009 - 12:11 PM

Screw PHP lol, I am starting to dislike it haha
  • 0
