Thursday, 29 June 2017

php - SQL-safe method

Context: I'm trying to convince a friend to switch to using parameterized queries to prevent SQL injections and other malicious attempts, as that is the standard these days, but he has this mentality of "If it's not broken, don't fix it."



Here's the code he currently uses:




function sql_safe($text) {
return str_replace("'", "''", $text);
}


Is there a way for me to break this function to illustrate to him that this approach is not advisable anymore? I've been trying but I can't break it myself so now I'm turning to you guys for help.



Additional Info



It's being used as a general means to protect the system from SQL injections so that user inputs are escaped properly. But I feel like his approach could break in certain scenarios which I haven't figured out yet.



Answer



Here's your code:



function sql_safe($text) {
return str_replace("'", "''", $text);
}
echo "SELECT * FROM db WHERE field = '" . sql_safe($argv[1]) . "';\n";



And here's the most obvious way of breaking it:



$ php ./x.php "\' OR TRUE; -- MySQL"
SELECT * FROM db WHERE field = '\'' OR TRUE; -- MySQL';


The topic of SQL injection has been covered extensively here over the years. See for example "Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes?". There's a neat trick in there that exploits the "maximum length of string" to truncate just one of the replacement ''s.
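The following is an added worked example, not code from the question or the answer above. It reproduces the posted sql_safe() and builds the same kind of query, then shows the two ways the answer alludes to for getting past it: the backslash payload (which assumes MySQL with its default sql_mode, i.e. NO_BACKSLASH_ESCAPES not set; a database that does not treat backslash as an escape character is unaffected by this particular input) and the truncate-after-escape trick (which assumes a hypothetical 10-character field limit that the application enforces after calling sql_safe()). It ends with find_by_field(), a hypothetical replacement that uses a PDO prepared statement so the value never becomes part of the SQL text; that function needs a live PDO connection, everything before it runs offline with plain `php demo.php`.

```php
<?php
// Added example (not the original poster's code). Demonstrates why doubling
// single quotes is not a general SQL-injection defence, then the PDO fix.
declare(strict_types=1);

// The friend's function, as posted.
function sql_safe(string $text): string {
    return str_replace("'", "''", $text);
}

// How the original script embeds the "escaped" value in a query.
function build_query(string $user_input): string {
    return "SELECT * FROM db WHERE field = '" . sql_safe($user_input) . "';";
}

// Bypass 1: a backslash. sql_safe() leaves backslashes alone, but MySQL
// (default sql_mode, NO_BACKSLASH_ESCAPES off) reads \' as an escaped quote
// inside a string literal. The backslash consumes the first quote of the
// doubled pair and the second quote terminates the literal early.
$payload_backslash = "\\' OR TRUE; -- MySQL";   // the shell argument from the answer
echo build_query($payload_backslash), "\n";
// SELECT * FROM db WHERE field = '\'' OR TRUE; -- MySQL';

// Bypass 2: truncation after escaping (the "maximum length" trick).
// Assumed: a hypothetical login query whose name column is capped at
// $max_len characters, and the cap is applied to the *escaped* value.
function build_login_query(string $name, string $pass, int $max_len): string {
    $escaped_name = substr(sql_safe($name), 0, $max_len); // 11 chars cut to 10
    return "SELECT * FROM users WHERE name = '" . $escaped_name
         . "' AND pass = '" . sql_safe($pass) . "';";
}
// Nine filler characters plus one quote become eleven characters after
// doubling; cutting back to ten leaves a single, unbalanced quote at the end.
$payload_name = str_repeat('x', 9) . "'";
$payload_pass = " OR 1=1 -- ";                   // contains no quote, so sql_safe() passes it through
echo build_login_query($payload_name, $payload_pass, 10), "\n";
// SELECT * FROM users WHERE name = 'xxxxxxxxx'' AND pass = ' OR 1=1 -- ';
// MySQL reads '' as an escaped quote, so the name literal is
//   xxxxxxxxx' AND pass =
// and closes at the quote meant to open the password. What follows,
// OR 1=1 -- , is now SQL and the query matches every row.

// The fix: keep data and SQL apart at the driver. With emulated prepares
// disabled the value is sent separately from the statement text, so neither
// a backslash nor a truncated quote can change the query's structure.
// Hypothetical function; requires a real PDO connection to run.
function find_by_field(PDO $pdo, string $user_input): array {
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $pdo->prepare('SELECT * FROM db WHERE field = ?');
    $stmt->execute([$user_input]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Both constructed payloads are echoed rather than executed so the script can be run without a database; paste the printed statements into a MySQL client (with a throwaway schema) to see the first return every row via OR TRUE and the second via OR 1=1. The prepared-statement version is the point to make to the friend: it does not depend on guessing every character the target database treats specially.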

