php - How to prevent SQL (mySQL) Injection through plain escaping (not using prepared statements) -


this question has answer here:

first of all, let's 1 thing straight, while im sure it's not solution sql injections, prepared statements better , more secure... that's granted.

so let's not debate anymore, needed explore escaping options , target user inputs rather statement..

(a bit of story) have huge application w/ lots of basic sql statements need make "safer" in short period of time. converting statements pdo monster of task requires resources not available situation.

but thing there's hook in application incoming $_get/$_post passes through function before making available plain variable in scripts... ( eg.globalize($_post) )

so i'm looking target function instead , focus on "cleaning" user input ...

i pretty got grasp of sql injection techniques, , of concept, such as: 1) whenever there user input involved in statement, that's when attacker has opportunity 2) main mission break statement's quoting simple single or double quotes string, or character codes, in attacker's input.. 3) escaping @ preventing sql injections except situation when database character encoding able ready multibyte representations of nasty illegal strings , script based escaping misses it.

based on above premise, if:

1) sql statements follow standard user input quoted using single quotes always, therefore there no guess work me anymore on type of quote need escape (single quotes)

2) user inputs (post / get) go through function (eg. globalize() ) addslashes() , globalizes each variable

3) intranet application , scripts can made aware of database encoding support.

question: threats available in above situation , how can handle them?

...i looking adding routines globalize() function similar mysql_real_escape_string() .. or go far "tweaking" sql statements use mysql_real_escape_string() lot easier/faster programming statements on each sql query..

ps of course script may never secure prepared statements, need make hard enough attackers (not looking 100% bullet proof not worth it)

using

mysql_real_escape_string($link,$non_escaped_string);

see here: http://php.net/manual/en/mysqli.real-escape-string.php


Comments

Post a Comment

Popular posts from this blog

java - How to specify maven bin in eclipse maven plugin? -

i have eclipse maven plugin coming on centos. how can execute maven command on linx like: mvn clean package [abigail@localhost ~]$ mvn bash: mvn: command not found how should specify path executable of maven plugin in eclipse? or have install maven seperately? thanks. eclipse (m2e) have bundled central parts of maven inside eclipse plugin, why not detected, , not usable. investigation find correct way bootstrap it, have create launcher file manually. if want run maven outside of eclipse, far better off standalone version of maven. mvn command bootstrap maven runtime system correctly, , secondly, able use advice concerning use of maven. maven binaries quite stable, wouldn't need upgrade upgrade eclipse. you can subsequently switch eclipse use external installation if prefer.
Read more

single sign on - Logging into Plone site with credentials passed through HTTP -

i using plone 4.3.3 , new plone development. here trying achieve: i have site going redirect plone site. in http url line redirects plone site pass username whereas plone site should automatically log user username in without asking credentials password. not care safety or encryption @ point. how achieve that? (i guess need somehow modify existing login view, how do that?) thanks. i had same problem , @ end i've developed own pas plugin. i've followed next steps: create pas plugin implement extractcredentials method following this example implement authenticatecredentials method following this example add plugin develop section in build.conf. start plone , open zope console. go acl_users folder , add plugin pas system there examples here can use templates.
Read more

php - Why does AJAX not process login form? -

i writing simple login script in php form. can't work. there wrong ajax. when click submit button doesn't anything. this login html form: <form id="login_form"> <input type="text" class="input_field" name="username" id="username" value="gebruikersnaam" onclick="if(value=='gebruikersnaam'){ this.value='' }"/> <input type="password" class="input_field" name="password" id="password"/> <input type="submit" class="login_button" id="login_button" value="ga door"/> </form> this ajax: $(document).ready(function(){ $("#login_form").submit(function() { $.ajax({ type: "post", url: 'php/login_check.php', data: $("#login_form").serialize(), // serializes form...
Read more