php - Short Solution for SQL Injection Attacks with MySQLi


I've gotten into the habit of writing the following sort of code:

    $q = mysqli_query($mysqli, "select * from table where a='$a' and b=$b;");
    while ($row = mysqli_fetch_array($q)) {
        // ...
    }

where $a is a string entered by the user (gotten through $_GET) and $b is a user-entered integer.

Obviously the code I have above is vulnerable to SQL injection attacks, so my habit is to rewrite it like this:

    $q = mysqli_query($mysqli, "select * from table where a='" . str_replace("'", "", $a) . "' and b=" . ($b + 0) . ";");

But of course this has problems if $a needs to have apostrophes (or quotation marks, when quotation marks are used to mark the string).

I recently learned about prepared statements in mysqli and started playing around with them. I wrote the following function to make it easier to make calls without having to change much of my code:

    function safequery($a, $b, $c) {
        global $mysqli;
        // $a = SQL with ? placeholders, $b = bind_param type string, $c = array of values
        $q = mysqli_prepare($mysqli, $a);
        // build the bind_param call as source text, one argument per array element
        $e = "mysqli_stmt_bind_param(\$q,\$b";
        $i = 0;
        while ($i < count($c)) {
            $e .= ",";
            $e .= "\$c[$i]";
            $i++;
        }
        $e .= ");";
        eval($e);
        mysqli_stmt_execute($q);
        return $q;   // a mysqli_stmt, not a mysqli_result
    }

    safequery("select * from table where a=? and b=?;", "si", array("unsafestring", 37));

But what the function returns turns out not to be a mysqli_result, so it doesn't work with the first bit of code above. After more research, I found an alternative, but it would require a complete rethink of how I write code. Is it necessary, or even possible, to protect against MySQL injection attacks with small changes to the first bit of code (no new lines, same output style, etc.)?

I have looked around on Stack Overflow and the rest of the web but can't find a simple solution; all of them require the addition of at least 3 more lines for every call and a different way of reading each row. I'd prefer something procedural-y...
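The wrapper the question is reaching for, as an added example (this is not code from the original post): a prepared-statement helper that keeps the one-call-then-mysqli_fetch_array style by converting the executed statement into a mysqli_result. It assumes PHP 5.6 or later (argument unpacking with "..."), the mysqlnd driver (which mysqli_stmt_get_result needs), an open $mysqli connection, and placeholder table, column and credential names.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 5.6, mysqlnd, and
// a reachable MySQL server; the credentials and table name are placeholders.

/**
 * Prepare, bind and execute $sql and return a mysqli_result the caller can
 * iterate with mysqli_fetch_array(), exactly like a mysqli_query() result.
 *
 * @param mysqli $mysqli open connection
 * @param string $sql    query text with ? placeholders and NO user data in it
 * @param string $types  one bind_param type char per placeholder: i, d, s or b
 * @param array  $params values for the placeholders, in order
 */
function safe_query(mysqli $mysqli, $sql, $types, array $params)
{
    if (strlen($types) !== count($params)) {
        throw new InvalidArgumentException('type string and parameter count differ');
    }
    $stmt = mysqli_prepare($mysqli, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($mysqli));
    }
    if (count($params) > 0) {
        // bind_param takes its values by reference; "..." unpacks the array
        // elements by reference, so no eval() or call_user_func_array() is needed.
        mysqli_stmt_bind_param($stmt, $types, ...$params);
    }
    if (!mysqli_stmt_execute($stmt)) {
        throw new RuntimeException('execute failed: ' . mysqli_stmt_error($stmt));
    }
    // Turn the statement into a buffered result set (mysqlnd only). Without
    // mysqlnd you would have to use mysqli_stmt_bind_result() instead.
    return mysqli_stmt_get_result($stmt);
}

// --- usage, same shape as the original loop ---
$mysqli = mysqli_connect('localhost', 'user', 'password', 'dbname');  // placeholders
if ($mysqli === false) {
    die('connect failed: ' . mysqli_connect_error());
}

$a = isset($_GET['a']) ? $_GET['a'] : '';
$b = isset($_GET['b']) ? (int) $_GET['b'] : 0;

// $a may contain quotes, backslashes or "' or 1=1 -- "; it is bound as a value
// and never becomes part of the SQL text. $b is bound as an integer.
$q = safe_query($mysqli, "select * from table where a = ? and b = ?", "si", array($a, $b));
while ($row = mysqli_fetch_array($q)) {
    // ...
}
```

The only line that changes at each call site is the query line itself; the fetch loop below it stays as it was. The helper refuses a mismatched type string, since a silent mismatch there is the usual way a "prepared" call ends up running with the wrong binding.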

I don't think half-measures are going to solve the problem. Commit to expunging all of the interpolation bugs from your code and be disciplined about using prepared statements. Your proposed fix makes things worse, as it gives a false sense of security. It's considerably more work than using prepared statements, so I'm not sure why you'd bother doing it that way.

One way to make this a lot easier is to switch from using double quotes " to single quotes ' on your queries to disable interpolation. Escaping errors then become syntax problems, and if your editor highlights them you'll be able to spot them from across the room, and if by some fluke they do work you'll be inserting harmless things like $a instead of actual data.

Another thing to consider is whether you should be using an ORM like Doctrine or Propel, given that I don't know the sophistication of your application. These can make things considerably easier from an implementation perspective.

The code you have there is a ticking time bomb; get rid of it as soon as you can. I don't think replacing quotes is enough; it solves one issue, but there are a number of other methods by which your application can be vulnerable to injection bugs. Tools like sqlmap have an entire arsenal of things they can try to break your code, and if you look at the list of things it can do if it finds a flaw, you'll want to fix these problems right away.

One way you can find the issues is by using a tool like grep:

    grep -n query $(find . -name '*.php') | grep '\$'

That's not bulletproof, but it should turn up a lot of code you should fix right away.

Also, as @ceejayoz suggests, purge the function eval from your computer and never, ever use it again.
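A sharper version of the grep check above, as an added example that is not part of the original answer: it uses PHP's own tokenizer so that a hit is a query call whose SQL argument depends on data, rather than any line containing both "query" and "$". The list of function names to watch and the sample input are my own choices; the sample is constructed and embeds the two vulnerable forms from the question next to two calls that should not be reported.

```php
<?php
// Added example, not code from the original answer. Scans PHP source for calls
// to the query functions in QUERY_FUNCS (my choice of names) and reports a call
// when its SQL argument contains an interpolated double-quoted string, a '.'
// concatenation, or any variable. For the procedural mysqli_* functions the
// first argument is the connection handle and is ignored.

const QUERY_FUNCS = array(
    'mysqli_query', 'mysqli_multi_query', 'mysqli_real_query',
    'query', 'multi_query', 'real_query',
);

function findDynamicQueries($source)
{
    $tokens = token_get_all($source);
    $n = count($tokens);
    $hits = array();

    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING || !in_array(strtolower($t[1]), QUERY_FUNCS, true)) {
            continue;
        }
        // mysqli_*() takes the connection first; $db->query() does not.
        $procedural = strncmp(strtolower($t[1]), 'mysqli_', 7) === 0;

        // Find the '(' that opens the argument list (skip whitespace).
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j >= $n || $tokens[$j] !== '(') {
            continue;  // a mention of the name, not a call
        }

        $depth = 0;
        $arg = 0;        // which top-level argument we are inside
        $reason = null;
        for ($k = $j; $k < $n; $k++) {
            $tk = $tokens[$k];
            if ($tk === '(') {
                $depth++;
                continue;
            }
            if ($tk === ')') {
                if (--$depth === 0) {
                    break;   // end of this call's argument list
                }
                continue;
            }
            if ($tk === ',' && $depth === 1) {
                $arg++;
                continue;
            }
            if ($procedural && $arg === 0) {
                continue;    // still inside the connection-handle argument
            }
            // A double-quoted string WITH interpolation is tokenised as a bare '"'
            // followed by its parts; one without is T_CONSTANT_ENCAPSED_STRING.
            if ($tk === '"') {
                $reason = 'interpolated string';
            } elseif ($tk === '.' && $reason === null) {
                $reason = 'string concatenation';
            } elseif (is_array($tk) && $tk[0] === T_VARIABLE && $reason === null) {
                $reason = 'variable in query argument';
            }
        }
        if ($reason !== null) {
            $hits[] = array('line' => $t[2], 'call' => $t[1], 'reason' => $reason);
        }
    }
    return $hits;
}

// Constructed sample input: the question's two vulnerable forms (lines 2 and 3)
// followed by a prepare() call and a constant-string query that should be clean.
$sample = <<<'PHP'
<?php
$q = mysqli_query($mysqli, "select * from t where a='$a' and b=$b");
$q = mysqli_query($mysqli, "select * from t where a='" . str_replace("'", "", $a) . "'");
$stmt = mysqli_prepare($mysqli, 'select * from t where a=? and b=?');
$r = $db->query('select 1');
PHP;

foreach (findDynamicQueries($sample) as $hit) {
    printf("line %d: %s(): %s\n", $hit['line'], $hit['call'], $hit['reason']);
}
```

Run it over real files with file_get_contents() in place of $sample. A reported "variable in query argument" is not always a bug (the variable may hold a constant string), but it is exactly the place a reviewer has to look, and the other two reasons are the interpolation and concatenation patterns the answer says to remove.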

