Tycoon Talk

PHP Forum

$_REQUEST filtering for Preventing URL Attacks.!!
Old 05-25-2009, 08:34 AM $_REQUEST filtering for Preventing URL Attacks.!!
Junior Talker

Posts: 1
Name: PoliteBoy
Trades: 0
While reading source code, I came across a script which was vulnerable to SQL injection attacks. My code is:

PHP Code:
<?php
// Read the parameter from the merged GET/POST/COOKIE array
$en = $_REQUEST;

$req = $en["req"];
if ($req == "search") {
    print "query";
}
?>
What I want is that only specific characters, like a-z, 0-9 and [], are allowed, and no other character should be allowed when someone accesses http://www.mysite.com/index.php?req=search . If some user enters http://www.mysite.com/index.php?req=1' then it gives an error like "you have an error in your MySQL ........." . I want all other characters to be removed before they are processed.

Any help will be appreciated a lot!!

Best Regards:

PoliteBoy!!
Old 05-25-2009, 10:29 AM Re: $_REQUEST filtering for Preventing URL Attacks.!!
Extreme Talker

Posts: 181
Name: David Jackson
Trades: 0
PHP Code:
<?php

$en = $_REQUEST;

// Check the submitted value itself; as posted this read ctype_alpha('req'),
// which tests the literal string 'req' and therefore always passed.
if (isset($en['req']) && (ctype_digit($en['req']) || ctype_alpha($en['req']))) {

    /// its clean

} else {

    /// its dodgy

}

?>
Old 05-25-2009, 10:43 AM Re: $_REQUEST filtering for Preventing URL Attacks.!!
Poo on You

Posts: 3,987
Name: Abel Mohler
Location: Asheville, North Carolina USA
Trades: 0
mysql_real_escape_string()
Old 05-26-2009, 07:49 AM Re: $_REQUEST filtering for Preventing URL Attacks.!!
EdB
Skilled Talker

Posts: 79
Name: Ed Barnett
Trades: 0
Both posts include things you should look at using in conjunction with any database work you do. However, I believe what you want is to use Regular Expressions (RegEx) to determine whether or not someone has used illegal characters in your variables (you could use 'ctype_alnum()' if you didn't want the square brackets to be legal characters []) .

In ctype_alnum you are only allowed 0-9, a-z and A-Z. Anything other than this (even a blank space --> <--) is illegal and will cause the function to return false.

However, if you NEED to have square brackets in the variables then it is best you use regular expressions. This is something that is common to most languages, though sadly it's not my strong point. The website below will help detail how it works:

http://www.regular-expressions.info/

You would then need to use the PHP ereg() function to search a string for illegal characters.

Anyone else...?
Last edited by EdB; 05-26-2009 at 07:53 AM..
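An added example, not code from the thread, of the allow-list check EdB describes: ctype_alnum() for letters and digits only, and a preg_match() pattern when square brackets must be accepted. It uses preg_match() rather than the ereg() family EdB mentions, because ereg() was deprecated in PHP 5.3 and removed in PHP 7.0. The validate_* function names, the 64-character length cap and the sample inputs are my own constructions; the request is read from $_GET because "req" arrives on the query string.

```php
<?php
// Added example: allow-listing the "req" parameter. Not from the thread.

// Returns the value if it consists only of a-z, 0-9, '[' and ']',
// otherwise null. ^ and $ anchor the pattern to the whole string; the D
// modifier stops $ from also matching just before a trailing "\n".
// The {1,64} length cap is an assumption for this example.
function validate_req(?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    return preg_match('/^[a-z0-9\[\]]{1,64}$/D', $value) === 1 ? $value : null;
}

// Stricter variant for parameters that never need brackets: 0-9, a-z, A-Z.
// ctype_alnum() returns false for the empty string (PHP >= 5.1).
function validate_alnum(?string $value): ?string
{
    return ($value !== null && ctype_alnum($value)) ? $value : null;
}

// Constructed inputs, including the "1'" case from the question.
$samples = [
    'search',                    // accepted by both
    'item[3]',                   // accepted by validate_req, rejected by ctype_alnum
    "1'",                        // quote: rejected by both
    'search ',                   // trailing space: rejected by both
    "search\n",                  // trailing newline: rejected because of /D
    '',                          // empty: rejected by both
    'a' . str_repeat('b', 70),   // over the length cap: rejected by validate_req
];

foreach ($samples as $s) {
    printf("%-14s preg:%-10s ctype:%s\n",
        json_encode($s),
        validate_req($s) ?? 'REJECT',
        validate_alnum($s) ?? 'REJECT');
}

// Request handling (skipped on the command line). PHP turns req[]=x into an
// array, so check the type before validating, and stop on rejection rather
// than trying to "clean" the value.
if (PHP_SAPI !== 'cli') {
    $raw = $_GET['req'] ?? null;
    $req = validate_req(is_string($raw) ? $raw : null);
    if ($req === null) {
        http_response_code(400);
        exit('invalid req');
    }
    // $req now matches [a-z0-9\[\]]+ and can be compared, e.g. $req === 'search'
}
```

Rejecting the request is preferable to stripping characters: a "cleaned" value such as "1" from "1'" silently changes what the user asked for, and the rejection is a useful signal in the logs.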
Old 05-26-2009, 07:51 AM Re: $_REQUEST filtering for Preventing URL Attacks.!!
EdB
Skilled Talker

Posts: 79
Name: Ed Barnett
Trades: 0
PS. Don't use the $_REQUEST array unless you seriously have to. I've been coding PHP for over a year and have only used it ONCE (and that was to give some flexibility).

If you are expecting a variable to come from the query string then use the $_GET array. If you are expecting a variable from a form submission then use the $_POST array.

It'll lead to much more secure programming.
Old 05-26-2009, 08:04 AM Re: $_REQUEST filtering for Preventing URL Attacks.!!
Poo on You

Posts: 3,987
Name: Abel Mohler
Location: Asheville, North Carolina USA
Trades: 0
You are all reading way too deeply into this. If a $_GET var is supposed to be a number, all you need to do is clean it with intval:

website.com?page=1
PHP Code:
$clean_page = intval($_GET["page"]);
If a variable is supposed to be a string, all you need to do is escape it with mysql_real_escape_string:

website.com?page=fancy_name
PHP Code:
$clean_page = mysql_real_escape_string($_GET["page"]);
Now, either example is safe to append to a SQL query.
Last edited by wayfarer07; 05-26-2009 at 08:05 AM..
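An added example, not code from the thread, that runs intval(), escaping and a prepared statement against the same injection payloads. It uses an in-memory SQLite database through PDO (the pdo_sqlite extension, normally built in), so a quote-doubling escaper stands in for mysql_real_escape_string(), which needs a live MySQL connection and was removed together with the mysql_* extension in PHP 7.0. The table, rows and payloads are constructed. The caveat it shows is the one a practitioner needs with the escaping approach: an escaper only protects a value that sits inside quotes in the query, so a string that is escaped and then dropped into an unquoted numeric position (WHERE id = $x) is still injectable; intval() or a bound parameter closes that gap.

```php
<?php
// Added example: escaping vs intval() vs prepared statements, run against
// SQLite in memory. Not from the thread.

function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec("INSERT INTO pages (id, name) VALUES (1, 'home'), (2, 'about'), (3, 'admin')");
    return $pdo;
}

// Escapes a value for use INSIDE single quotes (SQLite doubles the quote).
// Like mysql_real_escape_string() it adds no quotes of its own; this is a
// stand-in for that function, which is not available here.
function sqlite_escape(string $s): string
{
    return str_replace("'", "''", $s);
}

function count_rows(PDO $pdo, string $sql): int
{
    return count($pdo->query($sql)->fetchAll());
}

$pdo = demo_db();

// 1. Escaped string in a QUOTED context: the payload stays a literal and
//    matches no row.
$name = sqlite_escape("x' OR '1'='1");
$n1 = count_rows($pdo, "SELECT * FROM pages WHERE name = '$name'");

// 2. Escaped string in an UNQUOTED numeric context: the payload contains no
//    quote, so escaping changes nothing and the OR 1=1 returns every row.
$id = sqlite_escape('1 OR 1=1');
$n2 = count_rows($pdo, "SELECT * FROM pages WHERE id = $id");

// 3. intval() for the numeric context: "1 OR 1=1" collapses to the integer 1.
$id = intval('1 OR 1=1');
$n3 = count_rows($pdo, "SELECT * FROM pages WHERE id = $id");

// 4. Prepared statements: the value never becomes part of the SQL text, so
//    the quoted/unquoted distinction disappears.
$stmt = $pdo->prepare('SELECT * FROM pages WHERE name = :name');
$stmt->execute([':name' => "x' OR '1'='1"]);
$n4 = count($stmt->fetchAll());

$stmt = $pdo->prepare('SELECT * FROM pages WHERE id = :id');
$stmt->bindValue(':id', intval('1 OR 1=1'), PDO::PARAM_INT);
$stmt->execute();
$n5 = count($stmt->fetchAll());

printf("quoted+escape: %d  unquoted+escape: %d  intval: %d  prepared: %d / %d\n",
    $n1, $n2, $n3, $n4, $n5);
```

Run it with php on the command line; case 2 is the one to compare against the others. On MySQL the same pattern holds with mysqli_real_escape_string() or, better, mysqli/PDO prepared statements, and intval() remains correct for any value that is meant to be an integer.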
Old 05-26-2009, 08:10 AM Re: $_REQUEST filtering for Preventing URL Attacks.!!
EdB
Skilled Talker

Posts: 79
Name: Ed Barnett
Trades: 0
Security in depth via redundant safeguards - it's never a bad thing :)
Old 05-26-2009, 08:19 AM Re: $_REQUEST filtering for Preventing URL Attacks.!!
Poo on You

Posts: 3,987
Name: Abel Mohler
Location: Asheville, North Carolina USA
Trades: 0
Sure, but there is no way past intval... Either it's a number, or nothing. And I'm not aware of any vulnerabilities in the latter function either. Why do all the heavy lifting? Chances are greater that you'll miss something.

Of course, this is coming from a guy who builds his own encryption functions... so I may be a lousy example.
Last edited by wayfarer07; 05-26-2009 at 08:20 AM..