Solved

Searching for addslashes

Posted on 2006-07-21
Last Modified: 2011-10-03
Hi there,

We have a web application written in PHP that talks to an MS SQL database running on IIS 6.0.  We need to prevent SQL injection through users typing in ' and then whatever SQL they want to add into form fields etc.  Up to now we have used addslashes() which is fine, however we want a global solution to ensure that we haven't missed any.  However we don't want to go through the entire product (over 500 pages of source code) and remove every addslashes.  We already have lots of code that deals with database queries, because we support MSSQL and MySQL so we break the query strings apart and ensure they are in the correct format for each database type etc.

What we want is the ability to incorporate into this code the ability to check if slashes have been added or not, and if not then add them.  I'm thinking regular expressions would be the way to go but I have no experience with these.  Obviously just adding slashes to a query won't work as take this string:

INSERT INTO table (field1, field2) VALUES( 'test', 'test2')

Adding slashes will produce:

INSERT INTO table(field1, field2) VALUES(\'test\', \'test2\')

This is not correct.

So any ideas?  Loads of points as we need a solution by Monday.

Cheers,

Tom
Question by:jbclelland
6 Comments
 
LVL 40

Accepted Solution

by:
Richard Quadling earned 1000 total points
ID: 17152735
mysql has mysql_real_escape_string()

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

mssql doesn't have one.

From the PHP Manual ...

Using mysql_real_escape_string() around each variable prevents SQL Injection. This example demonstrates the "best practice" method for querying a database, independent of the Magic Quotes setting.

<?php
// Quote variable to make safe
function quote_smart($value)
{
   // Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not a number or a numeric string
   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value) . "'";
   }
   return $value;
}

// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
   OR die(mysql_error());

// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
           quote_smart($_POST['username']),
           quote_smart($_POST['password']));

mysql_query($query);
?>

The query will now execute correctly, and SQL Injection attacks will not work.

You could construct your own equivalent code for an mssql_real_escape_string which does the same thing.
 
LVL 10

Expert Comment

by:wildzero
ID: 17152794
I agree with RQuadling - I use the quote_smart function for all my sql these days
 

Author Comment

by:jbclelland
ID: 17152858
We have an equivalent to this in add_slashes.  So your query would be:

<?
// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
           addslashes($_POST['username']),
           addslashes($_POST['password']));

mysql_query($query);
?>

To clarify - we need a regular expression that can search for where we haven't used addslashes, for example:

<?
// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
           $_POST['username'],
           $_POST['password']);

mysql_query($query);
?>

Is there a regular expression that could for example look for quoted strings, and then find when they are broken and see if addslashes is contained within the breaks, otherwise flag it?

Your solution is a good one, but we need to search for where we haven't done it!
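The search described in the comment above can be approximated with a short audit script rather than one regular expression. This is an added example, not code from the thread: it assumes statements end at `;`, that escaping is done by wrapping the request variable directly in one of the listed functions (the list beyond addslashes and quote_smart is an assumption), and its sample input is constructed from the snippets posted here.

```python
import re

# Request superglobals treated as untrusted input.
SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]")
# Escaping calls that count as safe when they wrap the value directly.
# addslashes and quote_smart come from this thread; the rest are assumed.
SAFE_CALL = re.compile(
    r"\b(?:addslashes|quote_smart|mysql_real_escape_string|intval)\s*\(\s*$")
# Only statements that build or run SQL are inspected.
SQL_HINT = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b|_query\s*\(", re.I)


def find_unescaped(php_source):
    """Return (line, expression) for each request variable that appears in
    an SQL-building statement without an escaping call directly around it."""
    findings = []
    offset = 0  # index in php_source where the current statement starts
    # Splitting on ';' is an approximation: a ';' inside a string literal
    # splits early, which can hide or duplicate context but never crashes.
    for stmt in php_source.split(";"):
        if SQL_HINT.search(stmt):
            for m in SOURCE.finditer(stmt):
                if not SAFE_CALL.search(stmt[:m.start()]):
                    line = php_source.count("\n", 0, offset + m.start()) + 1
                    findings.append((line, m.group(0)))
        offset += len(stmt) + 1
    return findings


# Constructed sample: one fully escaped query, one with a raw $_POST value.
SAMPLE = r'''<?php
$safe = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
           quote_smart($_POST['username']),
           quote_smart($_POST['password']));
$bad = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
           addslashes($_POST['username']),
           $_POST['password']);
mysql_query($bad);
'''

if __name__ == "__main__":
    for line, expr in find_unescaped(SAMPLE):
        print(f"line {line}: {expr} reaches SQL without an escaping call")
```

It does not follow data flow: a request value copied into another variable first and used in a query later is not reported, so review those assignments separately.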
 
LVL 5

Assisted Solution

by:floorman67
floorman67 earned 1000 total points
ID: 17169362
then use a drop in security class that sanitizes data, ensures an actual client connect, and stops injection, XSS, and brute force scouting

http://obscurity.ws/filepipe.php?fn=ccisecurity.php
http://obscurity.ws/filepipe.php?fn=filepipe.php
http://obscurity.ws/filepipe.php?fn=soapsecurity.php
