MySQL INJECTION Solution...
Posted by Val on Stack Overflow
Published on 2010-05-07T09:45:32Z
I have been bothered for so long by MySQL injections and was thinking of a way to eliminate this problem altogether. I have come up with something below; I hope that many people will find this useful.
The only drawback I can think of with this is the partial search: Jo => returns "John" by using the LIKE %% statement.
Here is a PHP solution:
<?php
// Replace SQL keywords in a value with their base64-encoded form.
function safeQ($value){
    $search  = array('delete','select'); // and every keyword...
    $replace = array(base64_encode('delete'), base64_encode('select'));
    return str_replace($search, $replace, $value);
}
// Reverse the substitution before a stored value is displayed.
function html($str){
    $search  = array(base64_encode('delete'), base64_encode('select'));
    $replace = array('delete','select'); // and every keyword...
    return str_replace($search, $replace, $str);
}
//example 1
// ...
// ...
$result = mysql_fetch_array($query); // returns a single row
echo html($result['field_name']);
//example 2
$select = 'SELECT * FROM ' . safeQ($_GET['query']) . ' ';
//example 3
$insert = 'INSERT INTO .... value(' . safeQ($_GET['query']) . ')';
?>
I know, I know that you could still inject using 1=1
or any other type of injection...
but I think this could solve half of your problem, so the right MySQL query is executed.
So my question is: if anyone can find any drawbacks with this, then please feel free to comment here.
PLEASE GIVE AN ANSWER only if you think that this is a very useful solution and no major drawbacks are found OR you think it is a bad idea altogether...
© Stack Overflow or respective owner
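
An added example, not part of the original post: the keyword substitution from the question compared with a bound parameter, including the partial "Jo" search the post lists as a drawback. The `users` table, the helper names (`keywordFilter`, `findByConcat`, `findByParam`, `findByPrefix`) and the input strings are constructed for illustration, and an in-memory SQLite database (the `pdo_sqlite` extension) stands in for MySQL so the script runs without a server.

```php
<?php
// Constructed data; SQLite in-memory is an assumption standing in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('John'), ('Joan'), ('Mary')");

// Keyword substitution in the style of the post (hypothetical helper name).
function keywordFilter($value) {
    $search  = array('delete', 'select');
    $replace = array(base64_encode('delete'), base64_encode('select'));
    return str_replace($search, $replace, $value);
}

// Filtered value concatenated into the statement: quotes in the input
// are still parsed as SQL syntax, because no keyword is involved.
function findByConcat(PDO $pdo, $name) {
    $sql = "SELECT name FROM users WHERE name = '" . keywordFilter($name) . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared statement: the value is bound as data and never parsed as SQL.
function findByParam(PDO $pdo, $name) {
    $stmt = $pdo->prepare("SELECT name FROM users WHERE name = ?");
    $stmt->execute(array($name));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Partial search: escape LIKE wildcards in the input, then bind the pattern.
function findByPrefix(PDO $pdo, $prefix) {
    $escaped = str_replace(array('!', '%', '_'), array('!!', '!%', '!_'), $prefix);
    $stmt = $pdo->prepare("SELECT name FROM users WHERE name LIKE ? ESCAPE '!'");
    $stmt->execute(array($escaped . '%'));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input of the 1=1 kind the post mentions; it contains no keyword.
$input = "x' OR '1'='1";

echo "filtered + concatenated:\n";
print_r(findByConcat($pdo, $input));   // the WHERE clause is altered by the input
echo "bound parameter:\n";
print_r(findByParam($pdo, $input));    // the input is compared as one literal string
echo "prefix search for 'Jo':\n";
print_r(findByPrefix($pdo, 'Jo'));     // partial search works with no keyword encoding
```

With binding, stored values stay unmodified, so no reverse step such as `html()` is needed on output.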