Preventing attacks when you cannot filter data

[victor123]

Have read the sticky posts, i am developing a site in php+mysql. Because the characteristics of the fields i am dealing with, it is not possible filtering them, so that another type of approach must be used.
I read the example of bound parametes. Unfortunately, it is perl, not php. Could somebody give me some clues at how to prevent attacks when the fields in the form cannot be filtered?
Many thanks in advance.
Cheers.

[nickk]

Hmm I am interested to hear as to why you cannot filter them, what kind of field is this? More info could help us solve your problem

[victor123]

Hi,

With filtering i refer to the following:

Many fields in a form (e.g. phone) contain only certain characters, so that you can check whether the fields you receive are correct or not (a first check in client and a security check in server). Thus, in the server side i filter all fields checking their validity.

The problem is that some fields cannot be checked because you have to allow all characters. These fields are a threat because anyone can insert sql code. At this moment, the only solution i have come up with is checking these fields for occurences of certain sql words (such as insert, delete, select, drop and so on). I believe this is not very efficient, and that was the reason of my posting.

Thanks a lot.

[nickk]

If I understand correctly, you have input fields, which are used in sql queries. If this is the case, (and you are using mysql) there is a function, addslashes() that adds a / infront of all characters that could cause a sql injection. the / escapes the character infront of it so mysql does not parse it. when you are retreiving the data that you did addslashes on, you use the function stripslashes to remove these /

[Alexei Kubarev]

well... the problem can be fixed by simply adding slashes (addslashes() or addcslashes()) to the user data and enclosing everything with ´

This will give you the security you need..

the query would look like this:

Code: Select all

<?php $sql = "SELECT * FROM table WHERE field_name= ´".addslashes($_POST['field_name_or_something'])."´"; ?>

[Alexei Kubarev]

nickk is almost right..it actually adds / infront of every single/double quote

[victor123]

All right, many thanks to you both. Is it more convenient to use addslashes or mysql_escape_string?

Thanks again.

[Alexei Kubarev]

hmmz... i would say adding slashes... but that however is more up to you...
adding slashes will make it a bit more portable in my opinion

[bezmond]

Also try using the strip_tags() function - I find this very useful for removing unwanted HTML tags (I don't want links or bold being posted!)

Andrew