Secure your SQL - My Forums

Re: Secure your SQL

sottwell — May 12, 2006, 11:58 PM

This is nice, because until there is a MODx DB API available for external use, such as in AJAX requests, the back-end request handling code needs to thoroughly validate all incoming data before it gets used.

Re: Secure your SQL

indie — May 12, 2006, 07:58 PM

Quote from: xwisdom at Feb 09, 2006, 04:12 PM

Thanks for sharing susan.

There’s also safehtml for XSS

http://pixel-apes.com/safehtml/

Great piece of code! I was doing something like this just recently but this is way better, thanks for the link!

---Indie

Re: Secure your SQL

rethrash — Feb 09, 2006, 10:28 AM

Now that’s a really cool bit of code. Nice find Raymond!

Re: Secure your SQL

xwisdom — Feb 09, 2006, 10:12 AM

Thanks for sharing susan.

There’s also safehtml for XSS

http://pixel-apes.com/safehtml/

Secure your SQL

sottwell — Feb 09, 2006, 06:43 AM

Taken from the PHP documentation, this works as-is for PHP >= 4.3 to keep evildoers from trying to hack your database. Remember, evildoers can work around any client-side javascript validation!

If you are using the MODx DBAPI, remove the part that sets the single quote if not integer, since MODx adds single quotes.

function quote_smart($value)
{
   // Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not integer - remove or comment out if using MODx DBAPI
   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value) . "'";
   }

// if using MODx DBAPI uncomment this
//  $value = mysql_real_escape_string($value);

   return $value;
}

Filter all of your incoming data through this:

$val1 = quote_smart($_POST['value1']);
$val2 = quote_smart($_POST['value2']);
$query = "INSERT INTO $dbase.$table (`field1`, `field2`) VALUES ($val1, $val2)";