This is a discussion on SQL security within the PHP General forums, part of the PHP Programming Forums category.
Hello list,

I was just sitting here thinking how to secure my php code and thought I would run it by the pros. I don't know what the standard practice is to secure against sql injection and malformed information passed from forms. This probably has been done several times; I just would like to know if I should do it this way or if there is a better way.

What I thought to do is create a function that simply went through a variable and removed the quotes. Something that could be used when pulling the variables from the form right off the bat. i.e.

$form_var = secure($_POST['var'];

after that just do everything else as normal.

So I'm just really looking for advice on securing my web app.

BTW: anybody heard of or use Cisco's VMPS?

Jeremy Russell
Network Administrator, CNI
580.235.2377
--- Jeremy Russell <Jeremy.Russell@chickasaw.net> wrote:
> I was just sitting here thinking how to secure my php code and
> thought I would run it by the pros. I don't know what the standard
> practice is to secure against sql injection and malformed information
> passed from forms. This probably has been done several times I just
> would like to know if I should do it this way or if there is a better
> way.
>
> What I thought to do is create a function that simply went through a
> variable and removed the quotes. Something that could be used when
> pulling the variables from the form right off the bat. i.e.
>
> $form_var = secure($_POST['var'];

Watch that closing paren. :-)

I am aware of a project that I believe attempts to do what you are wanting:

http://linux.duke.edu/projects/mini/htmlfilter/

Basically, it tries to help you out by eliminating some common attacks. While this is certainly better than nothing, it shouldn't be used as an excuse to not filter your data. This filter uses a blacklist approach, where bad stuff is filtered. You should add another layer of data filtering that follows a whitelist approach, where you only allow good stuff. Doing otherwise makes your application as secure as a Windows workstation with a virus scanner - you might be protected against known attacks, but as soon as someone comes up with something new, your defenses are irrelevant.

Hope that helps.

Chris

=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
On Fri, Oct 17, 2003 at 09:38:12AM -0500, Jeremy Russell wrote:
:
: I was just sitting here thinking how to secure my php code and
: thought I would run it by the pros. I don't know what the standard
: practice is to secure against sql injection and malformed information
: passed from forms. This probably has been done several times I just
: would like to know if I should do it this way or if there is a better
: way.

If you're using MySQL, you can use mysql_real_escape_string(). If you're using another database, hopefully there is a similar function.
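The following is an added example, not code from this thread or from either of the projects linked in the replies. It puts Chris's whitelist advice and the mysql_real_escape_string() suggestion side by side with the quote-stripping idea from the original post, so the difference between "clean up bad input" and "accept only known-good input" is visible in running code. It assumes PHP 7 or later with the mysqli extension; `$db` is a hypothetical mysqli connection, the `users` table and its columns are made up, and the function names (`secure_strip_quotes`, `filter_id`, `filter_username`, `filter_sort_column`, `build_user_query`) are this example's own.

```php
<?php
// Added example, not code from the thread or from the projects it links.
// It contrasts the quote-stripping idea from the original post with the
// whitelist filtering Chris recommends and the escaping the later reply
// suggests. Assumes PHP 7 or later with the mysqli extension; $db is a
// hypothetical mysqli connection, and the users table is made up.

// 1. The original post's idea: strip the quotes and carry on. Shown for
//    contrast only. It addresses string literals alone; a value used in a
//    numeric position such as  WHERE id = $id  needs no quotes at all, so
//    this filter leaves such input exactly as it arrived.
function secure_strip_quotes(string $value): string
{
    return str_replace(["'", '"'], '', $value);
}

// 2. Whitelist filters: each describes exactly what a valid value looks like
//    and returns null for anything else. Nothing is "cleaned"; bad input is
//    rejected and the request fails.
function filter_id(string $value): ?int
{
    // A record id is a plain non-negative integer, nothing more.
    return preg_match('/^\d{1,10}$/', $value) === 1 ? (int) $value : null;
}

function filter_username(string $value): ?string
{
    // Letters, digits and underscore, 3 to 32 characters.
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $value) === 1 ? $value : null;
}

function filter_sort_column(string $value): ?string
{
    // Identifiers (column names) cannot be escaped like string literals, so
    // they can only come from a fixed list of names the application knows.
    $allowed = ['name', 'created', 'email'];
    return in_array($value, $allowed, true) ? $value : null;
}

// 3. Build the query only from values that passed a whitelist. The one
//    free-form field is escaped with mysqli::real_escape_string(), the
//    mysqli counterpart of the mysql_real_escape_string() named in the
//    thread, and is placed inside single quotes in the SQL.
function build_user_query(mysqli $db, array $post): ?string
{
    $id   = filter_id($post['id'] ?? '');
    $sort = filter_sort_column($post['sort'] ?? '');
    $note = $post['note'] ?? '';

    if ($id === null || $sort === null) {
        return null;   // reject the whole request rather than repair it
    }

    $noteSql = $db->real_escape_string($note);
    return "SELECT name, email FROM users WHERE id = {$id} "
         . "AND note = '{$noteSql}' ORDER BY {$sort}";
}

// Constructed sample input, shaped like a submitted form. The id and sort
// values are deliberately not valid for their positions.
$sample = [
    'id'   => '1 OR 1=1',   // no quotes, so quote stripping changes nothing
    'sort' => 'password',   // a real column name, but not one the app allows
    'note' => "O'Brien",    // legitimate text that happens to contain a quote
];

var_dump(secure_strip_quotes($sample['id']));   // returned unchanged
var_dump(filter_id($sample['id']));             // rejected
var_dump(filter_sort_column($sample['sort']));  // rejected
var_dump(filter_id('42'));                      // accepted as an integer
var_dump(filter_username("o'brien"));           // rejected: quote not allowed
// With a real connection, build_user_query($db, $sample) returns null
// because the id and sort fields fail their whitelists.
```

The design point is the layering Chris describes: the whitelist decides whether a value is acceptable at all, and escaping is applied afterwards only to the one field that legitimately is free text, at the moment it is placed inside a quoted SQL literal. Quote stripping on its own covers neither the numeric id nor the column name, which is why it is kept here only as the "before" case.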
take a look at this

http://phpinsider.com/php/code/SafeSQL/

pete

Jeremy Russell wrote:
> Hello list,
>
> I was just sitting here thinking how to secure my php code and
> thought I would run it by the pros. I don't know what the standard
> practice is to secure against sql injection and malformed information
> passed from forms. This probably has been done several times I just
> would like to know if I should do it this way or if there is a better
> way.
>
> What I thought to do is create a function that simply went through a
> variable and removed the quotes. Something that could be used when
> pulling the variables from the form right off the bat. i.e.
>
> $form_var = secure($_POST['var'];
>
> after that just do everything else as normal.
>
> So I'm just really looking for advice on securing my web app.
>
> BTW: anybody heard of or use Cisco's VMPS?
>
> Jeremy Russell
> Network Administrator, CNI
> 580.235.2377