Posted by Andy Jeffries on 03/23/06 01:02

On Wed, 22 Mar 2006 21:52:11 +0000, Paul Furman wrote:

> How to I clean up SQL hacking such as this:
> /?PAGE=mycode.php&filter_in_url=%27+and+%27a%27%3D%27b%27+UNION+ALL+SELECT+my_table%2C+my_table%2C+my_field%2C+<snip>+FROM+another_table+%23
> I've got 'filter_in_url' that searches & limits the display but got hacked
> with something like the above line. I just want a couple words but not
> huge long malicious type stuff obviously. I will sometimes need to have
> quotes in the filter string (%27) although now that I check this doesn't
> currently work but I guess that's a separate issue. I'm not even sure what
> the %2C or %23 are doing. I suppose I could truncate the filter to a
> couple dozen characters, there probably isn't much that could be done in
> the length that I need.
>
> My current approach is to str_replace 'JOIN' 'DROP' etc. This is not a
> high security web page, really boring stuff, just some hacker got bored &
> decided to pick on it for fun.
>
> Thanks

I'd go with passing each of your parameter through:

http://uk.php.net/mysql-real-escape-string

It will escape all quotes properly.

Cheers,


Andy


--
Andy Jeffries MBCS CITP ZCE | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos

[Back to original message]