Posted by Paul Furman on 03/23/06 01:35

Andy Jeffries wrote:

> On Wed, 22 Mar 2006 21:52:11 +0000, Paul Furman wrote:
>
>
>>How to I clean up SQL hacking such as this:
>>/?PAGE=mycode.php&filter_in_url=%27+and+%27a%27%3D%27b%27+UNION+ALL+SELECT+my_table%2C+my_table%2C+my_field%2C+<snip>+FROM+another_table+%23
>>I've got 'filter_in_url' that searches & limits the display but got hacked
>>with something like the above line. I just want a couple words but not
>>huge long malicious type stuff obviously. I will sometimes need to have
>>quotes in the filter string (%27) although now that I check this doesn't
>>currently work but I guess that's a separate issue. I'm not even sure what
>>the %2C or %23 are doing. I suppose I could truncate the filter to a
>>couple dozen characters, there probably isn't much that could be done in
>>the length that I need.
>>
>>My current approach is to str_replace 'JOIN' 'DROP' etc. This is not a
>>high security web page, really boring stuff, just some hacker got bored &
>>decided to pick on it for fun.
>>
>>Thanks
>
>
> I'd go with passing each of your parameter through:
>
> http://uk.php.net/mysql-real-escape-string
>
> It will escape all quotes properly.

But if I want to use quotes, that would remove them right? There are
cases where the user input should have quotes with my application.

[Back to original message]