Posted by x0054 on 03/23/06 01:46

Paul Furman <paul-@-edgehill.net> wrote in
news:ublUf.4124$tN3.3662@newssvr27.news.prodigy.net:

> Andy Jeffries wrote:
>
>> On Wed, 22 Mar 2006 21:52:11 +0000, Paul Furman wrote:
>>
>>
>>>How to I clean up SQL hacking such as this:
>>>/?PAGE=mycode.php&filter_in_url=%27+and+%27a%27%3D%27b%27
+UNION+ALL+SE
>>>LECT+my_table%2C+my_table%2C+my_field%2C+<snip>+FROM+another_table+%
23
>>>I've got 'filter_in_url' that searches & limits the display but got
>>>hacked with something like the above line. I just want a couple words
>>>but not huge long malicious type stuff obviously. I will sometimes
>>>need to have quotes in the filter string (%27) although now that I
>>>check this doesn't currently work but I guess that's a separate
>>>issue. I'm not even sure what the %2C or %23 are doing. I suppose I
>>>could truncate the filter to a couple dozen characters, there
>>>probably isn't much that could be done in the length that I need.
>>>
>>>My current approach is to str_replace 'JOIN' 'DROP' etc. This is not
>>>a high security web page, really boring stuff, just some hacker got
>>>bored & decided to pick on it for fun.
>>>
>>>Thanks
>>
>>
>> I'd go with passing each of your parameter through:
>>
>> http://uk.php.net/mysql-real-escape-string
>>
>> It will escape all quotes properly.
>
> But if I want to use quotes, that would remove them right? There are
> cases where the user input should have quotes with my application.
>

No, it will not remove them, it will escape them. That's why it's named
mysql-real-__escape__-string

- Bogdan

[Back to original message]