[Ask] PHP SQL INJECTION (Hex)

07/06/2015 03:15 banktakung#1
PHP Code:
$username = bin2hex($_POST['username']);
$pass1    = bin2hex($_POST['pass1']);
$pass2    = bin2hex($_POST['pass2']);
$dpass1   = bin2hex($_POST['dpass1']);
$dpass2   = bin2hex($_POST['dpass2']);
$email    = bin2hex($_POST['email']);
$gander   = bin2hex($_POST['gander']);
$pincode  = bin2hex($_POST['pincode']);

// TEST HEX QUERY
// hex() turns the hex string back into the original bytes before they are
// concatenated into the SQL text.
$hex_sql = mssql_query("SELECT * FROM ACCOUNT_TBL WHERE account = '" . hex($username) . "'");
$hex     = mssql_fetch_array($hex_sql);
echo $hex['account'];

// Decodes a hex string to raw bytes (the same thing hex2bin() does).
// Uses [] string offsets; the {} offset syntax was removed in PHP 8.
function hex($h)
{
    if (!is_string($h)) return null;
    $r = '';
    for ($a = 0; $a < strlen($h); $a += 2) {
        $r .= chr(hexdec($h[$a] . $h[$a + 1]));
    }
    return $r;
}


Is it safe??? Or should I use PDO? :handsdown::handsdown:
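To see what the bin2hex()/hex() pair in the post actually contributes, the added example below (not code from the original post) builds the same query string without a database and compares it with plain concatenation. hex_decode() is the post's hex() helper rewritten with [] string offsets; PHP's built-in hex2bin() does the same job, and the assertion checks that. The inputs are constructed for the example.

```php
<?php
// Added example, not code from the original post. Builds the query string the
// post builds, with no database involved, to show what the hex round trip does.

// The post's hex() helper with [] string offsets: a hand-rolled hex2bin().
function hex_decode(string $h): string
{
    $r = '';
    for ($a = 0; $a < strlen($h); $a += 2) {
        $r .= chr(hexdec($h[$a] . $h[$a + 1]));
    }
    return $r;
}

// Mirrors the post: hex-encode the POST value, then decode it back while
// concatenating it into the SQL text.
function build_account_query(string $username): string
{
    $encoded = bin2hex($username);
    return "SELECT * FROM ACCOUNT_TBL WHERE account = '" . hex_decode($encoded) . "'";
}

// The same query built by plain concatenation of the raw value, for comparison.
function build_naive_query(string $username): string
{
    return "SELECT * FROM ACCOUNT_TBL WHERE account = '" . $username . "'";
}

// Constructed inputs: an ordinary account name and a quote-breaking payload.
foreach (["alice", "' OR 1=1 --"] as $input) {
    $viaHex = build_account_query($input);

    // Encoding then decoding is a no-op: the two query strings are
    // byte-for-byte identical, so the hex step neither removes nor
    // neutralises the quote in the payload.
    assert($viaHex === build_naive_query($input));
    assert(hex_decode(bin2hex($input)) === hex2bin(bin2hex($input)));

    echo $viaHex, PHP_EOL;
}
```

Run it and the second line printed is the same broken-out query you would get from concatenating `$_POST['username']` directly; the hex encoding only changes what the variable holds between the two function calls, not what reaches the server.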
07/06/2015 03:47 Synatex#2
Always use an abstraction layer. It does not matter if it's PDO or any other; just try to remove those old mssql_* and mysql_* functions, they'll be deprecated soon.
07/06/2015 04:28 banktakung#3
Quote:
Originally Posted by Synatex View Post
Always use an abstraction layer. It does not matter if it's PDO or any other; just try to remove those old mssql_* and mysql_* functions, they'll be deprecated soon.
What should I use to protect against SQL injection?
07/06/2015 11:11 tschulian#4
Something like that:

- preg_replace

07/06/2015 18:14 Synatex#5
Quote:
Originally Posted by banktakung View Post
what should i use for protect sql injection ?
In normal cases (if you're talking about SQL injection only) all those new abstraction layers offer variable escaping. As an example: in a normal prepared query using PDO, all the variables you bind are escaped.

If you're using MySQLi there is a function called real_escape_string().
07/09/2015 21:18 xEncounter#6
Quote:
Originally Posted by Synatex View Post
In normal cases (if you're talking about SQL injection only) all those new abstraction layers offer variable escaping. As an example: in a normal prepared query using PDO, all the variables you bind are escaped.

If you're using MySQLi there is a function called real_escape_string().
The function real_escape_string() is also available in mysql...

The only real way to prevent SQL injection is the use of prepared statements.

In PDO it's something like:

PHP Code:
$pdo = new PDO("mysql:host=;dbname=", "root", "toor");

$id = (int) $_GET['id']; // the id to look up (assumed source; not in the original snippet)
$query = $pdo->prepare("SELECT * FROM user WHERE id = ?");
$query->bindParam(1, $id, PDO::PARAM_INT);
$query->execute();
07/10/2015 00:42 Synatex#7
Quote:
Originally Posted by xEncounter View Post
The function real_escape_string() is also available in mysql...

The only real way to prevent SQL injection is the use of prepared statements.

In PDO it's something like:

PHP Code:
$pdo = new PDO("mysql:host=;dbname=", "root", "toor");

$id = (int) $_GET['id']; // the id to look up (assumed source; not in the original snippet)
$query = $pdo->prepare("SELECT * FROM user WHERE id = ?");
$query->bindParam(1, $id, PDO::PARAM_INT);
$query->execute();
First of all: the case you have linked will not be usable in something like 99% of real running systems. However, you're right that mysql has the same function, but as I stated above, mysql_* is deprecated soon and its usage should not be taught to new users.

However, if you're taking this really rare case as an example for not using real_escape_string(), then you should note that your statement is not true either.

In the same Stack Overflow post in which it says that real_escape_string() can be bypassed, it is also stated that prepared statements can be bypassed; saying that PDO is more secure is not really true, since you still have to configure it correctly. And if we get into configuration, you could say that any system which is configured correctly cannot be attacked, or only in really few cases.

To sum it up: change the charset and be sure to use UTF-8, and all this hex shit won't even happen.
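The two replies above (prepared statements in #6, and "configure it correctly" plus the charset point in #7) fit together in one connection setup. The added example below is not code from any post in the thread: it rewrites the ACCOUNT_TBL lookup from the first post as a PDO prepared statement, fixes the charset in the DSN rather than with SET NAMES after connecting, and switches prepare emulation off so the bound value travels to the server separately from the SQL text instead of being quoted into it on the client. Host, database, credentials and the use of the MySQL driver are assumptions for the example; the original poster's SQL Server setup would use the sqlsrv or dblib DSN instead.

```php
<?php
// Added example (not code from any post in this thread). The ACCOUNT_TBL lookup
// from the first post as a PDO prepared statement with the connection
// configured as the replies recommend.

function connect(): PDO
{
    // Assumed connection details. Declaring the charset in the DSN keeps the
    // driver's idea of the charset in sync with the server's; SET NAMES after
    // connecting does not.
    $dsn = 'mysql:host=127.0.0.1;dbname=game;charset=utf8mb4';

    return new PDO($dsn, 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares, no client-side quoting
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function find_account(PDO $pdo, string $username): ?array
{
    // The SQL text is constant; ':account' is a placeholder the server fills
    // in. No bin2hex(), no escaping, no manual quoting of the user value.
    $stmt = $pdo->prepare('SELECT account, email FROM ACCOUNT_TBL WHERE account = :account');
    $stmt->bindValue(':account', $username, PDO::PARAM_STR);
    $stmt->execute();

    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

$pdo = connect();

// The quote-breaking payload is now just an odd account name: the server looks
// for a row whose account column equals the whole string and finds none.
var_dump(find_account($pdo, "' OR 1=1 --"));

// Normal use with the form field from the first post.
var_dump(find_account($pdo, (string) ($_POST['username'] ?? '')));
```

With emulation left on, PDO assembles the final query string itself by quoting the bound values, which is the escaping path the "configure it correctly" remark refers to; with it off and the charset declared in the DSN, neither a charset guess nor any escaping takes part in building the query. The same applies to MySQLi prepared statements with bind_param().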
07/10/2015 01:53 manulaiko3.0#8
I use htmlentities; apart from avoiding SQL injection, it also avoids XSS injection. This is my function:

Code:
/**
 * XSS and SQL Injection Fix
 *
 * Receives a string as parameter and parses it to HTML to avoid XSS
 * injection; can be used to avoid SQL injection too.
 *
 * @param string $text text to parse
 *
 * @return string sanitized text
 */
public static function sanitize ($text)
{
    $table = get_html_translation_table ( HTML_ENTITIES , ENT_QUOTES );
    $textArray = str_split ($text);
    $result = array ();

    //Loop text to find HTML entities
    foreach($textArray as $key => $value) {
        if(isset ($table[$value])) {
            //Get HTML value
            $value = $table[$value];
        }
        //Add it to array
        $result[] = $value;
    }

    //parse new lines to HTML and build string
    $str = nl2br ( implode( "" , $result));
    $ret = str_replace ( "\r\n" , "" , $str);

    return $ret;
}
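To see what the entity encoding above does and does not change, the added example below (not part of manulaiko3.0's post) runs a few constructed inputs through the posted sanitize() function, copied here as a plain function so the block runs on its own, and splices the result into the two SQL contexts such a value usually ends up in.

```php
<?php
// Added example, not part of the post above. Feeds constructed inputs through
// the posted sanitize() and shows the query strings they would be spliced into.

// The posted function as a stand-alone function (same translation table, same
// per-character lookup, same nl2br()/str_replace() tail).
function sanitize(string $text): string
{
    $table  = get_html_translation_table(HTML_ENTITIES, ENT_QUOTES);
    $result = [];
    foreach (str_split($text) as $byte) {
        $result[] = $table[$byte] ?? $byte;
    }
    return str_replace("\r\n", '', nl2br(implode('', $result)));
}

// Returns the sanitized value and the two query strings it would be placed in.
function build_queries(string $raw): array
{
    $clean = sanitize($raw);
    return [
        'sanitized' => $clean,
        'quoted'    => "SELECT * FROM user WHERE name = '" . $clean . "'",
        'unquoted'  => "SELECT * FROM user WHERE id = " . $clean,
    ];
}

// Constructed inputs.
$samples = [
    "' OR 1=1 --",  // quote-breaking payload aimed at a quoted string column
    "1 OR 1=1",     // payload aimed at an unquoted numeric comparison
    "O'Brien",      // legitimate data that happens to contain an apostrophe
];

foreach ($samples as $raw) {
    foreach (build_queries($raw) as $label => $value) {
        printf("%-10s %s\n", $label . ':', $value);
    }
    echo PHP_EOL;
}
```

The output shows the three cases side by side: the apostrophe in the first payload becomes `&#039;`, so the quoted query stays one string literal and cannot be broken out of; the second payload contains nothing the translation table touches, so the unquoted query is exactly the injected one; and the legitimate name is stored as `O&#039;Brien`, which is the cost of encoding for HTML output at input time rather than at output time.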