PHP: SQL Auto Escape
Discussion on PHP: SQL Auto Escape within the Web Development forum part of the Coders Den category.
02/01/2013, 13:14
#1
PHP: SQL Auto Escape
Hi everyone,
I have been asked a few times now: does the MySQLi or the PDO function actually escape the values? And especially the people who still use the older versions have problems with SQLi more often, and it is annoying to always escape all the values. So I wrote a script that provides a remedy. It pulls all the parameters out of the queries and checks them, independently of the SQL server they run on.
Tested with all standard queries. How it behaves with larger, more extensive ones I unfortunately don't know yet.
The script:
PHP Code:
<?php
/*
 * This class provides easy securing of any given SQL query.
 * It supports the common format, including custom INSERTS.
 *
 * Usage:
 * Since the class is static there is no need to create an instance
 * of it. You can simply secure your query with:
 *
 *     Query::Secure($query, $html);
 *
 * If you want HTML tags to be stripped as well (e.g. because they are not needed)
 * simply set the second parameter to true. The class will handle the rest. This means
 * no more escaping of your variables.
 */
class Query
{
    /*
     * This pattern describes the characters which are allowed to be in the values.
     * Please do not change it unless you know what you are doing.
     * Note: the '-' is escaped. An unescaped ".-~" would be a character range covering
     * almost all printable ASCII, including ';' and the quotes.
     */
    private static $valuePattern = '[a-zA-Z0-9`´\'.\-~#!?+=\(\)",]+';
    private static $replaceHTML  = FALSE;

    /*
     * This is the main function of the class used to auto-secure any query given.
     * If the second parameter is true, it removes HTML characters as well.
     *
     * @param string $qry  The SQL query
     * @param bool   $html Extended escaping of HTML characters
     *
     * @return string The escaped SQL query
     */
    public static function Secure( $qry, $html = FALSE )
    {
        // Work on a copy so the caller's query is left untouched
        $query = $qry;
        // Set the static variable
        self::$replaceHTML = $html;
        $lower = strtolower($qry);
        // Check whether the INSERT INTO and VALUES keywords can be found. MySQL also offers SET
        // for INSERTs, so both forms are supported and need to be strictly separated to avoid errors
        if (strpos($lower, 'insert into') !== FALSE && strpos($lower, 'values') !== FALSE) {
            // INSERT INTO ... VALUES (...)
            // The /i flag matches the case-insensitive keyword check above
            preg_match_all('/VALUES\s*\(('.self::$valuePattern.')\)/i', $query, $matches);
            // Split the value list; trim so that the space after a comma does not end up inside the quotes.
            // If nothing matched there are no values to escape.
            $params = isset($matches[1][0]) ? array_map('trim', explode(',', $matches[1][0])) : array();
            $query = self::ParseParams($query, $params);
        } else {
            // INSERT INTO ... SET, UPDATE, DELETE, SELECT ...: take the right-hand side of every "x = y"
            preg_match_all('/('.self::$valuePattern.')\s*=\s*('.self::$valuePattern.')/', $query, $matches);
            $query = self::ParseParams($query, $matches[2]);
        }
        return $query;
    }

    /*
     * This function is responsible for parsing and replacing the parameters
     * given in the query. It uses ParseParam() for each parameter and loops
     * through the rest.
     *
     * @param string $query  The SQL query
     * @param array  $params The parameter values
     *
     * @return string The original query with the parsed parameters put back in
     */
    private static function ParseParams( $query, $params )
    {
        // Replace every parameter with a numbered placeholder so it can be found again later
        $counter = 0;
        foreach ($params as $param => $value) {
            $query = str_replace($value, "[$counter]", $query);
            $counter++;
        }
        // If there is any parameter we can escape.
        // Note: count() is used instead of empty($params[0]), because empty("0") is TRUE in PHP,
        // which would have skipped the escaping whenever the first value was 0.
        if (count($params) > 0) {
            // Loop through all of the parameter values and escape each one
            foreach ($params as $param => $value) {
                // Parse it and put it back into the array
                $params[$param] = self::ParseParam($value);
            }
        }
        // After all the quoting and replacing, use the placeholders to get back to the original query
        $counter = 0;
        foreach ($params as $param => $value) {
            $query = str_replace("[$counter]", $value, $query);
            $counter++;
        }
        return $query;
    }

    /*
     * Parses a given value for SQL validity. Either way it returns a string; there will be no empty result.
     * It uses SQL standard syntax for quotation and removes characters that are not needed.
     *
     * @param string $param The value which should be checked
     *
     * @return string The escaped value
     */
    private static function ParseParam( $param )
    {
        // Check if a quoted string was given in the query
        $count = substr_count($param, '\'');
        // Remove all the characters which are not allowed
        $param = str_replace(array('/', '\\', '\'', '"', '`', '´'), '', $param);
        // If it was a string, add the single quotes back
        if ($count != 0) {
            $param = "'$param'";
        }
        if (self::$replaceHTML) {
            // Strip the tags first, then encode what is left once. Calling htmlspecialchars() and
            // htmlentities() one after the other encoded '&' twice (e.g. '&amp;amp;'), and
            // strip_tags() afterwards had nothing left to strip. ENT_COMPAT leaves the single
            // quotes added above alone.
            $param = strip_tags($param);
            $param = htmlentities($param, ENT_COMPAT, 'UTF-8');
        }
        return $param;
    }
}
?>
Usage:
PHP Code:
<?php
include 'query.secure.class.php';
// Sample values, e.g. taken from user input
$id   = 5;
$name = 'Bob';
// String values have to be written in quotes: the class only treats a value as a
// string (and puts the quotes back after cleaning it) when it already carries them
$query = "SELECT * FROM test WHERE id=$id AND name = '$name'";
$query = Query::Secure($query);
// further processing
?>
Optionally you can also pass TRUE as the second parameter. All characters are then also checked for HTML tags, and those are removed as well.
Bugs, suggestions for improvement or feedback are welcome!
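Added example, not from the original post: the lookup from the usage snippet redone with a PDO prepared statement, which is what the opening question about MySQLi and PDO comes down to. A server-side prepared statement sends the SQL text and the values separately, so a quote in $name is data rather than syntax and no escaping step is needed. It assumes the pdo_sqlite extension and uses a constructed in-memory table named test.

```php
<?php
// Added example, not part of the original post. In-memory SQLite keeps it
// self-contained; for MySQL change the DSN and also pass
// PDO::ATTR_EMULATE_PREPARES => false, so the server, not the driver,
// separates the query text from the bound values.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Constructed sample data.
$pdo->exec('CREATE TABLE test (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO test (id, name) VALUES (:id, :name)');
foreach ([[1, 'alice'], [2, "o'brien"]] as [$id, $name]) {
    $ins->execute([':id' => $id, ':name' => $name]);
}

/**
 * The lookup from the usage snippet. The SQL string is a constant; $id and
 * $name never become part of it, so nothing in them needs escaping.
 * Returns the matching row or null.
 */
function findUser(PDO $pdo, int $id, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM test WHERE id = :id AND name = :name');
    $stmt->bindValue(':id',   $id,   PDO::PARAM_INT);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// A name containing a quote is compared literally and found.
var_dump(findUser($pdo, 2, "o'brien"));

// A stray quote that would have ended the string literal in a concatenated
// query is compared literally too, and simply matches no row.
var_dump(findUser($pdo, 1, "alice'"));
```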