Cleansing Strings

Callan S.
Posts: 2042
Joined: Sun Jan 24, 2010 5:43 am

Cleansing Strings

Post by Callan S. »

In terms of SQL injection, wouldn't the following code stop that issue? I know there are commands out there like strip tags and such. But with this code snippet it's just hardcore in that it only allows lower case letters, upper case letters and numbers through into a cleaned string. Nothing else. And really, do you need anything else? (If you want exclamation marks and such, you can always find a character list and mod the code.)

Obviously set $stringtoclean to whatever you want to clean. Then only use the output, which is $cleanstring.

Code:

<?php
$stringtoclean="/fdsf3434!!!thing//";

$cleanstring="";
// PHP string offsets start at 0, so the loop runs from 0 up to strlen()-1;
// starting at 1 and running to strlen() would skip the first character
// and read one position past the end of the string.
for ($loop=0;$loop<strlen($stringtoclean);$loop+=1)
    {
    $sample=substr($stringtoclean, $loop, 1);
    $sampleord=ord($sample);
    // now to test it: keep the character only if its ASCII code falls in
    // one of the three ranges below, drop everything else
    if ($sampleord>=48 && $sampleord<=57) $cleanstring.=$sample; // Numbers
    if ($sampleord>=65 && $sampleord<=90) $cleanstring.=$sample; // Capital letters
    if ($sampleord>=97 && $sampleord<=122) $cleanstring.=$sample; // Lower case letters
    }

echo $cleanstring;
?>
Fight Cycle : My latest Browser game WIP
Driftwurld : My Browser Game WIP
Philosopher Gamer : My Blog
PaxBritannia
Posts: 680
Joined: Sun Apr 18, 2010 1:54 pm

Re: Cleansing Strings

Post by PaxBritannia »

Provided you pass all your variables through it, it would definitely stop sql injections.

The question is: is it really necessary? The computing time doesn't justify it for low-security applications. A simple function could just as easily remove 99% of injections. I see the point of being secure, but I would rather pass everything through a simple function than only some variables through an intensive one. Then again, efficiency won't be such a big problem in a bbg, but nor will security.

Code:

// Escapes quotes, backslashes and NUL so the value can sit inside a quoted
// SQL string literal. Needs an open ext/mysql connection; that extension
// was removed in PHP 7.0, where mysqli_real_escape_string() is the equivalent.
function saq($string)
{
  $string = mysql_real_escape_string($string);
  return $string;
}
Whatever sanitisation method you use, it'll be handy to make it into a function. The function here is what I use, and it'll do the job well enough for most purposes.

Ita Stet
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: Cleansing Strings

Post by Jackolantern »

I have to agree. Even if you do need to write your own SQL injection functions, regular expressions are going to be much, much more efficient than manually parsing every character of the strings. And like Pax said, there are functions that will handle about 99% of most SQL injection attacks. Heck, just using the more modern and preferred "mysqli" library instead of "mysql" eliminates all SQL Statement Injection attacks since it only allows the processing of 1 statement at a time unless you use a specific function. And those are the most dangerous ones, since those include an attacker's ability to drop tables, make new users, etc. After that you are just having to worry about attackers adding things like " or 1 = '1' " to the end of password fields and the like. Still bad, but not typically catastrophic like SQL statement injections.
The indelible lord of tl;dr
Callan S.
Posts: 2042
Joined: Sun Jan 24, 2010 5:43 am

Re: Cleansing Strings

Post by Callan S. »

Aren't you putting too much weight on efficiency? Currently the only places in my game I have for user entered strings are in user name and password. That's going to happen once each per registration. I've played other browser games and in the few places they allow a user entered string, it's not something the user would do every day, let alone over and over.

Really 99% isn't good enough. You wouldn't lock your house with a lock that 1% of the time doesn't work, even if that lock took 1 second to lock instead of 4 seconds? I'll take security over efficiency, particularly when whole databases/hacked new users are at stake.
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: Cleansing Strings

Post by Jackolantern »

That is 99% accuracy using only native functions. Then Regular Expressions can plug up the other parts that you can plug up.

As far as the question of efficiency, yes it is extremely important. By giving users an opportunity to cause a string parsing action on the server, you are handing them a DOS attack opening. For security's sake, every routine that is open to the user to cause must be painstakingly optimized, especially if 99% is not good enough! ;)
Callan S.
Posts: 2042
Joined: Sun Jan 24, 2010 5:43 am

Re: Cleansing Strings

Post by Callan S. »

Yes, but offering them a game at all offers them a DOS attack anyway. The actual game code has dozens of if statements in it.

> Then Regular Expressions can plug up the other parts that you can plug up.

I'll tell you my experience - and I've said this in a data sanitation thread before. Every time I think I've got all the required functions, someone hints there's some other method (yourself included) but doesn't go into it. I don't like this continual blindside where there's always this little other angle apparently. I'd prefer to sacrifice a small amount of efficiency for that.

Anyway, for anyone who wants to use something like it, there it is.
PaxBritannia
Posts: 680
Joined: Sun Apr 18, 2010 1:54 pm

Re: Cleansing Strings

Post by PaxBritannia »

> efficiency won't be such a big problem in a bbg, but nor will security.

Then again, I always sanitise cookies. :lol:

For security, sanitise all user input and cookies. You don't need to sanitise results from the DB.
Use a DB account with limited privileges. Close all DB sessions after all queries are performed.
Use mysqli when querying.
Only query the columns you need and not * (all). (More for scalability)
Don't use sessions, but cookies. (More for scalability) (I should really write an article about scalability)

pax.
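An added example, not code from anyone in this thread, showing the two approaches it converges on: Callan's alphanumeric whitelist written as a single regex, and the mysqli recommendation from Jackolantern and Pax done with a prepared statement, beside the string-splicing form it replaces. It assumes a `users(name, pass_hash)` table, a connection on a limited-privilege account, and mysqlnd for `get_result()`; the connection parameters are placeholders.

```php
<?php
// Whitelist equivalent to Callan's character loop: everything that is not
// A-Z, a-z or 0-9 is removed in one pass.
function clean_alnum(string $input): string
{
    return preg_replace('/[^A-Za-z0-9]/', '', $input);
}

// Vulnerable form: the user-supplied name is spliced into the SQL text, so
// a quote inside it changes the meaning of the statement. Filtering or
// escaping is the only thing standing between the input and the parser.
function find_user_unsafe(mysqli $db, string $name): ?array
{
    $sql = "SELECT name, pass_hash FROM users WHERE name = '$name'";
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// Hardened form: the SQL text and the value travel separately, so the value
// is never parsed as SQL. The whitelist above then only enforces what a
// valid user name looks like; it is no longer what keeps the query safe.
function find_user_safe(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT name, pass_hash FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// The password never reaches the query at all: it is checked against the
// stored hash in PHP, so " or 1 = '1' " in the password field has nothing
// to inject into.
function login(mysqli $db, string $name, string $password): bool
{
    $row = find_user_safe($db, $name);
    return $row !== null && password_verify($password, $row['pass_hash']);
}

// Usage with constructed input; host, account and database are placeholders.
$db = new mysqli('localhost', 'game_limited', 'PLACEHOLDER_PASSWORD', 'game');
$name = clean_alnum("callan' OR '1'='1");   // becomes "callanOR11"
var_dump(login($db, $name, 'not-the-real-password'));
```

Because the prepared statement binds the value rather than interpolating it, `find_user_safe` stays safe even when called with the unfiltered name; `clean_alnum` is still worth keeping as the registration rule for what a user name may contain.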