MyBB Community Forums

Full Version: Secure SQL injection.
$insert_array = array(
	"username" => $_POST['username']
);
$db->insert_query('users', $insert_array);
How would I secure this code from SQL injection and still allow ' to be used in usernames? $_POST['username'] is directly input by the user.

Total n00b here
Regards
Wrap $_POST['username'] (and all other variables of unknown origin or that might contain special chars) in $db->escape_string():

	"lastposter" => $db->escape_string($lastpost['lastposter']),
If you are using this in an "array", then it is still secure... isn't it?
No, it's not. MyBB unfortunately does not escape for you.
(2011-01-11, 01:11 PM)frostschutz Wrote: Wrap $_POST['username'] (and all other variables of unknown origin or that might contain special chars) in $db->escape_string():

	"lastposter" => $db->escape_string($lastpost['lastposter']),
Thanks. I'll try it and report back.

(2011-01-11, 01:17 PM)Yaldaram Wrote: If you are using this in an "array", then it is still secure... isn't it?
Well, the SQL query still breaks with a ' in the username. I am inserting lots of things along with it in the query. I trimmed the code a bit:
$insert_array = array(
    "username" => $_POST['username'],   // missing comma added; raw user input
    "password" => $password,
    "salt" => $salt,
    "loginkey" => $loginkey,
    "email" => $_POST['email'],         // raw user input
    ...
);
$db->insert_query('users', $insert_array);

(2011-01-11, 01:11 PM)frostschutz Wrote: Wrap $_POST['username'] (and all other variables of unknown origin or that might contain special chars) in $db->escape_string():

	"lastposter" => $db->escape_string($lastpost['lastposter']),
Thanks. It worked. + rep
You should also use $mybb->input instead of $_POST and $_GET as that'll automatically sanitize some input for you.
Emphasis being on 'some' (not all, and hard to tell which).

For example, for any known number type, the sanitizer allows a non-number value "lastposter". That won't cause problems security-wise, but can cause SQL errors if you trust stuff like tid, pid, etc. to actually be a number. So despite $mybb->input getting sanitized partially, you still need to plaster intval() all over the place.

So in the end, you have to do your own sanitization and escaping. MyBB does not do anything for you here.
(2011-01-11, 01:06 PM)Nayar Wrote:
$insert_array = array(
	"username" => $_POST['username']
);
$db->insert_query('users', $insert_array);
How would I secure this code from SQL injection and still allow ' to be used in usernames? $_POST['username'] is directly input by the user.

Total n00b here
Regards

It's not possible, since you do not know which ' are harmful and which are not. Unless you do some kind of regular expression, which would probably need to be very, very complex in order to detect all types of injections... just forget your idea.
All ' are harmful. Even if they aren't injections, they'd still cause syntax errors. Escaping them renders either kind harmless. Well, mostly harmless. If someone isn't careful about usernames elsewhere it could turn out like this http://xkcd.com/327/ - which is probably a good reason to NOT allow it regardless of whether your own code can handle it or not.
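To put the advice from this thread side by side (escape_string() on every string from outside, intval() on every numeric column, and re-escaping a stored username whenever it is used in a later query, which is the xkcd 327 point above), here is an added, runnable example. It is not code from the original post and not MyBB's own code: FakeDb is a stand-in I wrote so the script runs without a database, its insert_query mirrors how MyBB's insert_query builds the statement (values quoted but not escaped, as the thread confirms), and the function names insertUserUnsafe, insertUserSafe and lastPosterQuery plus the sample request data are my own constructions.

```php
<?php
// Added example (not MyBB's own code). FakeDb stands in for MyBB's $db so the
// script runs without a database: insert_query builds the INSERT the way
// MyBB's does (values quoted, never escaped), and escape_string mimics what
// MyBB's wrapper does via mysqli_real_escape_string.
declare(strict_types=1);

class FakeDb
{
    /** @var string[] every SQL string the stand-in would have sent */
    public array $log = [];

    // Stand-in for mysqli_real_escape_string: backslash-escape the characters
    // MySQL treats specially inside a quoted string literal.
    public function escape_string(string $s): string
    {
        return str_replace(
            ["\\",   "'",   "\"",   "\0",  "\n",  "\r",  "\x1a"],
            ["\\\\", "\\'", "\\\"", "\\0", "\\n", "\\r", "\\Z"],
            $s
        );
    }

    // Like MyBB's insert_query: wraps every value in quotes but does NOT escape
    // it. That is why the caller has to run escape_string() first.
    public function insert_query(string $table, array $array): string
    {
        $columns = implode(',', array_keys($array));
        $values  = implode("','", array_values($array));
        $sql = "INSERT INTO {$table} ({$columns}) VALUES ('{$values}')";
        $this->log[] = $sql;
        return $sql;
    }
}

// The pattern from the first post: raw request data straight into the array.
function insertUserUnsafe(FakeDb $db, array $post): string
{
    return $db->insert_query('users', [
        "username" => $post['username'],
        "referrer" => $post['referrer'],   // expected to be a numeric uid
    ]);
}

// The hardened form from the thread: escape_string() on every string that
// came from outside, intval() on every column that must be a number.
function insertUserSafe(FakeDb $db, array $post): string
{
    return $db->insert_query('users', [
        "username" => $db->escape_string($post['username']),
        "referrer" => intval($post['referrer']),
    ]);
}

// Second-order use: a username read back from the table is plain text again
// (MySQL stores O'Brien, not O\'Brien), so it must be escaped on every use.
function lastPosterQuery(FakeDb $db, string $storedUsername): string
{
    return "SELECT pid FROM posts WHERE username='"
        . $db->escape_string($storedUsername) . "' ORDER BY dateline DESC";
}

// Constructed request data: an innocent apostrophe, an injection attempt
// in the username, and a non-number where a uid is expected.
$requests = [
    ['username' => "O'Brien",                        'referrer' => '42'],
    ['username' => "x', 'x'); DROP TABLE users;-- ", 'referrer' => '42'],
    ['username' => "alice",                          'referrer' => "42 OR 1=1"],
];

$db = new FakeDb();
foreach ($requests as $post) {
    echo "unsafe: ", insertUserUnsafe($db, $post), "\n";
    echo "safe:   ", insertUserSafe($db, $post), "\n\n";
}
// Whatever was stored comes back unescaped; the lookup re-escapes it.
echo "reuse:  ", lastPosterQuery($db, "O'Brien"), "\n";
```

Running it shows the unsafe INSERT for O'Brien ending in VALUES ('O'Brien','42'), a syntax error, and the second request closing the VALUES list early; the safe version emits O\'Brien and turns "42 OR 1=1" into 42. The last line is the part people forget: escaping only protects the one query it is applied to, so the stored name has to go through escape_string() again every time it is put into SQL.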
(2011-01-12, 10:17 PM)Pirata Nervo Wrote: It's not possible, since you do not know which ' are harmful and which are not. Unless you do some kind of regular expression, which would probably need to be very, very complex in order to detect all types of injections... just forget your idea.
Since $db->escape_string is preventing ' from affecting queries and allows ' to be saved in tables, I guess it is pretty much more secure than before.