Question

DISCLAIMER: I UNDERSTAND THE FUNCTIONS ARE ON TOP OF THE TO-DO-DEPRECATION LIST. ALL WARNINGS ARE JUST PREACHING TO THE CHOIR.

Anyway. I have found myself in the employment of a company using the mysql_* functions. That isn't bad enough, apparently, because the entire thing is without mysql_real_escape_string(). "Great". All user input is unsanitized, so naturally, being the new code monkey, my job is to incorporate it into all 4.93 GB of PHP scripts. F.M.L. "So", I thought to myself, "what if I just unset the $_REQUEST array on each page (not sure why, but they never used $_POST or $_GET once in the entire program; they literally used $_REQUEST everywhere) and then reset it with mysql_real_escape_string?". To me, that sure beats going through 1000000000 lines of code. So I sat down and wrote the function to do it. Here is where I'm at:

    <?php
    /* Let's say input is "dirty" and input2 is "boy" */

    echo "<br><pre>"; print_r($_REQUEST); echo "</pre><br>";

    // Flatten the values and the keys into comma-separated strings, then split
    // them back into indexed arrays (a value that itself contains a comma is
    // split here too, so keys and values would no longer line up).
    $tempString  = implode(',', $_REQUEST);
    $tempString2 = implode(',', array_keys($_REQUEST));
    $tempArray   = explode(',', $tempString);
    $tempArray2  = explode(',', $tempString2);
    $count       = count($_REQUEST);
    echo "<br><pre>"; print_r($tempArray); echo "</pre><br>";

    echo "<br>";
    echo "<br><pre>"; print_r($tempArray2); echo "</pre><br>";

    // Rebuild $_REQUEST key by key. Note that this stores the literal text
    // "mysql_real_escape_string(...)" around each value; it does not call
    // the function.
    unset($_REQUEST);
    $_REQUEST = array();
    for ($i = 0; $i < $count; $i++) {
        $_REQUEST[$tempArray2[$i]] = "mysql_real_escape_string(" . $tempArray[$i] . ")";
    }

    echo "<br><pre>"; print_r($_REQUEST); echo "</pre><br>";

As far as I can tell, it is working:

Array
(
    [input] => dirty
    [input2] => boy
)


Array
(
    [0] => dirty
    [1] => boy
)



Array
(
    [0] => input
    [1] => input2
)


Array
(
    [input] => mysql_real_escape_string(dirty)
    [input2] => mysql_real_escape_string(boy)
)

But frankly, it seems too easy. The immediate issues I see are:

  1. It only works for $_REQUEST[].
  2. You have to hard-code it at the top of every page, even if you set it as a global function and include it.
  3. If one thing goes wrong...
  4. mysql_* functions suck, i.e. mysql_real_escape_string.

As a side note, I can't even tell you how many times I have fought to switch everything to PDO; as you can imagine, they don't like the amount of time that would require.

SO

I suppose what I'm bringing this here to you guys for is a second pair of eyes. Do you see any immediate issues with this? Any other immediate issues that I missed? If you guys like this in any way, as I'm sure there are other people who could use something like this (if you build it, they will come), I'll go ahead and throw it on GitHub and work it into my schedule. Thanks :)

Solution

First of all, what you are currently doing makes no sense. You are literally wrapping the words mysql_real_escape_string(...) around user input, which is totally pointless. It does not protect against SQL injection, and it means that the word mysql_real_escape_string will show up all over your input.

If you were to instead call mysql_real_escape_string() on all user input, what you'd have would be an imperfect replica of magic_quotes, with all the issues that entails. In particular, it means that any code which does not pass user input directly to SQL (or which uses mysql_real_escape_string itself appropriately!) will end up displaying SQL-escaped text (e.g. \' all over the place).

There is no real alternative to actually going through your code and reworking it to appropriately escape user input. If you really do have 4.93 GB of PHP to work with, though, something else is horribly wrong -- no application should ever be that large. A codebase of that size is utterly impossible to maintain, and you would probably be best off starting over entirely (or finding a new job).

Other tips

There should be no automated insertion of mysql_real_escape_string. Period.

Simply because "resetting data with mysql_real_escape_string" is not a synonym for "protecting data from SQL injection". By any means.

What you are actually trying to do is reincarnate the long-despised, deprecated and already-removed magic quotes feature.
Try to think of the reasons it was removed.
There was one reason: serial escaping is a sure way to SQL injection.

Only one note.

mysql_* functions suck i.e. mysql_real_escape_string

This statement is not true.
This honest function is all right.
It is the programmers who use it improperly who are responsible for any faults.
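
The following is an added example, not code from the question or from either answer. It puts both answers' argument into a runnable script: the posted loop only wraps literal text around each value, a blanket escape pass over every request field reproduces magic_quotes (escaped text leaks into HTML output and gets escaped a second time by code that already escapes correctly), and the fix that actually holds is to keep user input out of the SQL text with prepared statements. Assumptions: addslashes() stands in for mysql_real_escape_string(), which needs a live MySQL link and no longer exists in PHP 7+; the database is an in-memory SQLite opened through PDO so the script runs offline; $request is a constructed stand-in for $_REQUEST.

```php
<?php
// Added example (not from the original post). Demonstrates why blanket
// escaping of request data is the wrong fix and what the right one looks like.

// Assumption: addslashes() is used as a stand-in for mysql_real_escape_string(),
// which requires an open MySQL connection and was removed in PHP 7.
function legacyEscape(string $value): string
{
    return addslashes($value);
}

// Constructed sample request: a legitimate apostrophe and an injection payload.
$request = ['name' => "O'Brien", 'search' => "' OR '1'='1"];

// 1) What the posted loop really produces: a literal string, not a function
//    call. The apostrophe inside the value is untouched.
$wrapped = 'mysql_real_escape_string(' . $request['name'] . ')';
echo 'posted loop gives: ', $wrapped, PHP_EOL;

// 2) Blanket escaping behaves like magic_quotes: every later consumer sees
//    backslashes. HTML output shows the backslash to the user, and any code
//    path that already escapes correctly now escapes a second time.
$escapedAll = array_map('legacyEscape', $request);
echo 'shown in HTML:    ', htmlspecialchars($escapedAll['name']), PHP_EOL;
echo 'escaped twice:    ', legacyEscape($escapedAll['name']), PHP_EOL;

// 3) Prepared statements: the value is bound as a parameter and never
//    spliced into the SQL text, so no escaping step is needed at all.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
foreach (["O'Brien", 'alice', 'bob'] as $name) {
    $insert->execute([':name' => $name]);
}

// Vulnerable: string concatenation. The payload turns the WHERE clause into
// name = '' OR '1'='1' and matches every row in the table.
$sql  = "SELECT name FROM users WHERE name = '" . $request['search'] . "'";
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
echo 'concatenated query matched ', count($rows), ' rows', PHP_EOL;

// Safe: the same payload is compared as a literal string and matches nothing.
$select = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$select->execute([':name' => $request['search']]);
$rows = $select->fetchAll(PDO::FETCH_COLUMN);
echo 'prepared query matched ', count($rows), ' rows', PHP_EOL;

// And a value with a legitimate apostrophe is found without any escaping.
$select->execute([':name' => $request['name']]);
echo 'prepared lookup found: ', $select->fetchColumn(), PHP_EOL;
```

Run it with the PHP CLI and the pdo_sqlite extension enabled. The concatenated query returns all three rows while the prepared one returns none for the payload and exactly one for O'Brien; the "escaped twice" line shows the doubled backslashes that a magic_quotes-style pass produces wherever the existing code already calls mysql_real_escape_string correctly.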

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow