Articles :: PHP :: Use hex to protect against SQL
written by Toby Miller on August 4, 2005 August 4, 2005
I was stumbling around the php function library one day looking for some better ways to handle sql injection with php and mysql. I thought I might get lucky and find a few pointers in the function comments. Well I found the following comment:
You can avoid a whole slew of problems by converting your strings to hex (bin2hex) before passing them to mySQL
by codeslinger
The original quote can be found here http://us3.php.net/en/mysql_escape_string.
It was so obvious that it almost hurt. Why isn't this common practice? I talked to several of my peers about it and couldn't find any flaws with the theory so I wrote the following code:
source code:
1:<?php
2:
3:/**
4: * Prevent SQL Injection by converting all text values into hex before executing as SQL
5: *
6: * @param string sql value
7: * @return string cleaned up sql value
8: * @access public
9: */
10:function sql2hex($sql)
11:{
12: if ($sql == '')
13: {
14: return("''");
15: }
16: else
17: {
18: return('0x' . bin2hex($sql));
19: }
20:}
21:
22:?>
So the normal way that you're probably used to seeing sql escaped in php is probably like this:
source code:
1:<?php
2:
3:$sql = "insert into mytable (name, value) values ('testname', '" . mysql_escape_string($testval) . "')";
4:
5:?>
While this is FAR better than not using mysql_escape_string at all it's still not foolproof. There's more than one way to craft a string than mysql_escape_string was built to accomodate. The only way to completely prevent injection into these text fields is if they're not text at all. I know that there are hundreds of methods out there for dealing with this situation, but I liked this one the most because of its simplicity. The final implementation then looks like this:
source code:
1:<?php
2:
3:$sql = "insert into mytable (name, value) values ('testname', " . sql2hex($testval) . ")";
4:
5:?>
Notice that the function will either find an empty value and return a set of empty quotes or it will return a hex encoded string which is ready for SQL execution. Now the script kiddies will have to come up with another way in because sql injection has been blocked. At least that's the general idea. =)
permalink
|
Natural Living (5)
Heating & Cooling (1)
Herbal Remedies (1)
Personal (0)
Family (1)
Humor (11)
Miscellaneous (1)
Politics (5)
Technology (2)
System Administration (4)
Linux (1)
Solaris (0)
Web Development (2)
CSS (3)
Design (1)
Flash (1)
JavaScript (11)
PHP (1)
CakePHP (1)
Web Browsers (2)
Firefox (1)
Internet Exploder (0)
Netscape (1)
|
