How to bypass this function?

indochien
Newbie
Posts: 2
Joined: 28 Apr 2009, 16:00

Post by indochien »

Code:

<?php
// anti_injection.php

function anti_injection($sql)
{
    // remove words like: /(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/
    // sql_regcase() was removed in PHP 7; the /i modifier gives the same case-insensitive match
    $sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i", "", $sql);
    $sql = trim($sql);        // strip leading and trailing whitespace
    $sql = strip_tags($sql);  // remove HTML and PHP tags
    $sql = addslashes($sql);  // add backslashes before quotes and backslashes in the string
    return $sql;
}

// $word comes from the query string (anti_injection.php?word=...); the original
// relied on register_globals to fill it, so it is read from $_GET explicitly here
$word = isset($_GET['word']) ? $_GET['word'] : '';

echo anti_injection($word);
?>

Hello guys, this is a simple piece of code to block SQL strings in the URL.
I want to test if this function is really secure; I tried many ways to bypass it, without success.

Example: anti_injection.php?word=union all select 0 from test

The anti_injection function returns NULL for $word.
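To show what the filter actually does to the URL value from the post, and the approach that removes the need for such a filter, here is an added example (not code from the original post); it assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database.

```php
<?php
// Added example, not part of the original post. Compares what the blacklist
// filter leaves of the thread's sample value with a PDO prepared statement,
// which binds the value as data and needs no string scrubbing at all.
// Assumes PHP with the pdo_sqlite extension; the database is in-memory.

// Copied from the post; sql_regcase() no longer exists, so the /i modifier
// supplies the case-insensitive match instead.
function anti_injection($sql)
{
    $sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i", "", $sql);
    $sql = trim($sql);
    $sql = strip_tags($sql);
    $sql = addslashes($sql);
    return $sql;
}

// Constructed sample: the value from the URL in the post.
$word = 'union all select 0 from test';

// The blacklist only deletes the listed words; the rest of the string,
// and any SQL keyword not on the list, passes through unchanged.
echo "filtered: ", anti_injection($word), "\n";

// Prepared statement: the SQL text is fixed, the value is sent separately.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE test (id INTEGER PRIMARY KEY, word TEXT)');

$insert = $pdo->prepare('INSERT INTO test (word) VALUES (:w)');
$insert->execute(array(':w' => $word));       // stored verbatim, keywords and all
$insert->execute(array(':w' => "O'Reilly"));  // quotes need no addslashes()

// Searching for the raw value finds exactly the row stored with it;
// a bound parameter can never change the structure of the query.
$select = $pdo->prepare('SELECT id, word FROM test WHERE word = :w');
$select->execute(array(':w' => $word));
foreach ($select->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo "row {$row['id']}: {$row['word']}\n";
}
```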

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

I don't see how $word has anything to do with this (maybe some left-out code?), but I would say this is a well-written little piece of code : )

It takes care of all the important characters and words in an SQL query; this effectively protects against injection. So if there is a way to bypass it, I can't see it ^^
"The best place to hide a tree, is in a forest"

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

Yeup, I also see no way... URL encoding also doesn't work because the triggering strings would still be there.

indochien
Newbie
Posts: 2
Joined: 28 Apr 2009, 16:00

Post by indochien »

bad_brain wrote: Yeup, I also see no way... URL encoding also doesn't work because the triggering strings would still be there.

Yeah man, I also tried URL encoding without success.

Gogeta70
^_^
Posts: 3275
Joined: 25 Jun 2005, 16:00

Post by Gogeta70 »

The only thing I see possibly getting through would be a triple slash (\\\), which would equal a backslash as an escape character (e.g. \" or \n, etc.).

I may be wrong though; my regex is kinda rusty.
¯\_(ツ)_/¯ It works on my machine...
