I'm trying to validate input from PHP and possibly detect what type of attack has been attempted (if any).

...

    $data = array($_POST, $_GET, $_COOKIE);

    foreach($data as $entryPoint){
        foreach($SQLi as $vector){
            if($entryPoint==$vector){
                echo 'SQLi detected';
            }
        }
    }
...

And so I have in my $SQLi array the following:

    $SQLi = array(
        'UNION ALL','SELECT','DISTINCT','AUTO INCREMENT','VERSION()',
        'GROUP','CONCAT','@@VERSION','FLOOR','information_schema',
        'COUNT','INSERT INTO','DROP','ORDER BY','UPDATE'
    );

I want to check if any of the elements in that array are present as values of either the $_POST, $_GET or $_COOKIE request. What am I doing wrong?

Sacred

  • These types of "attacks" will happen unintentionally, so logging or detecting them will just result in a log file containing single quotes, special characters, etc. Just make sure the code can handle any type of attack, [SQL](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1) or [XSS](http://stackoverflow.com/questions/1996122/how-to-prevent-xss-with-html-php), or others (there are other types). And this idea of checking different arrays doesn't make sense either. – Dave Chen Jul 14 '14 at 00:48
  • You're doing everything wrong. This whole idea makes no sense. – zerkms Jul 14 '14 at 00:48
  • You want to find the SQLi keywords *IN* the data, not equal to the data. – Sablefoste Jul 14 '14 at 00:48
  • In case you're wondering, you can use `strstr()` to find a string inside another. But really though, this doesn't make much sense... `$entryPoint` will contain arrays (not strings). – Max Jul 14 '14 at 00:51
  • Agreed with the first two comments. Not only is this the wrong implementation of what you are trying to do, what you're trying to do is the completely wrong approach to making a secure PHP application/script. Read up on web security, especially with user-submitted data, and take your time learning this topic and how to prevent attacks. – samrap Jul 14 '14 at 00:51
  • That's part of a WAF. I've already sanitized all the input, so now I need to detect what has been attempted and report back the results to a 3rd party page. – Sacred Jul 14 '14 at 00:54
  • @user3794668: "I've already sanitized all the input" --- it makes no sense either. – zerkms Jul 14 '14 at 00:55
  • Ok, whatever my purpose, that's not the actual topic after all. – Sacred Jul 14 '14 at 00:56
  • Well, the Stack Overflow community usually prevents users from doing *stupid* things. In this case you've been told multiple times but are still confident we're wrong. Good luck then! ;-D – zerkms Jul 14 '14 at 00:57
  • @zerkms Seeing how the community gives answers to wrong questions, I'd say they don't care about preventing stupid things. – Yang Jul 14 '14 at 00:59
  • @djay: a lot of people here do care. Including me :-) That's why a lot of people here think I'm a douche bag :-D – zerkms Jul 14 '14 at 00:59
  • How should I identify the attack otherwise? This is purely for my own reference and log information. – Sacred Jul 14 '14 at 01:00
  • @user3794668: why do you need to identify "the attack" if your app is bullet-proof against it? – zerkms Jul 14 '14 at 01:02
  • You should not. This has been done a million times before by other developers. You can check how this is done in frameworks. – Yang Jul 14 '14 at 01:02
  • Let's say to inform the admin of what has been attempted against his web application, restrict the IP, log information about the vector and the request itself, etc. – Sacred Jul 14 '14 at 01:03
  • This needs to be done in an OOP way anyway. You need a validation layer for that. – Yang Jul 14 '14 at 01:04
  • @user3794668: "restrict the IP" --- so if you click a random link on the internet (possibly a short-linked one) you will end up being banned? Anyway, I'm surprised that a confident developer who knows how to develop secure applications cannot implement a 3-line script: 1. loop 2. `stripos` 3. your action – zerkms Jul 14 '14 at 01:04
  • Why not use @zerkms's suggestion; compare the before string to the after string (of `stripos`). If they are different, then there was an attack attempt (at least, you can consider it that way in your records). – Sablefoste Jul 14 '14 at 01:09

1 Answer

It should be like this:

    <?php
    // The three request sources to scan.
    $data = array($_POST, $_GET, $_COOKIE);

    $SQLi = array(
        'UNION ALL','SELECT','DISTINCT','AUTO INCREMENT','VERSION()',
        'GROUP','CONCAT','@@VERSION','FLOOR','information_schema',
        'COUNT','INSERT INTO','DROP','ORDER BY','UPDATE'
    );

    // $entryPoint is itself an array ($_POST etc.), so a third loop is needed
    // to reach the individual values before comparing them with the keywords.
    foreach($data as $entryPoint){
        foreach($entryPoint as $value){
            foreach($SQLi as $attack){
                if($attack==$value){
                    echo "SQLi detected";
                }
            }
        }
    }

EDIT: Looks like strpos can break your code, since it will even detect an 'L' as an SQLi.

g.carvalho97
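The answer above only fires on an exact match, which an injection payload such as `1' UNION ALL SELECT NULL--` never is, while a plain `stripos` (as the comments note) fires on any substring. The following is an added example, not code from the question or the answer: it walks the request data recursively (values in `$_GET`/`$_POST` can themselves be arrays, e.g. `?tags[]=x`), matches the same keyword list case-insensitively but only as whole words, and returns structured findings for logging instead of echoing into the response. The request data and the `scanForSqli`/`buildSqliPattern` helpers are constructed for this illustration; it assumes PHP 7.4 or later.

```php
<?php
// Added example (not from the question or answer above).
// Whole-word, case-insensitive keyword scan over nested request data.
declare(strict_types=1);

// Same keyword list as the question, written as regex fragments so that
// multi-word entries also match with extra whitespace ("UNION   ALL").
const SQLI_SIGNATURES = [
    'UNION\s+ALL', 'SELECT', 'DISTINCT', 'AUTO_INCREMENT', 'VERSION\(\)',
    'GROUP', 'CONCAT', '@@VERSION', 'FLOOR', 'information_schema',
    'COUNT', 'INSERT\s+INTO', 'DROP', 'ORDER\s+BY', 'UPDATE',
];

// Build one alternation. (?<!\w) / (?!\w) instead of \b so that signatures
// beginning or ending with a non-word character (@@VERSION, VERSION()) still
// get a boundary, while "select" inside "deselected" does not match.
function buildSqliPattern(array $signatures): string
{
    $alts = array_map(fn(string $s): string => '(?<!\w)' . $s . '(?!\w)', $signatures);
    return '/(' . implode('|', $alts) . ')/i';
}

// Recurse into nested arrays; leaf values are scanned as strings.
function walk($node, string $source, string $path, string $pattern, array &$findings): void
{
    if (is_array($node)) {
        foreach ($node as $key => $child) {
            $childPath = $path === '' ? (string) $key : $path . '.' . $key;
            walk($child, $source, $childPath, $pattern, $findings);
        }
        return;
    }
    $value = (string) $node;
    if (preg_match($pattern, $value, $m) === 1) {
        $findings[] = [
            'source'  => $source,                 // get / post / cookie
            'key'     => $path,                   // dotted path into the array
            'keyword' => strtoupper(preg_replace('/\s+/', ' ', $m[1])),
            'value'   => substr($value, 0, 80),   // keep log lines short
        ];
    }
}

// Returns a list of findings; empty list means nothing matched.
function scanForSqli(array $sources, string $pattern): array
{
    $findings = [];
    foreach ($sources as $sourceName => $data) {
        walk($data, $sourceName, '', $pattern, $findings);
    }
    return $findings;
}

// Constructed sample request standing in for the real superglobals; in
// production pass ['get' => $_GET, 'post' => $_POST, 'cookie' => $_COOKIE].
$sample = [
    'get'    => ['id' => "1' UNION ALL SELECT NULL,@@version--", 'page' => 'products'],
    'post'   => ['tags' => ['normal', 'deselected', 'drop it'], 'name' => 'Alice'],
    'cookie' => ['session' => 'abc123'],
];

$pattern = buildSqliPattern(SQLI_SIGNATURES);
foreach (scanForSqli($sample, $pattern) as $f) {
    // Log, do not echo: the HTTP response should not change based on detection.
    error_log(sprintf('SQLi signature %s in %s[%s]: %s',
        $f['keyword'], $f['source'], $f['key'], $f['value']));
}
```

On the sample above this reports `UNION ALL` in `get[id]` and `DROP` in `post[tags.2]`, while `deselected` and `products` stay quiet. The second hit is ordinary English, which is exactly the false-positive problem the comments raise: a keyword list like this is useful as a logging signal, not as a reason to block a request or ban an IP, and it does nothing to make the queries themselves safe.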