
I'm requesting help regarding the best method/function to parse a string AFTER it has already been built with the parameters. I have many, many lines of MySQL already in place; the prepared statement methods to avoid SQL injection are out of the question, because I don't have the time. Is there any function to parse escape characters on a string, right before I call:

    // $sql_query_string_CLEAN = THE PLACE FOR THE PARSING FUNCTION($sql_query_string);
    mysql_query($sql_query_string_CLEAN, $connection);
Edward N

1 Answer


By definition this is not possible. To illustrate:

You have a query like so:

SELECT * FROM foo WHERE bar = "$baz"

After injection, it becomes:

SELECT * FROM foo WHERE bar = "42" OR "" = ""

Well... it's a valid SQL statement! You cannot retroactively figure out what you meant. You need to ensure your intended meaning is preserved while creating the query. Escaping or, better, parameterising is the only way to do so.

You can certainly try to bend over backwards and come up with whatever heuristics and artificial intelligence you want, but you will never be able to pull this off 100% correctly. It just devolves into a cat and mouse game of who can come up with the cleverer workaround.

"" = "" is too obvious? Well, let's try "a" = "a". Too obvious? SUBSTR(bar, 1, 0) = ""... Have fun, but never do this in production.

deceze
  • Was just writing my own answer, but this tells the whole story: by building the SQL string one loses information about what part belongs to the logic and what part belongs to the variables. – martinstoeckli Aug 28 '15 at 10:51
  • Thanks a million guys. I was hoping to make a semi-fix to this program. The code is a mess and it's not mine. I was called to make it safe. But now, I'm certain that I need about 2 weeks to do it... From the ground up it is VERY easy to make good code. THANKS a LOT! – J.Doe Maximus Aug 28 '15 at 11:15
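The answer's argument carried into runnable form, as an added example that is not part of the original thread: Python's sqlite3 stands in for PHP/MySQL (with single quotes instead of the answer's double quotes, since SQLite reads double quotes as identifiers), using a constructed table `foo` to set the interpolated query beside its parameterised replacement. The function and table names are assumptions for the demo, not from the question's code.

```python
import sqlite3

# Constructed in-memory table standing in for the `foo` table in the answer.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, bar TEXT)")
    conn.executemany("INSERT INTO foo (bar) VALUES (?)",
                     [("42",), ("secret-1",), ("secret-2",)])
    return conn

def build_query_unsafe(baz):
    # The pattern from the question: the value is spliced into the SQL text,
    # so the boundary between logic and data exists only in the caller's head.
    return f"SELECT bar FROM foo WHERE bar = '{baz}' ORDER BY id"

def lookup_unsafe(conn, baz):
    return [row[0] for row in conn.execute(build_query_unsafe(baz))]

def lookup_safe(conn, baz):
    # Parameterised: the driver passes the value separately, so whatever it
    # contains is compared as data and never parsed as SQL.
    sql = "SELECT bar FROM foo WHERE bar = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (baz,))]

def same_text_different_intent():
    # The answer's core point: an injected value and a query a developer
    # genuinely meant to write produce byte-identical SQL, so no function
    # that inspects the finished string can tell them apart.
    injected = build_query_unsafe("42' OR '' = '")
    intended = "SELECT bar FROM foo WHERE bar = '42' OR '' = '' ORDER BY id"
    return injected == intended

if __name__ == "__main__":
    conn = make_db()
    print(lookup_unsafe(conn, "42' OR '' = '"))  # every row comes back
    print(lookup_safe(conn, "42' OR '' = '"))    # [] - no row has that literal
    print(same_text_different_intent())          # True
```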