
I am modifying an open source tool. I cannot find all the functions in the scripts, so I planned to include my own script in all pages via .htaccess. I want to clean POST data against SQL injection, so I added this code to my own script:

<?php
// Strip a blacklist of characters from every incoming value.
// 'bad chars for injections' is the asker's placeholder for that list.
foreach ($_POST as $key => $value) {
    $_POST[$key] = str_replace('bad chars for injections', '', $value);
}

foreach ($_GET as $key => $value) {
    $_GET[$key] = str_replace('bad chars for injections', '', $value);
}

// $_REQUEST is a separate copy, so it has to be rewritten on its own.
foreach ($_REQUEST as $key => $value) {
    $_REQUEST[$key] = str_replace('bad chars for injections', '', $value);
}

This changes the POST values, so the tool can only use the cleaned data. But if the tool uses the file_get_contents('php://input') function, it can still see the original POST data. So I cannot trust the tool if it uses something like this.

Is there a way to change this input before the tool uses it? I mean actually overriding the function.

  • `clean post data for SQL Injections` nope nope nope. Use prepared statements (properly) instead. – Jonnix Nov 17 '16 at 09:07
  • Any well-done and actively maintained open source script will use prepared statements, which are protected against SQL injection, so you should not need to do that. Also, if you found a bug or a possible injection in the source code, you should consider sharing your work with the developers instead of modifying the code just for yourself. – ᴄʀᴏᴢᴇᴛ Nov 17 '16 at 09:10
  • Possible duplicate: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Jignesh Rawal Nov 17 '16 at 10:32

1 Answer


No. This should be completely avoided at all costs.

Use prepared statements instead. From the PHP documentation:

If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur.

If you're not sure how to use prepared statements, there are plenty of guides on the web. For example:

Ivan Kvasnica
  • Since it is an open source tool and I did not write the code, I do not know all the places and methods where the tool inserts into or updates the database. That is why I cannot use prepared statements. So I need to do something like I mentioned. The foreaches are useful many times, I think, but if the tool uses file_get_contents('php://input') it does not work. – user2346665 Nov 17 '16 at 11:00
  • Sorry, but if you do not know how to change it properly, don't do it this way at all. You're adding a security hole into the project. – Ivan Kvasnica Nov 17 '16 at 13:41
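To make the answer's recommendation concrete, here is an added example (not code from the question, the answer or the tool being modified) of the same INSERT and lookup written with PDO prepared statements against an in-memory SQLite database; the users table, the name column and the sample input are assumptions. It also shows why the blacklist filter in the question is unnecessary: a legitimate value containing a quote is stored intact because the driver never parses it as SQL.

```php
<?php
// Added example, not from the page. Table/column names are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// For MySQL you would also disable emulated prepares so the server itself
// separates SQL text from data:
//   $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample input standing in for $_POST['name']. A quote is
// normal user data here; a character blacklist would silently corrupt it.
$name = "O'Brien";

// Vulnerable pattern (shown only as a comment): the value is spliced into the
// SQL text, so its quote becomes part of the statement and the whole
// "which characters are bad" question arises in the first place.
//   $pdo->exec("INSERT INTO users (name) VALUES ('$name')");

// Prepared statement: the SQL text is fixed, the value is bound separately.
// Nothing in $name can change the structure of the statement.
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $name]);

// Reading it back with a bound parameter as well.
$select = $pdo->prepare('SELECT id, name FROM users WHERE name = ?');
$select->execute([$name]);
$row = $select->fetch(PDO::FETCH_ASSOC);

// The stored value equals the submitted one, quote included; no stripping,
// and no filter that the tool could bypass via php://input, was needed.
var_dump($row['name'] === $name);
```

Every query the tool runs has to be written this way for the guarantee to hold, which is why a request-level filter cannot substitute for auditing the tool's database calls.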