
I'm working on a site where content pages are handled with mod_rewrite, and I'm trying to protect the URL managed by mod_rewrite from SQL injection with some character restrictions, because users can create page contents like this:

http://site.com/content-type/Page-created-by-user

My doubts come when they insert something like:

http://site.com/architect/Giovanni+Dall'Agata

I need to allow the ' character because I can have names like this, for example names of famous architects, but I don't know if I can keep the data safe and how to prevent SQL injection with this character.

Should I do something particular to prevent attacks?

I'm using PDO class in PHP like this:

// the page name taken from the rewritten URL
$architect = strip_tags(trim($_REQUEST["architect"]));

// pdo class etc..
$pdo_stmt->bindParam(":arch", $architect, PDO::PARAM_STR);
// and the other code here...

Users can't create pages with these chars: < > / \ * ? =. Should I ban ' and " too? Or should I permit only one of the ' and " chars, or can I allow them together and keep the server safe?

ajreal
vitto
  • From a design perspective, you really want to be guarding against SQL injection as close to the database as possible instead of relying on other layers of your application--like your mod_rewrite rules--to provide that protection. Your use of bound parameters in PDO is highly recommended in this regard. – Schwartzie Dec 12 '10 at 16:56

2 Answers

$stmt->bindParam (and bindValue, and in general, prepared statements) are safe against SQL injection. All serious DB frameworks support a way of adding parameters to a query, and values added that way are sanitized. You should always do that and never insert variable data coming from users (see comments) manually into an SQL query string.

That still leaves the question of XSS injections, which are easier to miss (though also less dangerous); to avoid them, make sure you always use htmlspecialchars($var,ENT_QUOTES) (or urlencode, depending on the context).

Tgr
  • However, sometimes we have to add a variable or two into query directly anyway. It's better to be armed for such a case instead of just forbidding it. – Your Common Sense Dec 12 '10 at 15:21
  • I would avoid it as a rule, unless it is a constant or otherwise obviously uncompromisable by the user. It is not enough for the code to be secure; it should *look* secure. Makes the probability of accidental slip-ups much smaller. – Tgr Dec 12 '10 at 15:28
  • so, you'd better add it to the answer or at least mention that you are talking of data only. Because prepared statements can protect only data and can't help with any other part of query. – Your Common Sense Dec 12 '10 at 16:09
  • I was not too clear probably. It's not matter of terms used. It's rather of understanding. See what I mean, examples at the bottom: http://stackoverflow.com/questions/2993027/in-php-when-submitting-strings-to-the-db-should-i-take-care-of-illegal-characters/2995163#2995163 – Your Common Sense Dec 12 '10 at 21:40

PDO automatically escapes characters like ' so you should be ok, just make sure you have register_globals and magic_quotes turned off and always use bindParam for your queries.

Also, if you're talking about creating dynamic URLs, you shouldn't have the ' character in them anyway. I always use:

// the outer parentheses are the regex delimiters; everything outside [0-9a-zA-Z-] is dropped
$str = preg_replace("([^0-9a-zA-Z\-])", "", $str);

Which removes anything that's not 0-9, a-z, A-Z or a dash from the string.

fire
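Putting the two answers together, as an added example that is not part of the question or either answer: it stores the question's own name "Giovanni Dall'Agata", looks it up once through a bound parameter and once through string concatenation (so the effect of the apostrophe on query structure is visible), derives a URL slug with the second answer's filter, and escapes the name for HTML output as the first answer suggests. It assumes pdo_sqlite is available and uses an in-memory table whose name and columns are made up here.

```php
<?php
// Added example, not code from the question or the answers. It stores the
// question's name "Giovanni Dall'Agata", queries it both ways, and derives a
// URL slug with the second answer's filter. Uses in-memory SQLite (pdo_sqlite
// assumed available); the architects table and its columns are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE architects (name TEXT NOT NULL, slug TEXT NOT NULL)");

function slugify(string $name): string {
    // Spaces become dashes, then everything outside [0-9a-zA-Z-] is dropped,
    // so the apostrophe never reaches the URL and no SQL-relevant char survives.
    return preg_replace('/[^0-9a-zA-Z\-]/', '', str_replace(' ', '-', $name));
}

function insertArchitect(PDO $pdo, string $name): void {
    // Bound value: the apostrophe is data, not part of the SQL text.
    $stmt = $pdo->prepare("INSERT INTO architects (name, slug) VALUES (:name, :slug)");
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':slug', slugify($name), PDO::PARAM_STR);
    $stmt->execute();
}

function findSlugUnsafe(PDO $pdo, string $name): string {
    // What the question fears: concatenation lets ' end the string literal,
    // so the query's structure depends on user data. Here it simply fails.
    try {
        $row = $pdo->query("SELECT slug FROM architects WHERE name = '$name'")->fetchColumn();
        return $row === false ? 'not found' : $row;
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

function findSlugSafe(PDO $pdo, string $name): string {
    $stmt = $pdo->prepare("SELECT slug FROM architects WHERE name = :name");
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetchColumn();
    return $row === false ? 'not found' : $row;
}

$name = "Giovanni Dall'Agata";          // constructed sample of user input
insertArchitect($pdo, $name);
echo "unsafe: ", findSlugUnsafe($pdo, $name), "\n";
echo "safe:   ", findSlugSafe($pdo, $name), "\n";
// When the name is echoed into HTML, escape both quote styles (first answer).
echo "html:   ", htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "\n";
```

The concatenated query fails with a syntax error on the apostrophe, while the bound query returns the slug; the same apostrophe that breaks the unsafe statement is stored and retrieved intact through the prepared one.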