
I have a PHP site which has a lot of POST and GET variables.

For each of the POST and GET variables on every page I have added as follows:

If I needed only numbers in the [POST/GET] variable...

```php
// Keep digits only: everything that is not 0-9 is stripped from the POST value.
$post_q_time_post = preg_replace('~[^0-9]+~', '', $_POST["q_time_post"]);
```

If I needed Text / Numbers ..

```php
// Keep ASCII letters and digits only: everything else is stripped from the POST value.
$post_oldp = preg_replace('~[^a-zA-Z0-9]+~', '', $_POST['oldp']);
```

And then used the stripped variable all over the page.

How secure is my site now? Is it possible to do SQL injection or any other PHP-based attack now? If so, what additional steps should I take?

Thanks.

huz_akh
  • It's secure as not even having a login system.. Please use prepared statements. That's the way out.. – Rotimi Nov 24 '17 at 18:46
  • Don't reinvent the wheel, use a prepared statement with parameterized queries. – FirstOne Nov 24 '17 at 18:48
  • @Akintunde I have a login system, a login page that sets $_SESSION variables and then a function at the beginning of all the pages that checks for this $_SESSION and, if it is not found, redirects to the login page. – huz_akh Nov 24 '17 at 19:00
  • @FirstOne I have seen that page, but I have many queries over many pages; it would take quite some time to change them all. In the meantime I put this up as it was quicker and easier to implement. So my question is still: am I secure? Some of my students love to play around. – huz_akh Nov 24 '17 at 19:02
  • You'd get more problems with this approach than from doing things _right_. Imagine a person uses a password that's changed by your function, and later you change that function in a way that now returns a different value than before. If you're really worried about _security_, you already know the path. I'm sorry I can't vouch for the security of this method - as in not capable. – FirstOne Nov 24 '17 at 19:05
  • A side note, as said in the following question, [SQL injection that gets around mysql_real_escape_string()](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string): you're not always safe just because there are no quotation marks, for example. Take a query that assumes an int: `SELECT * FROM foo WHERE my_int_val = $val`. If $val is `0 or 1=1`, you have valid content that still got injected. Of course, this would fall into the first code of yours, but still, it's a risk. – FirstOne Nov 24 '17 at 19:07
  • @FirstOne Right now I manually create and give out number-only passwords, but in the future if users create their own, I see your point. As for your second answer of "0 or 1=1", the "=" sign and the " " are also stripped off, so now it becomes "0or11"; would that be risky as well? Thanks. – huz_akh Nov 24 '17 at 19:18
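As an added example (not code from the question or from any commenter) of what the comments recommend in place of the regex stripping: validate the input's shape and reject bad values instead of rewriting them, then let a PDO prepared statement carry the value separately from the SQL text. Table names, column names and the DSN are assumptions.

```php
<?php
declare(strict_types=1);

// Assumption: a PDO connection with exceptions and real server-side prepares
// (emulation off), so bound values are never spliced into the SQL string.
function db(): PDO {
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Integer input: validate, don't strip. filter_var() returns false for anything
// that is not a well-formed integer, so "0 or 1=1" and "0or11" are both rejected
// rather than silently turned into some other number.
function findPostsByTime(PDO $pdo, string $raw): array {
    $time = filter_var($raw, FILTER_VALIDATE_INT);
    if ($time === false) {
        throw new InvalidArgumentException('q_time_post must be an integer');
    }
    $stmt = $pdo->prepare('SELECT id, title FROM posts WHERE q_time_post = :t');
    $stmt->bindValue(':t', $time, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Password input: never strip characters, because the user's chosen password must
// round-trip unchanged (the problem FirstOne describes). Bind the username as a
// string and compare against a stored hash instead of using the raw value in SQL.
function checkLogin(PDO $pdo, string $user, string $password): bool {
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->bindValue(':u', $user, PDO::PARAM_STR);
    $stmt->execute();
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Usage (hypothetical request values):
// $rows = findPostsByTime(db(), $_POST['q_time_post'] ?? '');
// $ok   = checkLogin(db(), $_POST['user'] ?? '', $_POST['oldp'] ?? '');
```

Each query needs its own prepared statement, so the conversion is per query rather than per page, but nothing about the stored data changes when you do it.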
