
Today I started to read different articles about SQLi and DoS/DDoS to know how to protect my site, and I found this thing:

Link: link to the article

    <?php
    // DB connection (mysql_connect / mysql_select_db) assumed to be done here
    session_start();

    // $id = (int)$_GET['id'];   // the cast the article leaves commented out
    $id = $_GET['id'];           // raw request value goes straight into the query

    $result = mysql_query("SELECT id,name,pass FROM users WHERE id = $id")
        or die("Error");

    if ($data = mysql_fetch_array($result))
        $_SESSION['name'] = $data['name'];

    // blacklist check, note that it runs only after the query above has executed
    if (preg_match('/(benchmark|sleep)/i', $id))
        exit('attack'); // no timing

I want to know the use of this. Also, after this the guy shows how to bypass it, and I want to know if PDO is secure?

Ben
  • you should also read up on mysql injection and use prepared statements instead of the mysql_* functions or at least use `mysql_real_escape_string` – Lawrence Cherone Feb 27 '12 at 10:48
  • 1
    Oh.. This is (10000%) a wrong usage of $id, is a numeric field, then do a casting OR escape value will do ... – ajreal Feb 27 '12 at 10:51
  • Thanks @LawrenceCherone but i use PDO so i dont use mysql_real_escape_string – Ben Feb 27 '12 at 10:54
  • You can read about `preg_match` in the PHP manual, it should give you some pointers: http://php.net/preg_match - Your question is rather broad, you should re-word it to make more clear what exactly your issue is. – hakre Feb 27 '12 at 10:57
  • @Lawrence mysql_real_escape_string won't help with this code. Go figure. And it is NOT because something wrong with mysql_* functions but with PHP users who just have no idea how to use them. – Your Common Sense Feb 27 '12 at 11:51

2 Answers


if(preg_match('/(benchmark|sleep)/i', $id)) checks if the $id matches the strings benchmark or sleep (the i stands for case-insensitive).

In the context it's presented I'd say this makes no sense whatsoever though... I'd rather do this, and be done with it:

$id = (int) $_GET['id'];   // anything that is not a number becomes 0

$result = mysql_query('SELECT id,name,pass FROM users WHERE id = ' . $id);

Notice I cast the id to an int, so if it's anything else it should just end up being 0, which most likely doesn't match anything since id columns usually start at 1 (from my experience anyway).

Your Common Sense
Svish
  • For the same purpose, I use the `intval` function: `$id = intval($_GET['id']);` – J. Bruni Feb 27 '12 at 11:38
  • 1
    It worths mentioning that the regular expression would match `benchmark` or `sleep` at any point of the string (it would match "somesleeps", for example)... to match only the exact words, the regex would be `/^(benchmark|sleep)$/i` – J. Bruni Feb 27 '12 at 11:41
  • @J.Bruni matching exact words makes no sense in this context. – Your Common Sense Feb 27 '12 at 11:48
  • 1
    @Col.Shrapnel: indeed, makes no sense from the security point of view; I am only clarifying what the answer says, and "teaching" a two cents bit about regular expressions – J. Bruni Feb 27 '12 at 11:50
  • I don't use any of these "parametrization" stuff like PDO or anything else. I do use the "placeholder" approach. Usually, simple like this: `$sql = sprintf('SELECT field FROM table WHERE somefield = "%1$s";', intval($param));`, where the "placeholder" can be anything... a comma-separated list of values for an INSERT or IN clause, a string value, "ASC" or "DESC" for an ORDER BY direction... just **ANYTHING**! [continues...] – J. Bruni Feb 27 '12 at 12:09
  • And, of course, each parameter replacing each placeholder will have its unique special treatment, going from an `intval` to a specific whitelisting or escaping function (a special case, for example, is to prepare a string for "LIKE" clauses)... we simply can't generalize, each case is a case, from simple to complex. We may want to dynamically build any part of the query, and for each part there is an appropriate approach. – J. Bruni Feb 27 '12 at 12:11
  • So if I use PDO and bindParam() am I safe? – Ben Feb 27 '12 at 12:31
  • @MarianPetrov Probably yes. I'd probably use `bindValue` instead though. Looks simpler :) – Svish Feb 27 '12 at 12:36
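As an added example (not code from the question, the article, or the answer above), here is the same lookup written the way the answer and the last two comments recommend: cast the id to an integer and pass it to a PDO prepared statement with `bindValue`. An in-memory SQLite database stands in for MySQL so the script runs offline; the PDO calls are the same for both drivers. The function name `findUserName`, the sample rows and the sample inputs are constructed for the example.

```php
<?php
// Added example: integer cast plus a PDO prepared statement for the
// "SELECT ... WHERE id = ?" lookup from the question. SQLite in memory
// replaces the MySQL connection so the script runs stand-alone.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)');
// constructed sample rows
$pdo->exec("INSERT INTO users (id, name, pass) VALUES (1, 'alice', 'x'), (7, 'bob', 'y')");

/**
 * Look up a user name by id (hypothetical helper).
 * The cast guarantees that only an integer reaches the query; the placeholder
 * guarantees it is transmitted as a value and never spliced into the SQL text.
 */
function findUserName(PDO $pdo, $rawId)
{
    $id = (int) $rawId;   // "7" -> 7, "abc" -> 0, "7 sleep(5)" -> 7 (trailing text is dropped)

    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}

// Constructed inputs standing in for $_GET['id']. No blacklist is needed:
// whatever the string contains, the query only ever sees an integer.
$samples = ['7', 'abc', 'sleep(5)', '7 sleep(5)'];
foreach ($samples as $input) {
    $name = findUserName($pdo, $input);
    printf("%-14s -> %s\n", var_export($input, true), $name === null ? '(no row)' : $name);
}
```

Run it with `php example.php`. The cast is what makes the `sleep`/`benchmark` check from the question pointless: a non-numeric string becomes `0` and matches no row, exactly as the answer describes, and the prepared statement means the value could not be interpreted as SQL even without the cast.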

I want to know the use of this

That's a quite silly and apparently useless attempt to detect a possible SQL injection which is supposed to run a resource-consuming query.

Also after this the guy shows how to bypass it

No wonder.
Once you have code open to injection, there are thousands of methods to run it.

Your only concern should be injection in general.

Once you are protected, no DDoS injection would be possible.

I want to know if PDO is secure?

First, it is not PDO that is secure, but strict and constant use of prepared statements that is considered secure.

Second, nope, prepared statements help with only half the problem.

Your Common Sense
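The "other half" this answer refers to, and that J. Bruni's comments under the first answer describe, is the part of a query that a prepared statement cannot parameterize: column names, an `ORDER BY` direction, or the number of items in an `IN (...)` list. The following is an added example (not from either answer or the original article) of the usual remedy: whitelist identifiers and keywords, and generate one placeholder per value for lists. It uses in-memory SQLite so it runs offline; the helper names `whitelist` and `listUsers`, the table columns and the sample inputs are constructed for the example.

```php
<?php
// Added example: the query parts prepared statements do not cover.
// Values (the ids) are bound; the column, the direction and the size of
// the IN list are controlled by whitelisting / generated placeholders.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT, created TEXT)');
// constructed sample rows
$pdo->exec("INSERT INTO users VALUES (1,'alice','x','2012-01-01'), (2,'bob','y','2012-02-01'), (3,'carol','z','2012-03-01')");

/** Return $value only if it is in the allowed list, otherwise the default (hypothetical helper). */
function whitelist($value, array $allowed, $default)
{
    return in_array($value, $allowed, true) ? $value : $default;
}

/**
 * Fetch user names for a caller-supplied list of ids, sorted by a
 * caller-chosen column and direction (hypothetical helper).
 */
function listUsers(PDO $pdo, array $rawIds, $rawColumn, $rawDirection)
{
    $ids = array_map('intval', $rawIds);   // every id becomes an integer
    if (count($ids) === 0) {
        return [];
    }

    // Identifiers and keywords cannot be bound, so they come from a fixed list.
    // 'pass' is deliberately not sortable; anything unknown falls back to id ASC.
    $column    = whitelist($rawColumn, ['id', 'name', 'created'], 'id');
    $direction = whitelist(strtoupper((string) $rawDirection), ['ASC', 'DESC'], 'ASC');

    // One "?" per id, so the placeholder count always matches the value count.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $sql   = "SELECT name FROM users WHERE id IN ($marks) ORDER BY $column $direction";

    $stmt = $pdo->prepare($sql);
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);   // positional parameters are 1-based
    }
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs standing in for request parameters.
print_r(listUsers($pdo, ['3', '1'], 'name', 'desc'));
print_r(listUsers($pdo, ['1', '2', 'abc'], 'pass', 'sideways'));
```

The first call sorts by the requested column and direction; the second call has an id that is not a number (it becomes `0` and matches nothing), a column that is not on the allow list and a direction that is not `ASC` or `DESC`, so the query silently falls back to `ORDER BY id ASC` instead of ever seeing the raw strings. The only SQL text that changes between calls is built from constants chosen by the code, not by the request.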