Here is the steel strong sanitizer:<div><br></div><div><div>$npaa = "$_POST[anpa]";</div><div>$nxxa = "$_POST[anxx]";</div><div>$blocka = "$_POST[ablock]";</div><div><br></div><div># Sanitize</div>
<div>$blocka_san = strspn("$blocka", "0123456789");</div><div><br></div><div><b>if ($blocka_san==4 && is_numeric($npaa) && is_numeric($nxxa) && is_numeric($blocka) && $npaa>=200 && $nxxa>=200 && $npaa!=900 && $npaa!=911) </b></div>
<div><b><br></b></div><div><b> {</b></div><div><br></div><div> echo "Number passed sanitization";</div><div><br></div> }</div><div><br></div><div>What do you think? :-)</div><div><br>
</div>
<div>-Bruce<br><div class="gmail_quote">On Sat, Jul 10, 2010 at 2:17 PM, bruce bruce <span dir="ltr"><<a href="mailto:bruceb444@gmail.com">bruceb444@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Thanks again. Apparently all POST variables come through as strings. The function you pointed out is I think already built in php as <div><span style="font-family:verdana, arial, helvetica, sans-serif;font-size:14px;border-collapse:collapse"><br>
</span></div><div><span style="font-family:verdana, arial, helvetica, sans-serif;font-size:14px;border-collapse:collapse"><span><a href="http://www.php.net/manual/en/function.is-numeric.php" style="color:rgb(0, 0, 153);background-color:transparent;text-decoration:none;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(0, 0, 153)" target="_blank">is_numeric()</a></span>. </span><div>
<font face="verdana, arial, helvetica, sans-serif" size="4"><span style="border-collapse:collapse;font-size:14px"><br></span></font></div><div><a href="http://php.net/manual/en/function.is-int.php" rel="rdfs-seeAlso" style="color:rgb(0, 0, 153);background-color:transparent;text-decoration:none;border-bottom-width:1px;border-bottom-style:solid;border-bottom-color:rgb(0, 0, 153)" target="_blank"></a><font face="verdana, arial, helvetica, sans-serif" size="4"><span style="border-collapse:collapse;font-size:14px"><a href="http://www.php.net/manual/en/function.is-numeric.php" target="_blank">http://www.php.net/manual/en/function.is-numeric.php</a></span></font></div>
<div><font face="verdana, arial, helvetica, sans-serif" size="4"><span style="border-collapse:collapse;font-size:14px"><br></span></font></div><div><font face="verdana, arial, helvetica, sans-serif" size="4"><span style="border-collapse:collapse;font-size:14px"><a href="http://www.php.net/manual/en/function.is-numeric.php" target="_blank"></a>If that runs TRUE and if I keep my >=200 and !=911 or !900 I should be safe from SQL injections. And along with dial-out routes rules, I think I can make this stronger.</span></font></div>
<div><font face="verdana, arial, helvetica, sans-serif" size="4"><span style="border-collapse:collapse;font-size:14px"><br></span></font></div><div><font face="verdana, arial, helvetica, sans-serif" size="4"><span style="border-collapse:collapse;font-size:14px">I have my html/php file set so that the input field only takes 3 digit 3 digit 4 digit (NPA, NXX, Block) so your purposal of: </span></font><span style="font-family:arial, sans-serif;font-size:13px;border-collapse:collapse"><b>'201,0); drop database YOUR_DATABASE'; </b>would fail due to big length and also I tested with inputing letters and my IF function caught it and exited.</span></div>
<div><font face="verdana, arial, helvetica, sans-serif" size="4"><span style="border-collapse:collapse;font-size:14px"><br></span></font></div><div><span style="font-family:verdana, arial, helvetica, sans-serif;font-size:14px;border-collapse:collapse">Further more, everything else (other than phone input fields) is drop down boxes with specific numbers or letters inserted in them. I should be 100% safe with those right?</span></div>
<div><font face="verdana, arial, helvetica, sans-serif" size="4"><span style="border-collapse:collapse;font-size:14px"><br></span></font></div><div><font face="verdana, arial, helvetica, sans-serif" size="4"><span style="border-collapse:collapse;font-size:14px">By using form POST there should be no other loop holes left opened right? It's not like php $_GET so people can't try typing to the browser in this format:</span></font></div>
<div><font face="verdana, arial, helvetica, sans-serif" size="4"><span style="border-collapse:collapse;font-size:14px"><br></span></font></div><div><font face="verdana, arial, helvetica, sans-serif" size="4"><span style="border-collapse:collapse;font-size:14px"><span style="border-collapse:separate;font-family:'courier new';font-size:12px"><a href="http://www.w3schools.com/welcome.php?fname=Peter&age=37" target="_blank">http://www.w3schools.com/welcome.php?fname=Peter&age=37</a></span></span></font></div>
<div><font face="'courier new'" size="3"><span style="font-size:12px"><br></span></font></div><div><font face="'courier new'" size="3"><span style="font-size:12px">Thanks a lot,</span></font></div>
<div><font face="'courier new'" size="3"><span style="font-size:12px">Bruce</span></font></div><div><div></div><div class="h5"><div><br><div class="gmail_quote">On Sat, Jul 10, 2010 at 1:41 PM, Gerald A <span dir="ltr"><<a href="mailto:geraldablists@gmail.com" target="_blank">geraldablists@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Bruce,<br><div style="display:inline"></div><br>
<div class="gmail_quote"><div>On Sat, Jul 10, 2010 at 11:12 AM, bruce bruce <span dir="ltr"><<a href="mailto:bruceb444@gmail.com" target="_blank">bruceb444@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex">
Further to my last post, I added this to santize. I also created a new mysql user with access to only findmefollow portion of the asterisk table for limited access and assigned only two simultaneous connections with only 10 changes queries per hour (as I know that no more queries will be put through probably)<div>
<br></div><div>if ($npaa>=200 && $nxxa>=200 && $npaa!=900 && $npaa!=911)</div><div><br></div><div>Should that suffice against SQL injections? The if condition changes the string to number so it removes the chance of people adding other characters and it also sticks to format NPANXXXX or 2XX2XXXX.</div>
</blockquote></div><div><br>There are two things -- the first is, who call this script? If it's something you control 100%, you can mitigate the risk a bit. I don't really like this tact, because if the script gets repurposed, you end up with something that could be very dangerous.<br>
<br>The second thing is simple -- most people think small here, but you have to think big and know a bit about how PHP works. PHP strings are pretty amazing things, and one of the pesky things is that you can put all kinds of things in it. Now, if that string variable is created as a result of a form input, then that string can be anything. For a moment, think about if it $npaa = '201,0); drop database YOUR_DATABASE'; Now, that is pretty nasty, and it would muck up further SQL injections, but now you get the idea. You should always check to make sure the data you are getting is what you are expecting, and exclude what you aren't.<br>
<br>So, are your tests sufficient? I can't remember off the top of my head if the string -> integer only considers the first number, or it considers the whole string. (PHP usually errs on the side of ease of use, so I think my snippet above would still pass your test). If your expecting only numbers, I'd write a function that ensures that only numbers are parts of the input. (And not just for the 3 above variables).<br>
Really, you should never see $_POST("var") (or any PHP CGI variable) that derives directly from user input.<br><br>It takes a few minutes extra, but it'll save hours of sorting later if you get hit by a SQL injection.<br>
<br>Hope this helps,<br>Gerald<br></div></div>
</blockquote></div><br></div></div></div></div>
</blockquote></div><br></div>