Hi Bruce,<br><div style="visibility: hidden; display: inline;" id="avg_ls_inline_popup"></div><style type="text/css">#avg_ls_inline_popup { position:absolute; z-index:9999; padding: 0px 0px; margin-left: 0px; margin-top: 0px; width: 240px; overflow: hidden; word-wrap: break-word; color: black; font-size: 10px; text-align: left; line-height: 13px;}</style><br>
<div class="gmail_quote">On Sat, Jul 10, 2010 at 11:12 AM, bruce bruce <span dir="ltr"><<a href="mailto:bruceb444@gmail.com">bruceb444@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Further to my last post, I added this to santize. I also created a new mysql user with access to only findmefollow portion of the asterisk table for limited access and assigned only two simultaneous connections with only 10 changes queries per hour (as I know that no more queries will be put through probably)<div>
<br></div><div>if ($npaa>=200 && $nxxa>=200 && $npaa!=900 && $npaa!=911)</div><div><br></div><div>Should that suffice against SQL injections? The if condition changes the string to number so it removes the chance of people adding other characters and it also sticks to format NPANXXXX or 2XX2XXXX.</div>
</blockquote><div><br>There are two things -- the first is, who call this script? If it's something you control 100%, you can mitigate the risk a bit. I don't really like this tact, because if the script gets repurposed, you end up with something that could be very dangerous.<br>
<br>The second thing is simple -- most people think small here, but you have to think big and know a bit about how PHP works. PHP strings are pretty amazing things, and one of the pesky things is that you can put all kinds of things in it. Now, if that string variable is created as a result of a form input, then that string can be anything. For a moment, think about if it $npaa = '201,0); drop database YOUR_DATABASE'; Now, that is pretty nasty, and it would muck up further SQL injections, but now you get the idea. You should always check to make sure the data you are getting is what you are expecting, and exclude what you aren't.<br>
<br>So, are your tests sufficient? I can't remember off the top of my head if the string -> integer only considers the first number, or it considers the whole string. (PHP usually errs on the side of ease of use, so I think my snippet above would still pass your test). If your expecting only numbers, I'd write a function that ensures that only numbers are parts of the input. (And not just for the 3 above variables).<br>
Really, you should never see $_POST("var") (or any PHP CGI variable) that derives directly from user input.<br><br>It takes a few minutes extra, but it'll save hours of sorting later if you get hit by a SQL injection.<br>
<br>Hope this helps,<br>Gerald<br></div></div>