tags:

views:

283

answers:

4
Q: 

Check SQL statements within PHP for bad words such as DROP or DELETE

Hi!

I would like to allow some admins to manually enter SQL statements in a textfield (to get statistic data etc.). On the database layer, I protected the data by creating a user which can only select but not update/delete etc.

I would like to add a second security by checking the inserted SQL for bad words such as DROP, DELETE or UPDATE. I figured out how to do that with preg_match but I would love to have a smart script which can distiguish between a DROP and something like WHERE name = 'DROP 1'

EDIT: I would like to log if an admin tries to uses such statements. That's why I need this second level security check. This is for clarification.

Does anyone know a code snipped which fits this example?

Thanks!!

+10  A: 

New Response

Since you updated your question to clarify what you're looking for, I wanted to offer a different solution. Don't worry about what the user is submitting as a query, again, MySQL will spit back an error if they don't have sufficient privs to do something.

Capture that error with mysql_error(), and the error number with mysql_errno(). If the error message says "DROP command denied..." or the error number is 1142 then you know they tried being naughty. Looking for terms within this error is better than looking for terms in their query, as you rightly pointed out that their query can legitimately use the bad words.

Original Response

If your user can only SELECT, then they cannot DROP or DELETE. Looking for these words doesn't add any more security to the mix since the database will reject any queries that aren't explicitly allowed for that given user.

Jonathan Sampson  2010-01-25 22:18:35
Good point about the basic question of whether a PHP check would even be needed to provide the security Marc wants.
jball  2010-01-25 22:22:26
Jonathan. Your solution does not at all solve my problem. I would like to check for those words and log if someone tried to do that (more security). So please do not think about the security issue.. my question was about the preg_match algorithm...thanks
Marc  2010-01-25 23:05:58
@Marc, You should update your question to clarify that you are looking for users attempting malicious actions, and not looking for a second level of security for the SQL statements. Based on the current wording of your question, Jonathan's answer is correct.
jball  2010-01-25 23:22:17
Ok. I edited the question. Did not know that stackoverflow has such a justify-your-question mindset..
Marc  2010-01-25 23:32:05
@Marc, it's not justification, it's clarification. Most SO users, when they see someone about to do something "wrong" (for lack of a better word), will try to steer them in the right direction. That's why it's important to clearly post what your intended goal is.
Brandon  2010-01-25 23:41:57
It's more of a "clarify your question so that you can get useful answers" mindset. Most people would be happy to give you the answers you want if you ask the question in a way that makes sense to everyone.
jball  2010-01-25 23:42:18
A: 

Why don't you just create the commands for the stats data and allow the admins to call those commands? Isn't that easier?

Not saying the admins will do harm intentionally but it could happen!

AntonioCS  2010-01-25 22:22:49
+1  A: 

This is definitely the wrong place to put this level of security in. So long as you have set the database up so the only have SELECT privileges then they cannot change the data in any way. However is you give them any privileges that can change data then no amount of semantic checking on SQL statements will give you security.

Cruachan  2010-01-25 22:26:56
+3  A: 

I wouldn't use regular expressions for something as complex as SQL.

I'd start by looking at what SQL parsers are available for PHP, then use one of those to parse and analyze the SQL statements being used.

Try one of these:

http://pear.php.net/package/SQL_Parser

http://sourceforge.net/projects/osqlp/

pib  2010-01-26 01:31:08
thanks pib! that was what I was looking for!
Marc  2010-01-26 21:41:40

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases