Are these 3 input-filter-functions 100% safe against sql injection?
Generally I don't like using SQL prepared statements, so I have built 3
functions to check whether an input is safe. I want to know if there is
ANY CHANCE to be hacked.
Function 1: (for username and password inputs. This function does not
accept any symbol or space)
<?php
function safe_input($input) // no symbols
{
    // symbols to exclude
    $safe = array(
        "'", "(", ")", ",", ".", "-", "=", '"', "+", "*",
        "&", "^", "%", "$", "#", "@", "!", " ", "_", "[",
        "]", "{", "}", ":", ";", "<", ">", "/", "?"
    );
    $is_safe = true;
    for ($i = 0; $i <= (count($safe) - 1); $i++)
    {
        // explode() yields more than one piece only if the symbol occurs in $input
        $check_count_n = count(explode($safe[$i], $input));
        if ($check_count_n > 1)
        {
            $is_safe = false;
        }
    }
    return $is_safe;
}
?>
In the 2nd function, I need to filter ID-like inputs: only numbers.
<?php
function safe_input_id($input)
{
    // is_numeric() accepts any numeric string, including signed,
    // decimal and exponent forms such as "-1", "0.5" and "1e3"
    if (is_numeric($input))
    {
        return true;
    }
    else
    {
        return false;
    }
}
?>
And finally the 3rd function is a filter for text-like inputs, like e-mails.
What I do is declare a global variable $safeguard which I put between
every char in the input. For example, if the input is "HELLO" and the
safeguard is "@r8#", the returned value will be "H@r8#E@r8#L@r8#L@r8#O@r8#"
and will be saved in the database. In order to retrieve the value from the
database, I use the unguard function to remove the safeguard.
<?php
global $safeguard;
$safeguard = '8#3r7';

// append $safeguard after every character, then backslash-escape single quotes
function text_guard($text, $safeguard)
{
    $new_text = '';
    for ($i = 0; $i <= strlen($text) - 1; $i++)
    {
        $new_text = $new_text . $text[$i] . $safeguard;
    }
    // in a double-quoted PHP string, "\'" is a literal backslash followed by a quote
    $new_text = str_replace("'", "\'", $new_text);
    return $new_text;
}

// reverse of text_guard(): drop the safeguard pieces and unescape single quotes
function text_unguard($text, $safeguard)
{
    $new_text = '';
    $text_array = explode($safeguard, $text);
    for ($i = 0; $i <= count($text_array) - 1; $i++)
    {
        $new_text = $new_text . $text_array[$i];
    }
    $new_text = str_replace("\'", "'", $new_text);
    return $new_text;
}
?>
ARE THESE 3 FUNCTIONS 100% SAFE? Thanks in advance
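An added example, not from the question's author: strict allow-list validators for the username and ID cases, and a PDO prepared statement for the free-text case, which removes the need for the guard/unguard scheme. The $pdo connection, the users table and its column names are assumptions.

```php
<?php
// Added example (not the original poster's code). Assumes a PDO connection
// $pdo and a table users(id, username, email); both are assumptions.
declare(strict_types=1);

// Replacement for safe_input(): only ASCII letters and digits, bounded length.
// An allow-list cannot miss a character the way a deny-list can.
function is_plain_token(string $input, int $maxLen = 32): bool
{
    return $input !== '' && strlen($input) <= $maxLen && ctype_alnum($input);
}

// Replacement for safe_input_id(): decimal digits only, bounded length.
// is_numeric() also accepts "-1", "0.5", "1e3" and " 7"; ctype_digit() does not.
function is_plain_id(string $input): bool
{
    return $input !== '' && strlen($input) <= 18 && ctype_digit($input);
}

// Replacement for text_guard()/text_unguard(): the parameter travels separately
// from the SQL text, so the e-mail is stored verbatim and needs no unguarding.
function insert_user(PDO $pdo, string $username, string $email): bool
{
    if (!is_plain_token($username)) {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO users (username, email) VALUES (:u, :e)');
    return $stmt->execute([':u' => $username, ':e' => $email]);
}

function fetch_user_by_id(PDO $pdo, string $id): ?array
{
    if (!is_plain_id($id)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-check on constructed inputs; these two validators need no database.
assert(is_plain_token('alice42') === true);
assert(is_plain_token('alice 42') === false);
assert(is_plain_id('123') === true);
assert(is_plain_id('1e3') === false && is_numeric('1e3') === true);
```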