MySQL injection "qq", evil injection, OR

Today I found new for me MySQL injection thats named 'qq' and I was create escape injections functions for evil injection, bad OR and other.

Look at this code I found in query logs:

qq`;SELECT * FROM `revolver__topics`;``

It is fragment of MySQL injection thats not complite logged on perform.

This code availible to execution becuse MySQL(MySQLi, PDO, PostgreSQL, MSSQL) engines in PHP extensions have no 100% safe escaping MySQL queries. After some PHP version update we lost most of important function mysql_real_escape_string() and I have combine some injection filters.

Perhaps, I can wrote some analog function thats can escape seems all injections we known. Code below intended to cleanup variables of MySQL queries inside equally:

    // clenup
    public static function escape( $string ) {
        $safeSQL = htmlspecialchars(addslashes(preg_replace('/[x{10000}-x{10FFFF}]/u', "xEFxBFxBD", ltrim(trim($string), 'qq'))));
        $safeSQL = str_replace('--+', ';', $safeSQL);
        $safeSQL = rtrim($safeSQL, '--');
        $safeSQL = str_replace(['/*',''♯'], ['', ''], $safeSQL);
        return ltrim($safeSQL, 'QQ');

If you know more about MySQL injections and missuses of this code please leave comment bellow.

After some time I will put commit with security patch for DBX and RevolveR CMS.

This function for escaping OR, AND, ON issues in only WHERE statement clause:

    // cleanup inner SQL
    public static function innerEscape( $fragment ) {
        return str_replace(['OR', 'AND', 'ON', "'", ';', 'or', 'and', 'on', '/*', '', '--', '--+'], ['', '', '', '\'', '', '', '', '', '', '', '', ''], $fragment);

Next function intended to block last OR, AND, ON bad clause execution of SQL queries:

    public static function escapeOuter( $string ) {
        return preg_replace(['♯/(OR/)+$♯','♯/(or/)+$♯','♯/(AND/)+$♯','♯/(and/)+$♯','♯/(ON/)+$♯','♯/(on/)+$♯'], ['$1 ;', '$1 ;', '$1 ;', '$1 ;', '$1 ;', '$1 ;'], $string);

Please, optimize escape() regular expressions also. Be carefull with passwords to becuse we can't use some symbols by security reasons. Also be careful with HTML encoding symbols in represented code because after filtering contents not all special symbols are injected in database fileds(replace ♯ with shift + 3 keyboard analog).


Comments …

You can write here as guest with moderation. Please confirm your person if you have an account or register.

#78 by CyberX


Also, we can use same escape function for preventing $_POST variables injections of SQL bad code:

$var = str_ireplace(['/*','♯','--+', '&percnt'], ['', '', '', ''], $var);
$var = htmlspecialchars($var, ENT_IGNORE, 'utf-8');
$var = strip_tags($var);
$var = stripslashes($var);

This function on 100% blocks incoming injections and convert $_POST string into safe characters.

Add a review as guest
Lets draw: