3

I just created a script witch fetches mails from IMAP and stores the title and content in the database.

Of course I don't want to save these information without a check; I'm a bit paranoid but I think it would be possible to do a MySQL-Injection-Attack, if I store the title and content of the mail without checking.

Now my question: How can I store these information? Are there any Joomla-On-Board-Methods to check the content?

Thanks in advance :-)

Improve this question

2 Answers 2

Reset to default
4

Additionally to quoting the data as Anibal already correctly explained, you can use JFilterInput->clean() to clean the various inputs. That's especially helpful if you expect the data to be of a certain format. So if you expect the title of the mail to be a simple string without any fancy stuff in it, you can use

$filter = JFilterInput::getInstance(); $title = $filter->clean($title, 'STRING');

Taken from the docblock from the available filters:

INT: An integer, UINT: An unsigned integer, FLOAT: A floating point number, BOOLEAN: A boolean value, WORD: A string containing A-Z or underscores only (not case sensitive), ALNUM: A string containing A-Z or 0-9 only (not case sensitive), CMD: A string containing A-Z, 0-9, underscores, periods or hyphens (not case sensitive), BASE64: A string containing A-Z, 0-9, forward slashes, plus or equals (not case sensitive), STRING: A fully decoded and sanitised string (default), HTML: A sanitised string, ARRAY: An array, PATH: A sanitised file path, TRIM: A string trimmed from normal, non-breaking and multibyte spaces USERNAME: Do not use (use an application specific filter), RAW: The raw string is returned with no filtering, unknown: An unknown filter will act like STRING. If the input is an array it will return an array of fully decoded and sanitised strings.
Improve this answer
2
  • Edit: One problem remains: $content = $filter->clean($content, 'HTML'); Removes all HTML-formatting. How can I avoid this? Commented Jun 29, 2015 at 15:13
  • By default, it will remove any "unsafe" tags and attributes. The class contains a hardcoded blacklist of tags and attributes for that. See github.com/joomla/joomla-cms/blob/staging/libraries/joomla/…: You can override those when you instantiate your own class. Commented Jun 29, 2015 at 18:01
4

To avoid MySQL-Injection-Attacks, you can have to properly escape and quote special characters. For example:

$query = 'SELECT * FROM #__table WHERE ' . $db->quoteName( $field-name ) . '=' . $db->quote( $field-value );

Reference: Secure coding guidelines

Improve this answer
4
  • Hi Anibal, what's the difference between $db->quote and $db->quotename? I did not get it in the Doc. Edit: In another scenario I'm saving information by storing them to a new table: d.pr/1fsIw Is this a save way? Commented Jun 29, 2015 at 14:50
  • Gah! Is that seriously on the official documentation?!? Trying to stop SQL injection with escaping is a fool's errand, especially in PHP. (Just look at how many times they've gotten it wrong and come up with a new really_escape_SQL_properly_we_mean_it_this_time() method, which eventually is shown to be flawed and gets replaced by another one...) The only right way to do it is with parameters for values and validating table or field names against a whitelist. Commented Jun 29, 2015 at 15:46
  • 1
    Security is achieved only with several layers. Quote for values and QuoteName for table or field names are one of several measures you can take. Commented Jun 29, 2015 at 15:53
  • Despite YourCommonSense/ColShrapnel having a notoriously grumpy disposition on StackOverflow / StackExchange sites AND currently serving a 1-year "cool down" on StackOverflow, his expertise is extensive and trustworthy. One relevant post He has thousands of mysql/sql/injection/security related posts and his own website that provides well-researched, detailed tutorials and explanations across a range of DB interactions and strategies. English isn't his first language so please forgive any typos / imperfect wording. Commented Jun 19, 2018 at 5:37

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.