
What is the use of preg_match('/(benchmark|sleep)/i', $id)

0 like 0 dislike

Today I started to read different articles about SQLi and DoS/DDoS to learn how to protect my site, and I found this:

Link: link to the article

// DB connection
// $id = (int)$_GET['id'];
$id = $_GET['id'];

$result = mysql_query("SELECT id,name,pass FROM users
WHERE id = $id") or die("Error");

if($data = mysql_fetch_array($result))
    $_SESSION['name'] = $data['name'];

if(preg_match('/(benchmark|sleep)/i', $id))
    exit('attack'); // no timing
asked Feb 27, 2012 by anonymous  
edited Jul 4, 2012 by sarwana

2 Answers

0 like 0 dislike

if(preg_match('/(benchmark|sleep)/i', $id)) checks if $id matches the strings benchmark or sleep (the i stands for case-insensitive).

In the context it's presented in, I'd say this makes no sense whatsoever though... I'd rather do this, and be done with it:

$id = (int) $_GET['id'];
$result = mysql_query('SELECT id,name,pass FROM users WHERE id = '.$id);

Notice I cast the id to an int, so if it's anything else it should just end up being 0, which most likely doesn't match anything since id columns usually start at 1 (from my experience anyway).

answered Jul 2, 2012 by anonymous  
edited Jul 4, 2012 by sarwana
For the same purpose, I use the intval function: $id = intval($_GET['id']);
It's worth mentioning that the regular expression would match benchmark or sleep at any point in the string (it would match "somesleeps", for example)... to match only the exact words, the regex would be /^(benchmark|sleep)$/i
Matching exact words makes no sense in this context.
It makes no sense from the security point of view; I am only clarifying what the answer says, and "teaching" a two cents' worth about regular expressions.
I don't use any of this "parametrization" stuff like PDO or anything else. I do use the "placeholder" approach. Usually, something simple like this: $sql = sprintf('SELECT field FROM table WHERE somefield = "%1$s";', intval($param));, where the "placeholder" can be anything... a comma-separated list of values for an INSERT or IN clause, a string value, "ASC" or "DESC" for an ORDER BY direction... just ANYTHING! [continues...]
0 like 0 dislike
I want to know the use of this

That's a quite silly and apparently useless attempt to detect a possible SQL injection that is supposed to run a resource-consuming query.

Also, after this the guy shows how to bypass it

No wonder.
Once you have code open to injection, there are thousands of methods to run it.

Your only concern should be injection in general.

Once you are protected, no DDoS injection would be possible.

I want to know if PDO is secure?

First, it is not PDO that is secure, but strict and constant use of prepared statements that is considered secure.
answered Jul 2, 2012 by anonymous  
edited Jul 2, 2012
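The two answers above boil down to the same advice: validate the id as an integer and bind it in a prepared statement instead of regex-blacklisting keywords. The following PHP is an added example written for this page, not code from either answerer; it assumes a users table with id, name and pass columns as in the question, and uses an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example: integer validation plus a prepared statement.
// The table layout mirrors the question's SELECT; the data is constructed.

function fetchUserById(PDO $pdo, $rawId): ?array
{
    // Like the (int) cast in the first answer, but instead of silently
    // turning non-numeric input into 0 we reject it outright.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }

    // The value is bound as a parameter, never concatenated into the SQL,
    // so no keyword blacklist (benchmark, sleep, ...) is needed at all.
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- self-contained demo with constructed sample data ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql you would additionally set PDO::ATTR_EMULATE_PREPARES to
// false so the server itself parses the statement; pdo_sqlite prepares natively.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)');
$pdo->exec("INSERT INTO users (name, pass) VALUES ('alice', 'h1'), ('bob', 'h2')");

// Constructed inputs standing in for $_GET['id'].
foreach (['2', '3abc', '99', ''] as $raw) {
    $user = fetchUserById($pdo, $raw);
    printf("%-8s => %s\n", var_export($raw, true),
        $user === null ? 'rejected or not found' : 'user ' . $user['name']);
}
```

Only '2' yields a row; '3abc' and '' fail integer validation before any query runs, and '99' is a valid id that simply has no match.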