In my opinion SQL injection is an major issue when it comes to web application development. Typically programmers deal with it by escaping strings, while this is probably the best way to get it handled i want to show you different yet effective approach to this problem – converting string to hex value.
Hex value consists of digits and letters from A to F, so this are “normal” chars which can be inserted safely into query, furthermore you can convert any string into hex value. It doesn’t matter what encoding you are going to use, or what kind of text you are converting (plain text, html, xml, etc).
Converting string to hex
Without any further ado here is a script for converting string into HEX. Actually i should credit someone for this code because i am not the one who wrote it in the first place but unfortunately i do not remember where i found it.
function strToHex($string) { $hex=''; for ($i=0; $i < strlen($string); $i++) { $hex .= dechex(ord($string[$i])); } return $hex; }
Converting string to hex
Now converting backwards – hex to string.
function hexToStr($hex) { $string=''; for ($i=0; $i < strlen($hex)-1; $i+=2) { $string .= chr(hexdec($hex[$i].$hex[$i+1])); } return $string; }
Well it all looks good and wonderful, but as always there are no roses without torns. First of all string converted to hex value is twice as long as original string. Second if you are going to use hex data in database then handling data may become a bit complicated.
i have checked it’s really great
…
Second if you are going to use hex data in database then handling data may become a bit complicated.
— Thanks for this. Very important.
Looping character by character is not the most optimal method for performing this function. Thankfully php already provides the unpack/pack functions which does this in a single step:
http://pgregg.com/projects/php/code/hexstr.php
Actually, this is not 100% working. It omits the “0″ before the numbers < 0×10. You will get lots of 0xA, 0xB etc instead of 0x0A or 0x0B. I have put myself a condition and now it really works great.
Thanks for sharing Sergiu, i knew there was something wrong but i couldn’t figure it out
Thanks for the script. I found a little problem with your post, you put “Converting string to hex” on the section of hex to string.
Looks awesome.
Did you update the script above with Sergui’s suggestion?
I fixed the strToHex so that it will add “0″ when required. Also it will do un UpperCase.
Regards,
and Tks for your help.
function strToHex($string)
{
//return bin2hex($string);
$hex=”;
for ($i=0; $i < strlen($string); $i++)
{
if (ord($string[$i])<16)
$hex .= "0";
$hex .= dechex(ord($string[$i]));
}
return strtoupper($hex);
}
hi,
how can i get the string value for this hex value: 0x0C?
the expected output is: \f
this returns empty:
chr(hexdec(’0x0C’));
any idea how to get more than one char value from hex?
62E 635 645 20 35 30 30 2E 30 30 30 20 4B 57 44 20 645 646 20 62D 633 627 628 20 32 35 38 38 627 644 645 62A 628 642 64A 20 31 2C 34 32 31 2E 36 31 32 20 4B 57 44 20 627 644 645 62A 648 641 631 20 31 2C 34 32 31 2E 36 31 32 20 4B 57 44
this function does nt work with this..!!
Yo! Thanks for hexToStr() func!
Suppose alternative might be usefull for smb:
$s = preg_replace(‘#(\w)(\w)#e’, “chr(hexdec(‘$1$2′))”, $hex);
strToHex doesn’t work as expected. Try this instead:
function strToHex($string)
{
$hex=”;
for ($i=0; $i < strlen($string); $i++)
{
$hex .= sprintf("%02x",ord($string[$i]));
}
return $hex;
}