This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
As the title says. If a user tries u upload a file with ' in title it throws error(it won't connect to server). Should I replace that sign during upload or something else. It just simple connecting to database
$b = "select * from doc";
$rez1 = mysql_query($b) or die("<span>error</span>");
I'd recommend using escaping methods instead of manipulating the input.
This ist the safest way to prevent SQL Injections. (And never tell the user, the technical details why something doesn't work, except you want some of them to exploit these exceptions)
Also, don't ever use the old and deprecated mysql* functions; learn PDO or mysqli instead.
If you were using mysql, then switch to mysqli and use this: mysqli_real_escape_string()
Otherwise, you could use a regex that repaces ' with \' -
preg_quote()
$string = "Something with 'quotes' ";
$res = preg_quote($string, "'");
echo $res;
will return:
Something with \'quotes\'
Which will cause no problem during the insertion.
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
So I've got this problem where I can't seem to insert texts into my database which contain the following character: ' (as in for example: It's). I've had this problem before and I just stripped the symbol, but now I really need a solution and nowhere on the entire web or stack overflow I can't seem to find a decent and clear answer.
This is how my data is displayed:
HTML
<textarea name="text_from_form">
This is the kind of stuff I need and It's awesome (user input example)
</textarea>
PHP
<?php
$my_text = $_POST["text_from_form"};
$my_text_new = htmlentities($my_text);
$sql = "INSERT INTO tableName (text)
VALUES ('$my_text_new')";
?>
THE ERROR
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's awesome ')' at line 2
Thank you in advance for the help!
The htmlentities() function doesn't escape single quotes ' in default flag (ENT_COMPACT), use htmlentities($text, ENT_QUOTES) or function mysql_real_escape_string() or mysqli_real_escape_string() depending on which library you use.
This question already has answers here:
Can I protect against SQL injection by escaping single-quote and surrounding user input with single-quotes?
(19 answers)
Closed 6 years ago.
Context: I'm trying to convince a friend to switch to using parameterized queries to prevent SQL injections and other malicious attempts as that is the standards these days but he has a mentality of "If it's not broken, don't fix it."
Here's the code he currently uses:
function sql_safe($text) {
return str_replace("'", "''", $text);
}
Is there a way for me to break this function to illustrate to him that this approach is not advisable any more?
Additional Info
It's being used as a general means to protect the system from SQL injections so that user inputs are escaped properly. But I feel like his approach could break at certain scenarios which I haven't figured out yet.
Here's your code:
<?php
function sql_safe($text) {
return str_replace("'", "''", $text);
}
echo "SELECT * FROM db WHERE field = '" . sql_safe($argv[1]) . "';\n";
And here's the most obvious way of breaking it:
$ php ./x.php "\' OR TRUE; -- MySQL"
SELECT * FROM db WHERE field = '\'' OR TRUE; -- MySQL';
Stack Overflow has covered the topic of SQL injection extensively over the years. See for example Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes? . There's a neat trick in there that exploits "maximum length of string" to truncate just one of the replacement ''s.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I want to do an INSERT into a MySQL database using:
$sql = "INSERT INTO table (title1) VALUES ('$myVar')";
but the problem is $myVar can contain the single quotes (' symbols, e.g. in "idiot's"). Can somebody tell me how to handle any single quotes in the variable as a letter and not as a piece of code?
(I know there are posts about this in the forum already, but I do not really understand their solutions, so sorry for double posting)
You might be temped to replace each single quote with two of them.
like so
$myvar = "idiot\'s";
But resist the urge and escape it instead:
<?php $var = "Hello !! idiot's";
mysql_real_escape_string($var);?>
Or even better, use PDO
Use mysqli_real_escape_string like this:
$myVar= mysqli_real_escape_string($link,$myVar);
and then your query.
It is advisable to use PDO too!
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
Can't use PDO.
I have read many questions here, this is my first time trying to do something for people outside my office, so I need to sanitize data input, researching about it found this function.
function clean_data($input){
$input = trim(htmlentities(strip_tags($input,",")));
if (get_magic_quotes_gpc())
$input = stripslashes($input);
$input = mysql_real_escape_string($input);
return $input;
}
example:
$vartodb = clean_data($_POST['yourformfieldhere']);
Its ok this function to sanitize data?
Not really.
If you are going to put the variable in a database, you would be better off using a prepared statement with bound variables. If you cannot use PDO, you can do that as well with mysqli. If you are really stuck with the mysql_* functions, you would only need mysql_real_escape_string.
If you output to the browser, you only need htmlspecialchars.
In short, there is no universal sanitizing function, you need to prepare / escape / encode your data for the medium you are outputting to.
This is a vast topic - this function is ok but there are much better ways to do it.
Check mysqli_real_escape_string: http://php.net/manual/en/mysqli.real-escape-string.php
Don't forget prepared statements: http://php.net/manual/en/pdo.prepared-statements.php
Also, what if your input is of type integer? You should be typecasting.
Also, what if someone adds extra fields to your web form?
While this function does do some sanitisation it is only the tip of the iceberg, like I said it is a vast topic.
In my opinion this is sloppy code that offers little protection.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to prevent SQL Injection in PHP
php get var clear is it good or not plz help me
function Clear($text)
$Var = str_replace("'", "", $text);
$Var = str_replace('"', '', $Var);
$Var = strip_tags($Var);
$Var = htmlentities($Var);
return $Var;
}
$_GET['Var'] = "1='1'";
$Var = Clear($_GET['Var']);
$Query = "SELECT * FROM TABLE_NAME WHERE COL ='{$Var}'";
echo 'Result : '.($Query);
it is for SQL injection, this is sample code i wrote iam using pdo. if i using mysql_real_escape_string it dose not working.
NO. NO. NO
That is not "safe" from attacks.
At a bare minimum use mysql_real_escape_string (which is designed for this). The first version, mysql_escape_string, was actually flawed which is why the "real" version exists.
However, I recommend placeholders as a more universal (and tidier) solution.
See How can I prevent SQL injection in PHP? (which I am voting to close as a dupe, as well). The answers cover PDO and prepared statements, among other things.
Use prepared statements: http://php.net/manual/ru/pdo.prepared-statements.php