PHP security system [duplicate] - php

This question already has answers here:
The ultimate clean/secure function
(5 answers)
Closed 7 years ago.
I need make security system in php application.
I have problem with that, because this project is very big and haven't any security. In all queries somebody use $_POST variables without e.g mysql_real_escape_string.
Changing each query to PDO or MySQLi will take a lot of time.
I know that this is the best way, but Can I protect code generally - in core of application.
e.g. :
foreach ($_POST as $name => $data)
{
$_POST[$name] = mysql_real_escape_string($data);
}
foreach ($_GET as $name => $data)
{
$_GET[$name] = mysql_real_escape_string($data);
}
I read that this idea is stupid in this
topic

It's a good thing you know mysql is deprecated, but since you still want to use it, I can help you with the way I did mine.
I usually create a function for stripping, trimming and escaping inputs and outputs.
So:
function sanitizer ($input)
{
return mysql_real_escape_string (htmlspecialchars(trim($input)));
}
Then before any input or output I used to pass the fields through the function.
$name = sanitizer($_POST['name']);
And that's all. I hope it helped.

Related

Sanitize data PHP function [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
Can't use PDO.
I have read many questions here, this is my first time trying to do something for people outside my office, so I need to sanitize data input, researching about it found this function.
function clean_data($input){
$input = trim(htmlentities(strip_tags($input,",")));
if (get_magic_quotes_gpc())
$input = stripslashes($input);
$input = mysql_real_escape_string($input);
return $input;
}
example:
$vartodb = clean_data($_POST['yourformfieldhere']);
Its ok this function to sanitize data?
Not really.
If you are going to put the variable in a database, you would be better off using a prepared statement with bound variables. If you cannot use PDO, you can do that as well with mysqli. If you are really stuck with the mysql_* functions, you would only need mysql_real_escape_string.
If you output to the browser, you only need htmlspecialchars.
In short, there is no universal sanitizing function, you need to prepare / escape / encode your data for the medium you are outputting to.
This is a vast topic - this function is ok but there are much better ways to do it.
Check mysqli_real_escape_string: http://php.net/manual/en/mysqli.real-escape-string.php
Don't forget prepared statements: http://php.net/manual/en/pdo.prepared-statements.php
Also, what if your input is of type integer? You should be typecasting.
Also, what if someone adds extra fields to your web form?
While this function does do some sanitisation it is only the tip of the iceberg, like I said it is a vast topic.
In my opinion this is sloppy code that offers little protection.

How can I secure my PHP queries against SQL injection without using PDO or prepared statements? [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
i want to secure my sql queries without pdo or prepare statement
can this function do ?
function sql_escape($string)
{
$string = iconv(mb_detect_encoding($string),'UTF-8//IGNORE',$string);
$string = addslashes($string);
$string = preg_replace('/[\x00-\x1F\x80-\xFF\0xB4\0x60\0x96\0x97\0x95\0x94\0x93\0x92\0x91\0x84\0x82\0x3B\0x8A]/', '', $string);
$string = addslashes($string);
return $string;
}
No, use the supplied escape function. For mysqli this is mysqli_real_escape_string.
Don't reinvent the wheel, especially if it's a very complex wheel and you're not really sure it works in all conditions.
Like many PHP folks you are confusing escaping with protection from injection. So, someday your site will be hacked and you'll come here ready to learn something useful at last.

PHP MySQL Injection Protection [duplicate]

This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to prevent SQL injection in PHP?
I have the following function I call when using variables passed from another page. My question is, can I add urlencode information to this and have a single function I use, or is it best to have separate functions for variables I pass information through the address bar vs. a hidden form field?
I am not using PDO, and I typecast when possible.
function checkInput($value) {
// Stripslashes
if (get_magic_quotes_gpc())
// Stripslashes
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Quote if not a number
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}
Thank you for your assistance!
Mysqli also supports prepared statements. If mysqli isn't available, there's always systems like PEAR DB that offers prepared statements as well.

Sanitizing GET/POST using a loop? [duplicate]

This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
The ultimate clean/secure function
When it comes to sanitizing POST/GET data could we just program a loop to go through all set variables in a universal php include file and never had to worry about it in code?
I have always done a function called sanitize to do this but this seems to make sense.
You may be better off creating a function in your application that would do it when needed. Then you'll still have the original posted values in case you need them and you can modify the function as needed based on what youre cleansing by passing it options. For example:
function getPostField($field)
{
// all your sanitation and isset/empty checks
$val = sanitize($_REQUEST[$field]);
// ...
return $val;
}
Yes, of course. Some frameworks do this automatically and store the sanitized REQUEST variables in a different array or object, so the original data is still available should it ever be required.

Prevent SQL injection in PHP [duplicate]

This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
How to escape strings in MSSQL using PHP?
I am making a system and I need to prevent SQL injection. I'm using PHP and SQL Server 2008 R2. Basically what I'm wondering is if I can just use:
mysql_real_escape_string
or is there a specific one for SQL Server. Any feedback appreciated.
I would suggest start using PDO. this way you could use parametrized query which will take care of almost everything for you including SQL injection plus it supports a very large RDBMS including MSSQL.
Here are some of the topic to get you started.
http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
http://www.php.net/manual/en/book.pdo.php
I have a calss I built for my project, maybe it can help you out
<?php
class clean
{
public static function stripJS($input)
{
return preg_replace('/<script\b[^>]*>(.*?)<\/script>/is', "", $input);
}
public static function email($input)
{
return clean::stripJS(filter_var($input, FILTER_SANITIZE_EMAIL));
}
public static function noTags($input)
{
return strip_tags(clean::stripJs($input));
}
public static function dbIN($input)
{
return mysql_real_escape_string(self::stripJS($input));
}
public static function dbOUT($input)
{
return stripslashes($input);
}
}
$input = clean::dbIN($input);
?>
You can't use the mysql specific escape function.
Use something that deals in bound parameters.

Categories