This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
Can't use PDO.
I have read many questions here, this is my first time trying to do something for people outside my office, so I need to sanitize data input, researching about it found this function.
function clean_data($input){
$input = trim(htmlentities(strip_tags($input,",")));
if (get_magic_quotes_gpc())
$input = stripslashes($input);
$input = mysql_real_escape_string($input);
return $input;
}
example:
$vartodb = clean_data($_POST['yourformfieldhere']);
Its ok this function to sanitize data?
Not really.
If you are going to put the variable in a database, you would be better off using a prepared statement with bound variables. If you cannot use PDO, you can do that as well with mysqli. If you are really stuck with the mysql_* functions, you would only need mysql_real_escape_string.
If you output to the browser, you only need htmlspecialchars.
In short, there is no universal sanitizing function, you need to prepare / escape / encode your data for the medium you are outputting to.
This is a vast topic - this function is ok but there are much better ways to do it.
Check mysqli_real_escape_string: http://php.net/manual/en/mysqli.real-escape-string.php
Don't forget prepared statements: http://php.net/manual/en/pdo.prepared-statements.php
Also, what if your input is of type integer? You should be typecasting.
Also, what if someone adds extra fields to your web form?
While this function does do some sanitisation it is only the tip of the iceberg, like I said it is a vast topic.
In my opinion this is sloppy code that offers little protection.
Related
This question already has answers here:
The ultimate clean/secure function
(5 answers)
Closed 7 years ago.
I need make security system in php application.
I have problem with that, because this project is very big and haven't any security. In all queries somebody use $_POST variables without e.g mysql_real_escape_string.
Changing each query to PDO or MySQLi will take a lot of time.
I know that this is the best way, but Can I protect code generally - in core of application.
e.g. :
foreach ($_POST as $name => $data)
{
$_POST[$name] = mysql_real_escape_string($data);
}
foreach ($_GET as $name => $data)
{
$_GET[$name] = mysql_real_escape_string($data);
}
I read that this idea is stupid in this
topic
It's a good thing you know mysql is deprecated, but since you still want to use it, I can help you with the way I did mine.
I usually create a function for stripping, trimming and escaping inputs and outputs.
So:
function sanitizer ($input)
{
return mysql_real_escape_string (htmlspecialchars(trim($input)));
}
Then before any input or output I used to pass the fields through the function.
$name = sanitizer($_POST['name']);
And that's all. I hope it helped.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
i want to secure my sql queries without pdo or prepare statement
can this function do ?
function sql_escape($string)
{
$string = iconv(mb_detect_encoding($string),'UTF-8//IGNORE',$string);
$string = addslashes($string);
$string = preg_replace('/[\x00-\x1F\x80-\xFF\0xB4\0x60\0x96\0x97\0x95\0x94\0x93\0x92\0x91\0x84\0x82\0x3B\0x8A]/', '', $string);
$string = addslashes($string);
return $string;
}
No, use the supplied escape function. For mysqli this is mysqli_real_escape_string.
Don't reinvent the wheel, especially if it's a very complex wheel and you're not really sure it works in all conditions.
Like many PHP folks you are confusing escaping with protection from injection. So, someday your site will be hacked and you'll come here ready to learn something useful at last.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to prevent SQL injection in PHP?
I have the following function I call when using variables passed from another page. My question is, can I add urlencode information to this and have a single function I use, or is it best to have separate functions for variables I pass information through the address bar vs. a hidden form field?
I am not using PDO, and I typecast when possible.
function checkInput($value) {
// Stripslashes
if (get_magic_quotes_gpc())
// Stripslashes
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Quote if not a number
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}
Thank you for your assistance!
Mysqli also supports prepared statements. If mysqli isn't available, there's always systems like PEAR DB that offers prepared statements as well.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to prevent SQL Injection in PHP
php get var clear is it good or not plz help me
function Clear($text)
$Var = str_replace("'", "", $text);
$Var = str_replace('"', '', $Var);
$Var = strip_tags($Var);
$Var = htmlentities($Var);
return $Var;
}
$_GET['Var'] = "1='1'";
$Var = Clear($_GET['Var']);
$Query = "SELECT * FROM TABLE_NAME WHERE COL ='{$Var}'";
echo 'Result : '.($Query);
it is for SQL injection, this is sample code i wrote iam using pdo. if i using mysql_real_escape_string it dose not working.
NO. NO. NO
That is not "safe" from attacks.
At a bare minimum use mysql_real_escape_string (which is designed for this). The first version, mysql_escape_string, was actually flawed which is why the "real" version exists.
However, I recommend placeholders as a more universal (and tidier) solution.
See How can I prevent SQL injection in PHP? (which I am voting to close as a dupe, as well). The answers cover PDO and prepared statements, among other things.
Use prepared statements: http://php.net/manual/ru/pdo.prepared-statements.php
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
The ultimate clean/secure function
When it comes to sanitizing POST/GET data could we just program a loop to go through all set variables in a universal php include file and never had to worry about it in code?
I have always done a function called sanitize to do this but this seems to make sense.
You may be better off creating a function in your application that would do it when needed. Then you'll still have the original posted values in case you need them and you can modify the function as needed based on what youre cleansing by passing it options. For example:
function getPostField($field)
{
// all your sanitation and isset/empty checks
$val = sanitize($_REQUEST[$field]);
// ...
return $val;
}
Yes, of course. Some frameworks do this automatically and store the sanitized REQUEST variables in a different array or object, so the original data is still available should it ever be required.