This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I'm trying to make my queries safe to SQL injection and luckily, the variables that could be targeted are only integers or floats, so I was wondering if, in this case, it is enough to use sprintf() (not even using mysqli_real_escape_string()). I made a few tests, and to the moment it looks good, since it parses any input as a float/integer, so no SQL statement should be executed. Is there any way to hack this? It looks too easy and wonderful to me :D
Why don't you use prepared statements? They give a better protection fron SQL injection plus may improve query performance if they are reused.
$int = 125 . 'asda';
$float = 654.12;
function validateNumber($number) {
if (strpos($number, '.')) {
$number = floatval($number);
} else {
$number = intval($number);
}
return $number;
}
echo validateNumber($int); // 125
echo '<br />';
echo validateNumber($float); // 654.12
Checking if number is int or float and returning their values.
it is enough to use sprintf()
yes.
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
Can't use PDO.
I have read many questions here, this is my first time trying to do something for people outside my office, so I need to sanitize data input, researching about it found this function.
function clean_data($input){
$input = trim(htmlentities(strip_tags($input,",")));
if (get_magic_quotes_gpc())
$input = stripslashes($input);
$input = mysql_real_escape_string($input);
return $input;
}
example:
$vartodb = clean_data($_POST['yourformfieldhere']);
Its ok this function to sanitize data?
Not really.
If you are going to put the variable in a database, you would be better off using a prepared statement with bound variables. If you cannot use PDO, you can do that as well with mysqli. If you are really stuck with the mysql_* functions, you would only need mysql_real_escape_string.
If you output to the browser, you only need htmlspecialchars.
In short, there is no universal sanitizing function, you need to prepare / escape / encode your data for the medium you are outputting to.
This is a vast topic - this function is ok but there are much better ways to do it.
Check mysqli_real_escape_string: http://php.net/manual/en/mysqli.real-escape-string.php
Don't forget prepared statements: http://php.net/manual/en/pdo.prepared-statements.php
Also, what if your input is of type integer? You should be typecasting.
Also, what if someone adds extra fields to your web form?
While this function does do some sanitisation it is only the tip of the iceberg, like I said it is a vast topic.
In my opinion this is sloppy code that offers little protection.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
i want to secure my sql queries without pdo or prepare statement
can this function do ?
function sql_escape($string)
{
$string = iconv(mb_detect_encoding($string),'UTF-8//IGNORE',$string);
$string = addslashes($string);
$string = preg_replace('/[\x00-\x1F\x80-\xFF\0xB4\0x60\0x96\0x97\0x95\0x94\0x93\0x92\0x91\0x84\0x82\0x3B\0x8A]/', '', $string);
$string = addslashes($string);
return $string;
}
No, use the supplied escape function. For mysqli this is mysqli_real_escape_string.
Don't reinvent the wheel, especially if it's a very complex wheel and you're not really sure it works in all conditions.
Like many PHP folks you are confusing escaping with protection from injection. So, someday your site will be hacked and you'll come here ready to learn something useful at last.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to prevent SQL injection in PHP?
I have the following function I call when using variables passed from another page. My question is, can I add urlencode information to this and have a single function I use, or is it best to have separate functions for variables I pass information through the address bar vs. a hidden form field?
I am not using PDO, and I typecast when possible.
function checkInput($value) {
// Stripslashes
if (get_magic_quotes_gpc())
// Stripslashes
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Quote if not a number
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}
Thank you for your assistance!
Mysqli also supports prepared statements. If mysqli isn't available, there's always systems like PEAR DB that offers prepared statements as well.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to prevent SQL Injection in PHP
php get var clear is it good or not plz help me
function Clear($text)
$Var = str_replace("'", "", $text);
$Var = str_replace('"', '', $Var);
$Var = strip_tags($Var);
$Var = htmlentities($Var);
return $Var;
}
$_GET['Var'] = "1='1'";
$Var = Clear($_GET['Var']);
$Query = "SELECT * FROM TABLE_NAME WHERE COL ='{$Var}'";
echo 'Result : '.($Query);
it is for SQL injection, this is sample code i wrote iam using pdo. if i using mysql_real_escape_string it dose not working.
NO. NO. NO
That is not "safe" from attacks.
At a bare minimum use mysql_real_escape_string (which is designed for this). The first version, mysql_escape_string, was actually flawed which is why the "real" version exists.
However, I recommend placeholders as a more universal (and tidier) solution.
See How can I prevent SQL injection in PHP? (which I am voting to close as a dupe, as well). The answers cover PDO and prepared statements, among other things.
Use prepared statements: http://php.net/manual/ru/pdo.prepared-statements.php
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to stop SQL Injection in PHP
The ultimate clean/secure function
My website was attacked via sql injection and now I need to improve it. I'm creating a function in PHP escape(), that returns the escaped version of a string. I'm not a hacker so please help me to improve my escape function. Here is the current version:
function escape($string){
$string = stripslashes($string);
$string = mysql_real_escape_string($string);
$string = strip_tags($string);
$string = str_replace('%','',$string);
$string = str_replace('_','',$string);
return $string;
}
My question is: is this hackable, if it is than how to fix it? Thanks!
this function has absolutely nothing to do with safety.
it's barely protects you from some kinds of XSS injections. that's all.