what is ... mysql_real_escape_string? dangerous? [duplicate] - php

Possible duplicate: Why shouldn't I use mysql_* functions in PHP?
Closed 10 years ago.
Hi, can I use code in PHP like this:
$s_username = addslashes(strip_tags($_POST['username']));
$s_password = addslashes(strip_tags($_POST['password']));
Before this I used this:
$email = mysql_real_escape_string(strip_tags($_POST['email']));
$username = mysql_real_escape_string(strip_tags($_POST['username']));
...because many have said that mysql_real_escape_string is dangerous to use?

It's deprecated, which means it's not being maintained, so if a security flaw is discovered, the PHP developers aren't going to fix it. It's not dangerous though; it just escapes all the bad characters that could be used for SQL injection.
Use mysqli_* functions or PDO instead. Those actually are being maintained and are way more secure.
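An added example (not from the question or the answer) of the same signup and login handling done with mysqli prepared statements instead of addslashes/strip_tags; the connection details and the users table with its email, username and password_hash columns are assumptions:

```php
<?php
// Added example: register and check a user with mysqli prepared statements.
// The table `users(email, username, password_hash)` and the connection
// credentials are assumptions, not taken from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
// Prepared statements and escaping both depend on the connection charset,
// so set it on the connection rather than inside the SQL text.
$db->set_charset('utf8mb4');

$email    = $_POST['email'] ?? '';
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// No strip_tags/addslashes: the values are sent separately from the SQL,
// so quotes or angle brackets in them never become part of the query.
$stmt = $db->prepare(
    'INSERT INTO users (email, username, password_hash) VALUES (?, ?, ?)'
);
// Store a password hash, never the password itself.
$hash = password_hash($password, PASSWORD_DEFAULT);
$stmt->bind_param('sss', $email, $username, $hash);
$stmt->execute();
$stmt->close();

// Later, on login: fetch the hash by username and verify it.
$stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($storedHash);
$loginOk = $stmt->fetch() && password_verify($password, $storedHash);
$stmt->close();
```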


PHP - is mysql_prep deprecated [duplicate]

Possible duplicate: Why shouldn't I use mysql_* functions in PHP?
Closed 5 years ago.
I'm working on a login form and am using some code from a tutorial.
Now I don't remember what the mysql_prep was for and whether it's deprecated, since it's not mysqli... I couldn't really make sense of what I googled.
Is it OK to use this, or should I use something else, or not use it at all?
It looks like this (variables used to update SQL table):
$username = mysql_prep($_POST["username"]);
$password = mysql_prep($_POST["password"]);
$hashed_password = password_hash($_POST["password"], PASSWORD_DEFAULT);
mysql_prep must be some user defined function. It does not exist in the php docs.
http://php.net/manual-lookup.php?pattern=mysql_prep&scope=quickref
Look inside this function in your own code and if it has any references to mysql_ functions then consider it deprecated. All mysql_ functions are deprecated as of PHP 5.5 and are removed in PHP 7.
Use mysqli_ functions or PDO instead.

Php file upload error if file has ' in title [duplicate]

Possible duplicate: How can I prevent SQL injection in PHP?
Closed 6 years ago.
As the title says. If a user tries to upload a file with ' in the title it throws an error (it won't connect to the server). Should I replace that sign during upload, or do something else? It is just a simple connection to the database:
$b = "select * from doc";
$rez1 = mysql_query($b) or die("<span>error</span>");
I'd recommend using escaping methods instead of manipulating the input.
This is the safest way to prevent SQL injections. (And never tell the user the technical details of why something doesn't work, unless you want some of them to exploit these exceptions.)
Also, don't ever use the old and deprecated mysql* functions; learn PDO or mysqli instead.
If you were using mysql, then switch to mysqli and use this: mysqli_real_escape_string()
Otherwise, you could use a regex that replaces ' with \' -
preg_quote()
$string = "Something with 'quotes' ";
$res = preg_quote($string, "'");
echo $res;
will return:
Something with \'quotes\'
Which will cause no problem during the insertion.

Sanitize data PHP function [duplicate]

Possible duplicate: How can I prevent SQL injection in PHP?
Closed 9 years ago.
Can't use PDO.
I have read many questions here, this is my first time trying to do something for people outside my office, so I need to sanitize data input, researching about it found this function.
function clean_data($input){
$input = trim(htmlentities(strip_tags($input,",")));
if (get_magic_quotes_gpc())
$input = stripslashes($input);
$input = mysql_real_escape_string($input);
return $input;
}
example:
$vartodb = clean_data($_POST['yourformfieldhere']);
Is this function OK for sanitizing data?
Not really.
If you are going to put the variable in a database, you would be better off using a prepared statement with bound variables. If you cannot use PDO, you can do that as well with mysqli. If you are really stuck with the mysql_* functions, you would only need mysql_real_escape_string.
If you output to the browser, you only need htmlspecialchars.
In short, there is no universal sanitizing function, you need to prepare / escape / encode your data for the medium you are outputting to.
This is a vast topic - this function is ok but there are much better ways to do it.
Check mysqli_real_escape_string: http://php.net/manual/en/mysqli.real-escape-string.php
Don't forget prepared statements: http://php.net/manual/en/pdo.prepared-statements.php
Also, what if your input is of type integer? You should be typecasting.
Also, what if someone adds extra fields to your web form?
While this function does do some sanitisation it is only the tip of the iceberg, like I said it is a vast topic.
In my opinion this is sloppy code that offers little protection.
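An added example (not code from either answer) of the point both answers make: there is no one "clean" function, each medium gets its own treatment, integers are typecast, and unexpected form fields are dropped. It uses PDO with an in-memory SQLite database so it runs without a server; the pdo_sqlite extension, the notes table and the request values are assumptions:

```php
<?php
// Added example: one user-supplied value, three media, three treatments.
// Assumes the pdo_sqlite extension; the schema and request are constructed.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed request. Only the fields the form defines are accepted, so an
// extra field appended to the form (here "role") is simply ignored.
$allowed = ['id', 'author', 'body'];
$request = ['id' => '7abc', 'author' => "O'Reilly <b>", 'body' => 'x', 'role' => 'admin'];
$input   = array_intersect_key($request, array_flip($allowed));

// 1. Database: no escaping at all. The strings travel as bound parameters and
//    the integer is typecast rather than "cleaned" with string functions.
$stmt = $db->prepare('INSERT INTO notes (id, author, body) VALUES (:id, :author, :body)');
$stmt->execute([
    ':id'     => (int) $input['id'],   // '7abc' -> 7
    ':author' => $input['author'],     // stored verbatim, quote and all
    ':body'   => $input['body'],
]);

// Reading it back with the raw value works too; nothing was mangled on the way in.
$stmt = $db->prepare('SELECT id, author FROM notes WHERE author = :author');
$stmt->execute([':author' => "O'Reilly <b>"]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);   // id 7, author "O'Reilly <b>"

// 2. HTML: encode at output time, for this medium only.
$html = htmlspecialchars($row['author'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<td>$html</td>\n";                 // <td>O&apos;Reilly &lt;b&gt;</td>

// 3. A URL query string needs yet another encoding of the same value.
echo 'https://example.invalid/?author=' . rawurlencode($row['author']) . "\n";
```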

How can I secure my PHP queries against SQL injection without using PDO or prepared statements? [duplicate]

Possible duplicate: How can I prevent SQL injection in PHP?
Closed 9 years ago.
I want to secure my SQL queries without PDO or prepared statements.
Can this function do that?
function sql_escape($string)
{
$string = iconv(mb_detect_encoding($string),'UTF-8//IGNORE',$string);
$string = addslashes($string);
$string = preg_replace('/[\x00-\x1F\x80-\xFF\0xB4\0x60\0x96\0x97\0x95\0x94\0x93\0x92\0x91\0x84\0x82\0x3B\0x8A]/', '', $string);
$string = addslashes($string);
return $string;
}
No, use the supplied escape function. For mysqli this is mysqli_real_escape_string.
Don't reinvent the wheel, especially if it's a very complex wheel and you're not really sure it works in all conditions.
Like many PHP folks you are confusing escaping with protection from injection. So, someday your site will be hacked and you'll come here ready to learn something useful at last.
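An added example (not the asker's function and not from the answers) of the driver-supplied escape function used the way the first answer recommends, with the connection charset set so the escaper knows what it is escaping; the connection details and the users table are assumptions:

```php
<?php
// Added example: mysqli_real_escape_string used correctly when prepared
// statements are not an option. Connection details are assumptions.
$db = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
// The escaper is charset-aware only if the charset is set on the connection
// (not with a "SET NAMES" query the client library never sees).
mysqli_set_charset($db, 'utf8mb4');

function find_user(mysqli $db, string $username, $id): ?array
{
    // Escaping only protects a value placed inside a quoted string literal.
    $u = mysqli_real_escape_string($db, $username);
    // A bare number is not a string literal, so escaping does nothing for it;
    // typecast it instead.
    $id = (int) $id;
    $sql = "SELECT id, username FROM users WHERE username = '$u' AND id = $id";
    $res = mysqli_query($db, $sql);
    return $res ? (mysqli_fetch_assoc($res) ?: null) : null;
}

var_dump(find_user($db, "O'Brien", '42abc'));   // id is sent as 42
```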

Does this "Clear" function prevent SQL injection? [duplicate]

Possible duplicate: Best way to prevent SQL Injection in PHP
Closed 10 years ago.
PHP GET var clear: is it good or not? Please help me.
function Clear($text) {
$Var = str_replace("'", "", $text);
$Var = str_replace('"', '', $Var);
$Var = strip_tags($Var);
$Var = htmlentities($Var);
return $Var;
}
$_GET['Var'] = "1='1'";
$Var = Clear($_GET['Var']);
$Query = "SELECT * FROM TABLE_NAME WHERE COL ='{$Var}'";
echo 'Result : '.($Query);
It is for SQL injection; this is sample code I wrote. I am using PDO. If I use mysql_real_escape_string it does not work.
NO. NO. NO
That is not "safe" from attacks.
At a bare minimum use mysql_real_escape_string (which is designed for this). The first version, mysql_escape_string, was actually flawed which is why the "real" version exists.
However, I recommend placeholders as a more universal (and tidier) solution.
See How can I prevent SQL injection in PHP? (which I am voting to close as a dupe, as well). The answers cover PDO and prepared statements, among other things.
Use prepared statements: http://php.net/manual/ru/pdo.prepared-statements.php