This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
In a login script I found online, the creator added this function to prevent SQL-injection attacks.
function Fix($str) {
    $str = trim($str);
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}
Since I read that magic_quotes_gpc is (or has been) removed, it feels like this function is a bit outdated. Wouldn't simply using mysqli_real_escape_string($user_input) add sufficient security?
mysql_real_escape_string is not sufficient in all situations, but it is definitely a very good friend. The better solution is using Prepared Statements:
//example from http://php.net/manual/en/pdo.prepared-statements.php
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $value);
// insert one row
$name = 'one';
$value = 1;
$stmt->execute();
Also, not to forget HTMLPurifier that can be used to discard any invalid/suspicious characters.
mysql_real_escape_string() versus Prepared Statements
"mysql_real_escape_string() is prone to the same kind of issues affecting addslashes()."
Answer From Chris Shiflett (Security Expert)
magic_quotes_gpc is deprecated in 5.3 and removed in 5.4. If your code is intended for distribution (i.e. you don't have control over the environment in which it will be used), it is better to account for the possibility that it will be run in 5.3 with magic quotes enabled. If this is an internal application and you have control over the environment, and you know magic quotes are disabled, there is no point in checking for them.
This question already has answers here:
Can I protect against SQL injection by escaping single-quote and surrounding user input with single-quotes?
(19 answers)
Closed 6 years ago.
Context: I'm trying to convince a friend to switch to using parameterized queries to prevent SQL injections and other malicious attempts, as that is the standard these days, but he has a mentality of "If it's not broken, don't fix it."
Here's the code he currently uses:
function sql_safe($text) {
    return str_replace("'", "''", $text);
}
Is there a way for me to break this function to illustrate to him that this approach is not advisable any more?
Additional Info
It's being used as a general means to protect the system from SQL injections so that user inputs are escaped properly. But I feel like his approach could break at certain scenarios which I haven't figured out yet.
Here's your code:
<?php
function sql_safe($text) {
    return str_replace("'", "''", $text);
}
echo "SELECT * FROM db WHERE field = '" . sql_safe($argv[1]) . "';\n";
And here's the most obvious way of breaking it:
$ php ./x.php "\' OR TRUE; -- MySQL"
SELECT * FROM db WHERE field = '\'' OR TRUE; -- MySQL';
Stack Overflow has covered the topic of SQL injection extensively over the years. See for example Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes?. There's a neat trick in there that exploits "maximum length of string" to truncate just one of the replacement ''s.
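Both threads above end at the same recommendation: bind the value instead of escaping it. The following is an added example (not code from any of the posts) of a login-style lookup done that way. It runs offline against an in-memory SQLite database and uses a constructed `users` table; swapping the DSN for a MySQL one leaves the query code unchanged. The magic-quotes handling from the first question is kept, but guarded so it is only called on PHP versions that still have it.

```php
<?php
// Added example: prepared-statement lookup replacing the Fix()/sql_safe()
// escaping helpers. SQLite in-memory DB and table layout are constructed here.

// Undo magic quotes only on runtimes that still have them (PHP < 5.4);
// the version check short-circuits so the removed function is never
// called on PHP 8, where it no longer exists.
function normalize_input(string $str): string {
    $str = trim($str);
    if (PHP_VERSION_ID < 50400 && get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return $str;
}

function find_user(PDO $dbh, string $username): ?array {
    // The bound value travels separately from the SQL text, so quotes and
    // backslashes inside $username are never parsed as SQL syntax.
    $stmt = $dbh->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->bindValue(':u', normalize_input($username), PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample data.
$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$dbh->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// The input that broke sql_safe() in the answer above, now bound as data:
// it is compared literally against the username column and matches nothing.
$payload = "\\' OR TRUE; -- MySQL";
printf("payload matched a row: %s\n", find_user($dbh, $payload) === null ? 'no' : 'yes');
printf("'alice' matched:       %s\n", find_user($dbh, 'alice')['username']);
```

`PDO::ERRMODE_EXCEPTION` is set deliberately: with the default silent mode a failed `prepare()` returns `false` and the next call fails in a less obvious place, which is exactly the kind of error path that gets ignored in login code.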
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I want to secure my SQL queries without PDO or prepared statements. Can this function do that?
function sql_escape($string)
{
    // mb_detect_encoding() returns false when it cannot decide; fall back to
    // UTF-8 so iconv() is not handed a bogus source charset.
    $encoding = mb_detect_encoding($string, mb_detect_order(), true) ?: 'UTF-8';
    $string = iconv($encoding, 'UTF-8//IGNORE', $string);
    $string = addslashes($string);
    // The original wrote these bytes as \0xB4, \0x60, ... which PCRE reads as
    // a NUL followed by the literal characters "x", "B", "4"; written as \xB4
    // etc. below. Note that \x80-\xFF already removes every non-ASCII byte of
    // the UTF-8 string, so most of the listed bytes are redundant.
    $string = preg_replace('/[\x00-\x1F\x80-\xFF\xB4\x60\x96\x97\x95\x94\x93\x92\x91\x84\x82\x3B\x8A]/', '', $string);
    $string = addslashes($string);
    return $string;
}
No, use the supplied escape function. For mysqli this is mysqli_real_escape_string.
Don't reinvent the wheel, especially if it's a very complex wheel and you're not really sure it works in all conditions.
Like many PHP folks you are confusing escaping with protection from injection. So, someday your site will be hacked and you'll come here ready to learn something useful at last.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Why shouldn’t I use mysql_* functions in PHP?
Hey, can I use code in PHP like this:
$s_username = addslashes(strip_tags($_POST['username']));
$s_password = addslashes(strip_tags($_POST['password']));
Before this I used this:
$email = mysql_real_escape_string(strip_tags($_POST['email']));
$username = mysql_real_escape_string(strip_tags($_POST['username']));
...because many said that mysql_real_escape_string is dangerous to use?
It's deprecated, which means it's not being maintained, so if a security flaw is discovered, PHP developers aren't going to fix it. It's not dangerous though, it just escapes all bad characters that could be used for sql injection.
Use mysqli_* functions or PDO instead. Those actually are being maintained and are way more secure.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to prevent SQL injection in PHP?
I have the following function I call when using variables passed from another page. My question is, can I add urlencode information to this and have a single function I use, or is it best to have separate functions for variables I pass information through the address bar vs. a hidden form field?
I am not using PDO, and I typecast when possible.
function checkInput($value) {
    // Stripslashes
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // Quote if not a number
    if (!is_numeric($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}
Thank you for your assistance!
Mysqli also supports prepared statements. If mysqli isn't available, there are always systems like PEAR DB that offer prepared statements as well.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to prevent SQL Injection in PHP
PHP GET var clear: is it good or not? Please help me.
function Clear($text) {
    $Var = str_replace("'", "", $text);
    $Var = str_replace('"', '', $Var);
    $Var = strip_tags($Var);
    $Var = htmlentities($Var);
    return $Var;
}
$_GET['Var'] = "1='1'";
$Var = Clear($_GET['Var']);
$Query = "SELECT * FROM TABLE_NAME WHERE COL ='{$Var}'";
echo 'Result : '.($Query);
It is for SQL injection; this is sample code I wrote. I am using PDO. If I use mysql_real_escape_string it does not work.
NO. NO. NO
That is not "safe" from attacks.
At a bare minimum use mysql_real_escape_string (which is designed for this). The first version, mysql_escape_string, was actually flawed which is why the "real" version exists.
However, I recommend placeholders as a more universal (and tidier) solution.
See How can I prevent SQL injection in PHP? (which I am voting to close as a dupe, as well). The answers cover PDO and prepared statements, among other things.
Use prepared statements: http://php.net/manual/ru/pdo.prepared-statements.php
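The answers to the Clear() question and to the earlier sql_escape() question both say the same thing: stripping or rewriting characters is not what makes a query safe, and it costs you data. The following added example (not from any of the posts) makes the second half concrete: it runs the asker's Clear() over an ordinary value and compares it with what a bound parameter stores and reads back. It uses an in-memory SQLite database and a constructed table `t` so it runs offline; the PDO calls are the same against MySQL.

```php
<?php
// Added example: Clear() alters legitimate input, a bound parameter does not.
// The SQLite in-memory DB and table "t" are constructed for this example.

// The Clear() function from the question, with its missing brace added.
function Clear($text) {
    $Var = str_replace("'", "", $text);
    $Var = str_replace('"', '', $Var);
    $Var = strip_tags($Var);
    $Var = htmlentities($Var);
    return $Var;
}

// Store a value through a placeholder, then read it back by the same value.
function store_and_fetch(PDO $dbh, string $value): string {
    $ins = $dbh->prepare('INSERT INTO t (col) VALUES (:v)');
    $ins->bindValue(':v', $value, PDO::PARAM_STR);
    $ins->execute();

    // Nothing was stripped, so the exact original value is a valid lookup key.
    $sel = $dbh->prepare('SELECT col FROM t WHERE col = :v');
    $sel->bindValue(':v', $value, PDO::PARAM_STR);
    $sel->execute();
    return (string) $sel->fetchColumn();
}

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE t (col TEXT NOT NULL)');

// Constructed sample inputs: a normal name with a quote, an ampersand and
// something tag-shaped, plus the "1='1'" value from the question.
foreach (["O'Brien & Sons <b>", "1='1'"] as $input) {
    $stored = store_and_fetch($dbh, $input);
    printf("input:                %s\n", $input);
    printf("Clear() would store:  %s\n", Clear($input));
    printf("bound param stores:   %s (unchanged: %s)\n",
        $stored, $stored === $input ? 'yes' : 'no');
}
```

The point to take from the output is that Clear() changes the stored value (the quote is gone, the tag is gone, `&` has become an HTML entity) even though none of that was needed for safety, while the bound value round-trips byte for byte and still cannot be parsed as SQL.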