This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to stop SQL Injection in PHP
The ultimate clean/secure function
My website was attacked via SQL injection and now I need to improve it. I'm creating a function in PHP, escape(), that returns the escaped version of a string. I'm not a hacker, so please help me improve my escape function. Here is the current version:
function escape($string){
$string = stripslashes($string);
$string = mysql_real_escape_string($string);
$string = strip_tags($string);
$string = str_replace('%','',$string);
$string = str_replace('_','',$string);
return $string;
}
My question is: is this hackable, and if it is, then how do I fix it? Thanks!
This function has absolutely nothing to do with safety.
It barely protects you from some kinds of XSS injections. That's all.
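The point the answer makes can be shown with a few lines. The following is an added example, not code from either post: it runs the question's escape() against an in-memory SQLite database through PDO (so it needs no MySQL server), with mysql_real_escape_string() (removed in PHP 7) replaced by addslashes(), which applies the same backslash rules; that substitution, the users table and the inputs are assumptions made for the demonstration.

```php
<?php
// Added example, not from the original question or answer. Uses PDO with an
// in-memory SQLite database so it runs offline; table rows are constructed here.
// Assumption: addslashes() stands in for mysql_real_escape_string(), which needs a
// MySQL connection and no longer exists in PHP 7+.

function escape(string $string): string {          // the question's function
    $string = stripslashes($string);
    $string = addslashes($string);                 // stand-in for mysql_real_escape_string
    $string = strip_tags($string);
    $string = str_replace('%', '', $string);
    $string = str_replace('_', '', $string);
    return $string;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice@example.com'), (2, 'bob_smith@example.com')");

// 1. Escaping only has meaning inside a quoted literal. In an unquoted numeric
//    context the constructed input passes escape() unchanged and rewrites the WHERE.
$input = '1 OR 1=1';                               // constructed hostile input
$sql   = 'SELECT id FROM users WHERE id = ' . escape($input);
$rows  = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
printf("concatenated: %s -> %d rows (1 expected)\n", $sql, count($rows));

// 2. A prepared statement keeps the value out of the SQL text, so the same input
//    is compared as data and matches nothing.
$stmt = $pdo->prepare('SELECT id FROM users WHERE id = :id');
$stmt->bindValue(':id', $input, PDO::PARAM_STR);
$stmt->execute();
printf("prepared:     %d rows\n", count($stmt->fetchAll(PDO::FETCH_COLUMN)));

// 3. Side effect: escape() also corrupts legitimate data. '_' and '%' are only
//    special inside a LIKE pattern, never in an equality comparison.
$stmt = $pdo->prepare('SELECT id FROM users WHERE email = :email');
foreach (['bob_smith@example.com', escape('bob_smith@example.com')] as $email) {
    $stmt->execute([':email' => $email]);
    printf("lookup for %-24s -> %d rows\n", $email, count($stmt->fetchAll()));
}
```

Run it with `php example.php`. The concatenated query returns both rows, the prepared one none, and the lookup for the "escaped" address finds nothing because the function silently deleted the underscore from a valid e-mail address.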
Possible Duplicate:
How can I prevent SQL injection in PHP?
I want to know how to protect my website from hackers. I am a PHP/MySQL developer.
For fetching data from the database I always use mysqli.
To prevent SQL injection on my website I always use the
$db->real_escape_string() function of PHP.
To prevent XSS (cross-site scripting) on my website I used this function:
function parsing($text)
{
global $db;
$text=$db->real_escape_string($text);
# $text = trim($text);
$text= strip_tags($text);
if(get_magic_quotes_gpc()) {
$text= stripslashes($text);
}
$text=str_replace('<','',$text);
$text=str_replace('>','',$text);
$text=htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
return($text);
}
$name=parsing($_POST['name']);
Any suggestion from your side is welcomed. Thanks in advance.
With all of those done I don't think a hacker can delete or access your database.
But there are also many other techniques a hacker can use to hack your website,
like
DDoS
XSS
session hijacking, etc.
There are also different ways of protecting your website against them.
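The parsing() function in the question does SQL escaping, tag stripping and HTML encoding in one pass, so what lands in the table is no longer what the user typed, and the HTML encoding is applied before the value is ever displayed. The following added example (not code from the question or the answer) keeps the two jobs apart: a bound parameter for the database, htmlspecialchars() at render time. It runs offline against an in-memory SQLite database via PDO; the people table, the sample input, and the use of addslashes() in place of $db->real_escape_string() (which would need a MySQL connection) are assumptions.

```php
<?php
// Added example, not from the original post. Separates the two jobs that the
// question's parsing() mixes: keeping a value out of the SQL text (bound parameter)
// and making it safe to print in HTML (encoding at the output boundary).
// Assumption: addslashes() replaces $db->real_escape_string() so no MySQL is needed.

function parsing(string $text): string {            // reduced form of the question's function
    $text = addslashes($text);
    $text = strip_tags($text);                      // eats "<Tom & Jerry>" as if it were a tag
    $text = str_replace(['<', '>'], '', $text);
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function saveName(PDO $pdo, string $name): void {
    $stmt = $pdo->prepare('INSERT INTO people (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);             // raw value, never part of the SQL string
}

function renderName(string $name): string {
    // Encoding belongs here, for the HTML context only, and only once.
    return '<td>' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT)');

$input = "O'Brien <Tom & Jerry>";                  // constructed, legitimate user input

// Path 1: value mangled up front, then concatenated into the INSERT.
$pdo->exec("INSERT INTO people (name) VALUES ('" . parsing($input) . "')");
// Path 2: raw value stored through a bound parameter.
saveName($pdo, $input);

foreach ($pdo->query('SELECT id, name FROM people ORDER BY id') as $row) {
    printf("stored #%d: %-30s rendered: %s\n",
        $row['id'], var_export($row['name'], true), renderName($row['name']));
}
```

Row 1 comes back as a backslash, an HTML entity and no "Tom & Jerry" at all, and renders double-encoded (`&amp;#039;`); row 2 stores exactly what was typed and renders as `O&#039;Brien &lt;Tom &amp; Jerry&gt;`. Stored data should stay raw; each output context gets its own encoding.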
Possible Duplicate:
Can I protect against SQL injection by escaping single-quote and surrounding user input with single-quotes?
Context: I'm trying to convince a friend to switch to using parameterized queries to prevent SQL injections and other malicious attempts, as that is the standard these days, but he has a mentality of "If it's not broken, don't fix it."
Here's the code he currently uses:
function sql_safe($text) {
return str_replace("'", "''", $text);
}
Is there a way for me to break this function to illustrate to him that this approach is not advisable any more?
Additional Info
It's being used as a general means to protect the system from SQL injections so that user inputs are escaped properly. But I feel like his approach could break at certain scenarios which I haven't figured out yet.
Here's your code:
<?php
function sql_safe($text) {
return str_replace("'", "''", $text);
}
echo "SELECT * FROM db WHERE field = '" . sql_safe($argv[1]) . "';\n";
And here's the most obvious way of breaking it:
$ php ./x.php "\' OR TRUE; -- MySQL"
SELECT * FROM db WHERE field = '\'' OR TRUE; -- MySQL';
Stack Overflow has covered the topic of SQL injection extensively over the years. See for example Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes?. There's a neat trick in there that exploits "maximum length of string" to truncate just one of the replacement ''s.
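The answer's one-liner shows the result; the reason is that MySQL's lexer treats a backslash as an escape inside a string literal, so doubling quotes alone cannot keep a value contained. The following added example (not code from the question or the answer) is a small scanner that applies those two lexer rules (backslash escapes the next character, a doubled quote is one quote) to check whether an escaped value stays inside its literal. It needs no MySQL server; the assumptions are MySQL's default sql_mode (no NO_BACKSLASH_ESCAPES) and that addslashes() is an adequate model of mysqli_real_escape_string() for the ASCII inputs used here.

```php
<?php
// Added example, not from the original question or answer. A checker that applies
// MySQL's default string-literal rules to find where a single-quoted literal ends.
// Assumption: sql_mode does not contain NO_BACKSLASH_ESCAPES (MySQL's default).

function sql_safe(string $text): string {            // the function from the question
    return str_replace("'", "''", $text);
}

function backslash_aware(string $text): string {     // model of mysqli_real_escape_string
    return addslashes($text);                        // assumption: ASCII input, no charset edge cases
}

// Returns the offset just past the closing quote of the literal opening at $start
// (which must point at a '), or null if the literal never closes.
function literalEnd(string $sql, int $start): ?int {
    $n = strlen($sql);
    $i = $start + 1;
    while ($i < $n) {
        $c = $sql[$i];
        if ($c === '\\') {                           // backslash escapes the next character
            $i += 2;
        } elseif ($c === "'") {
            if ($i + 1 < $n && $sql[$i + 1] === "'") {
                $i += 2;                             // '' is an escaped quote, still inside
            } else {
                return $i + 1;                       // a lone quote closes the literal
            }
        } else {
            $i++;
        }
    }
    return null;
}

// True when the literal closes exactly at the quote the template put after the value,
// i.e. no part of the value became SQL.
function valueStaysInLiteral(string $escaped): bool {
    $sql   = "SELECT * FROM db WHERE field = '" . $escaped . "'";
    $start = strpos($sql, "'");
    return literalEnd($sql, $start) === strlen($sql);
}

// Constructed test values; the third is the one from the answer above.
foreach (['plain', "O'Brien", "\\' OR TRUE; -- MySQL"] as $value) {
    printf("%-28s sql_safe: %-11s backslash-aware: %s\n",
        var_export($value, true),
        valueStaysInLiteral(sql_safe($value)) ? 'contained' : 'BREAKS OUT',
        valueStaysInLiteral(backslash_aware($value)) ? 'contained' : 'BREAKS OUT');
}
```

For the backslash input sql_safe() reports BREAKS OUT: the scanner consumes `\'` as one escaped character and the very next quote ends the literal early, which is exactly the SQL the answer prints. A checker like this is useful for reviewing an escaping routine, but the durable fix is still the one the question proposes, a parameterized query, where the value is never part of the lexed text at all.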
Possible Duplicate:
How can I prevent SQL injection in PHP?
I want to secure my SQL queries without PDO or prepared statements.
Can this function do it?
function sql_escape($string)
{
$string = iconv(mb_detect_encoding($string),'UTF-8//IGNORE',$string);
$string = addslashes($string);
$string = preg_replace('/[\x00-\x1F\x80-\xFF\0xB4\0x60\0x96\0x97\0x95\0x94\0x93\0x92\0x91\0x84\0x82\0x3B\0x8A]/', '', $string);
$string = addslashes($string);
return $string;
}
No, use the supplied escape function. For mysqli this is mysqli_real_escape_string.
Don't reinvent the wheel, especially if it's a very complex wheel and you're not really sure it works in all conditions.
Like many PHP folks you are confusing escaping with protection from injection. So, someday your site will be hacked and you'll come here ready to learn something useful at last.
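A concrete reason for "don't reinvent the wheel": the question's sql_escape() damages ordinary input before it even reaches the injection question. Its character class deletes every byte of every non-ASCII UTF-8 character, the `\0xB4`-style entries are not hex escapes (PCRE reads `\0` as NUL and then `x`, `B`, `4` as literal characters, so digits and the letters x, A and B are stripped too), and addslashes() runs twice. The following added example (not code from the question or the answers) puts three sample strings through that function and through a PDO bound parameter round trip. It runs offline with an in-memory SQLite database; the table, the samples and the presence of the iconv and mbstring extensions are assumptions.

```php
<?php
// Added example, not from the original post or answers. Compares the question's
// sql_escape() with a driver-level round trip. Assumptions: iconv and mbstring are
// loaded; the table and sample strings are constructed here.

function sql_escape(string $string): string {        // the function from the question, verbatim
    $string = iconv(mb_detect_encoding($string), 'UTF-8//IGNORE', $string);
    $string = addslashes($string);
    // [\x80-\xFF] removes all non-ASCII bytes; "\0xB4" etc. are NUL plus the literal
    // characters x, B, 4 ..., so the class also removes digits and the letters x, A, B.
    $string = preg_replace('/[\x00-\x1F\x80-\xFF\0xB4\0x60\0x96\0x97\0x95\0x94\0x93\0x92\0x91\0x84\0x82\0x3B\0x8A]/', '', $string);
    $string = addslashes($string);                   // second pass doubles every backslash again
    return $string;
}

// What the driver does for you: the value travels as data and comes back unchanged.
function roundTrip(PDO $pdo, string $value): string {
    $pdo->prepare('INSERT INTO t (v) VALUES (:v)')->execute([':v' => $value]);
    return $pdo->query('SELECT v FROM t ORDER BY id DESC LIMIT 1')->fetchColumn();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE t (id INTEGER PRIMARY KEY, v TEXT)');

foreach (["O'Brien", 'café', 'Box 42'] as $value) {  // constructed legitimate inputs
    printf("%-10s sql_escape: %-16s prepared round trip: %s\n",
        $value,
        var_export(sql_escape($value), true),
        var_export(roundTrip($pdo, $value), true));
}
```

The output shows "O'Brien" turning into `O\\\'rien` (the B is gone and the quote is escaped twice), "café" losing its accented letter entirely, and "Box 42" collapsing to `o `, while the round trip through the bound parameter returns every value intact. The supplied escape function, or better a prepared statement, is correct by construction; a hand-written one has to be right for every byte of every charset the connection can use.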
Possible Duplicate:
How can I prevent SQL injection in PHP?
I'm trying to make my queries safe from SQL injection and luckily, the variables that could be targeted are only integers or floats, so I was wondering if, in this case, it is enough to use sprintf() (not even using mysqli_real_escape_string()). I made a few tests, and so far it looks good, since it parses any input as a float/integer, so no SQL statement should be executed. Is there any way to hack this? It looks too easy and wonderful to me :D
Why don't you use prepared statements? They give better protection from SQL injection, plus they may improve query performance if they are reused.
$int = 125 . 'asda';
$float = 654.12;
function validateNumber($number) {
if (strpos($number, '.') !== false) {
$number = floatval($number);
} else {
$number = intval($number);
}
return $number;
}
echo validateNumber($int); // 125
echo '<br />';
echo validateNumber($float); // 654.12
Checking whether the number is an int or a float and returning its value.
it is enough to use sprintf()
yes.
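Casting to a number does keep SQL out of a numeric context, but the sketch above has two rough edges worth knowing: strpos() returns 0 (falsy) for a leading ".", and sprintf('%f') is locale-aware, so under a locale with comma decimals it emits "654,12", which breaks the query. The following added example (not code from the question or the answers) validates with filter_var() instead of silently truncating, formats with %d / %F, and also shows the typed-bind alternative the answer recommends. It runs offline with PDO and an in-memory SQLite database; the items table, the inputs, PHP 8 (for the int|float union type) and the availability of a de_DE locale for the last line are assumptions.

```php
<?php
// Added example, not from the original question or answers. Assumes PHP 8+.
// Runs offline with PDO and in-memory SQLite; table rows and inputs are constructed.

// Strict validation: whole integers or decimal numbers only. Unlike intval(),
// "125asda" is rejected rather than truncated to 125, and ".5" is accepted.
function validateNumber(string $input): int|float {
    $int = filter_var($input, FILTER_VALIDATE_INT);
    if ($int !== false) {
        return $int;
    }
    $float = filter_var($input, FILTER_VALIDATE_FLOAT);
    if ($float !== false && is_finite($float)) {
        return $float;
    }
    throw new InvalidArgumentException("not a number: $input");
}

// If the number must be formatted into SQL text: %d for integers and %F (capital)
// for floats, because %f uses the current locale's decimal separator.
function numberLiteral(int|float $n): string {
    return is_int($n) ? sprintf('%d', $n) : sprintf('%F', $n);
}

// The alternative: no formatting at all, the value is bound with its type.
function priceAbove(PDO $pdo, int|float $limit): array {
    $stmt = $pdo->prepare('SELECT name FROM items WHERE price > :limit');
    $stmt->bindValue(':limit', $limit, is_int($limit) ? PDO::PARAM_INT : PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (name TEXT, price REAL)');
$pdo->exec("INSERT INTO items VALUES ('widget', 100), ('gadget', 500), ('gizmo', 700)");

foreach (['125', '654.12', '.5', '125asda', '1 OR 1=1'] as $input) {   // constructed inputs
    try {
        $n = validateNumber($input);
        printf("%-10s -> %-8s literal %-12s bound query: %s\n",
            $input, var_export($n, true), numberLiteral($n), implode(',', priceAbove($pdo, $n)));
    } catch (InvalidArgumentException $e) {
        printf("%-10s -> rejected (%s)\n", $input, $e->getMessage());
    }
}

// The %f pitfall is only visible if a comma-decimal locale is installed (an assumption).
if (setlocale(LC_NUMERIC, 'de_DE.UTF-8', 'de_DE') !== false) {
    printf("%%f: %s   %%F: %s\n", sprintf('%f', 654.12), sprintf('%F', 654.12));
    setlocale(LC_NUMERIC, 'C');
}
```

"125asda" and "1 OR 1=1" are rejected outright, ".5" is parsed as 0.5 instead of being sent to intval(), and the bound query needs no string formatting at all, which is why the answer's recommendation of prepared statements holds even for purely numeric input.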
Possible Duplicate:
Best way to prevent SQL Injection in PHP
PHP GET var Clear function: is it good or not? Please help me
function Clear($text) {
$Var = str_replace("'", "", $text);
$Var = str_replace('"', '', $Var);
$Var = strip_tags($Var);
$Var = htmlentities($Var);
return $Var;
}
$_GET['Var'] = "1='1'";
$Var = Clear($_GET['Var']);
$Query = "SELECT * FROM TABLE_NAME WHERE COL ='{$Var}'";
echo 'Result : '.($Query);
It is for SQL injection; this is sample code I wrote. I am using PDO. If I use mysql_real_escape_string it does not work.
NO. NO. NO
That is not "safe" from attacks.
At a bare minimum use mysql_real_escape_string (which is designed for this). The first version, mysql_escape_string, was actually flawed which is why the "real" version exists.
However, I recommend placeholders as a more universal (and tidier) solution.
See How can I prevent SQL injection in PHP? (which I am voting to close as a dupe, as well). The answers cover PDO and prepared statements, among other things.
Use prepared statements: http://php.net/manual/ru/pdo.prepared-statements.php