cody4camp Posted December 27, 2009

Guys, wouldn't this work to protect against SQL injections? I've commented it.

```php
<?php
// Reject input whose length is outside the range this field allows.
function checkIncomingData($idata, $minsize, $maxsize) {
    if ( strlen($idata) < $minsize or strlen($idata) > $maxsize ) {
        return false;
    } else {
        return true;
    }
}

// make sure that nothing bad can be entered by the user (--> sql injection attack)
// Note: mysql_real_escape_string() needs an open mysql_connect() link,
// so this must be called after connecting to the database.
function cleanIncomingData($idata) {
    $cleaned = trim($idata);
    $cleaned = mysql_real_escape_string($cleaned);
    return $cleaned;
}
```
Zeggy Posted December 27, 2009

Nobody's going to want to bother filling in $minsize and $maxsize for every piece of data, especially when the size could be different on every page load (especially when dealing with user input).

Your cleanIncomingData function is a bit more useful. But all it really does is act as a wrapper to call trim and mres, with a function name which isn't much shorter than mres. Might as well give it a shorter function name so it would actually be more convenient to type.

Just a note, it doesn't protect against everything. It can stop SQL injections, but there are more ways of exploiting a game through MySQL queries, even without ' and " (which is basically what mres escapes, as well as some other characters). For proper protection, you'll need to do real checks, and these checks WILL be different depending on the query and the data. Which means for proper security, every single query you write should also be checked in some way. There's no point relying on 'catch-all' security functions. Of course, creating some shortcut functions like cleanIncomingData would be very helpful.
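To make Zeggy's point concrete, here is an added example (not code from the thread, cody4camp or Zeggy) that runs cody4camp's escape-and-trim idea against a query where the value is not quoted, and then shows the per-query check Zeggy is describing. It assumes the pdo_sqlite extension is available so it can run offline against an in-memory database with a constructed `users` table; because mysql_real_escape_string() needs a live MySQL link (and no longer exists in PHP 7), a stand-in `mres_stub()` that escapes the same documented character set (NUL, \n, \r, \, ', ", Ctrl-Z) is used in its place.

```php
<?php
// Added example: escaping alone does not stop injection into a numeric context.
// Everything here (table, rows, helper names) is constructed for illustration.

// Stand-in for mysql_real_escape_string(): same escape set, no DB link needed.
function mres_stub(string $s): string {
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// In-memory SQLite database with sample rows (constructed data).
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, money INTEGER)');
    $db->exec("INSERT INTO users VALUES (1,'alice',100),(2,'bob',50),(3,'admin',9999)");
    return $db;
}

// Vulnerable: the value is trimmed and escaped, exactly like cleanIncomingData(),
// but it is interpolated into the query without quotes around it.
function getUserVulnerable(PDO $db, string $id): array {
    $clean = mres_stub(trim($id));
    $sql   = "SELECT id, name FROM users WHERE id = $clean";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a check written for THIS query (an id must be a positive integer),
// then a bound parameter so the value can never be parsed as SQL.
function getUserSafe(PDO $db, string $id): array {
    $id = trim($id);
    if (!ctype_digit($id) || $id === '0') {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
$payload = '1 OR 1=1';   // contains no quote characters, so escaping changes nothing

echo "payload unchanged by escaping: ", var_export(mres_stub($payload) === $payload, true), "\n";
echo "vulnerable query returned ", count(getUserVulnerable($db, $payload)), " rows for id '$payload'\n";
echo "safe query returned ", count(getUserSafe($db, ' 2 ')), " row for id ' 2 '\n";

try {
    getUserSafe($db, $payload);
} catch (InvalidArgumentException $e) {
    echo "safe query rejected '$payload': ", $e->getMessage(), "\n";
}
```

The escaped payload is byte-for-byte identical to the input, so the vulnerable function returns every user, admin included, while the hardened version rejects it before any SQL is built. The shape of the check (integer, enum value, bounded string, and so on) is what changes from query to query; that is the part no single wrapper function can supply.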
rulerofzu Posted December 28, 2009

This appears every month or so. "Can I secure my entire site with this function so I don't have to go through every file and secure it?" The quick answer is no.
Zero-Affect Posted December 28, 2009

There are actually ways of doing it with functions like this, but it still depends on implementing them in the right places. I use functions to make scripts more secure on my website, so as a quick way, still no, but using functions to speed up the time to code, yes. Depends on your ability to remember stuff, normally. I would just say bin MC and get it over with.