MakeWebGames

Anti-sql injection function


Niteshade

I see a lot of posts here concerned about SQL injection. For the most part you will only fall victim to a SQL injection if you allow it to happen. Any input that comes from a client needs to be considered untrusted and tested. This is a simple little function that I have used in a number of my scripts and seems to work well.


function cleaninput($data) {
    // Note: mysql_real_escape_string() was removed in PHP 7.0 and
    // get_magic_quotes_gpc() in PHP 8.0, so this only runs on older PHP.
    if (get_magic_quotes_gpc()) {
        // magic_quotes_gpc has already added slashes to request data;
        // strip them first so the value is not escaped twice.
        $r = mysql_real_escape_string(trim(stripslashes($data)));
    } else {
        $r = mysql_real_escape_string(trim($data));
    }
    return $r;
}


To use, just make a function call:

$input = cleaninput($_POST['user_input']);

$input = cleaninput($_GET['user_input']);

or this might work:

foreach ($_POST as $key => $val) {
    $_POST[$key] = cleaninput($val);
    // ...
}

I forget where this came from, somewhere on the web, but it's worth adding to your code library.


  • 3 weeks later...

Re: Anti-sql injection function

Why would you want to strip backslashes?

That doesn't sound right, try this.

function Clean($String) {
    // ini_get() returns "" or "0" when magic_quotes_gpc is off, never the
    // string 'off', so test the value directly.
    if (!ini_get('magic_quotes_gpc')) {
        $String = addslashes($String);
    } else {
        $String = htmlentities($String, ENT_QUOTES);
        $String = mysql_real_escape_string($String);
    }
    return $String;
}

  • 2 weeks later...

Re: Anti-sql injection function

Yes I know.

What definition do you want?

To put it plain and simple to understand, it escapes quotes that may cause conflicts with the application.

Example one, without magic quotes runtime.

ERROR: Unclosed quote @ 31

STR: '

SQL: UPDATE `table` SET data='date's' WHERE 1

Example two, with magic quotes runtime.

UPDATE `table` SET DATA = 'date\'s' WHERE 1

  • 2 weeks later...

Re: Anti-sql injection function

In global_func.php I put this:

function Clean($String)
{
    // ini_get() returns "" or "0" when magic_quotes_gpc is off, never the
    // string 'off', so test the value directly.
    if (!ini_get('magic_quotes_gpc'))
    {
        $String = addslashes($String);
    }
    else
    {
        $String = htmlentities($String, ENT_QUOTES);
        $String = mysql_real_escape_string($String);
    }
    return $String;
}


Then for either post or get I would put this:


$_GET['EXAMPLE'] = Clean($_GET['EXAMPLE']);


$_POST['EXAMPLE'] = Clean($_POST['EXAMPLE']);


This has worked so far for me. 8-)


  • 1 month later...

Re: Anti-sql injection function

That should work, the trim probably isn't necessary.

Also remember that mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

If you use LIKE to compare an input string, use = instead:

SELECT *
FROM `BankAccounts`
WHERE `baAccountName` = CONVERT( _utf8 'Somename'
USING latin1 )
COLLATE latin1_swedish_ci
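An added example (not code from this thread) for the wildcard caveat above: binding or escaping a value protects its quoting, but % and _ stay meaningful inside LIKE. It assumes PDO with the sqlite driver so it runs offline without MySQL; the SQL itself works the same on MySQL.

```php
<?php
// Added example, not code from the thread. Quote protection (escaping or
// bound parameters) does not neutralise the LIKE wildcards '%' and '_'.
// Assumes PDO with the sqlite driver (in-memory database) so it runs offline.

// Make every character of $value literal inside a LIKE pattern. '!' is used
// as the escape character because a backslash needs different quoting in
// MySQL and SQLite string literals.
function escape_like(string $value): string {
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
}

// Prefix search where only the application's trailing '%' is a wildcard.
function prefix_search(PDO $db, string $userInput): array {
    $stmt = $db->prepare(
        "SELECT baAccountName FROM BankAccounts
         WHERE baAccountName LIKE :p ESCAPE '!'"
    );
    $stmt->execute([':p' => escape_like($userInput) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Same query with the input bound but not wildcard-escaped: safe against
// quote injection, yet a submitted "%" still returns every account.
function naive_prefix_search(PDO $db, string $userInput): array {
    $stmt = $db->prepare(
        "SELECT baAccountName FROM BankAccounts WHERE baAccountName LIKE :p"
    );
    $stmt->execute([':p' => $userInput . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE BankAccounts (baAccountName TEXT)");
$ins = $db->prepare("INSERT INTO BankAccounts VALUES (?)");
foreach (['Somename', 'Someone', 'S_mebody'] as $name) {
    $ins->execute([$name]);
}

// Compare the row counts for a lone "%" and for a name containing "_".
foreach (['%', 'S_m'] as $input) {
    printf("input '%s': naive=%d rows, escaped=%d rows\n", $input,
        count(naive_prefix_search($db, $input)),
        count(prefix_search($db, $input)));
}
```

Where an exact match is all that is needed, the `=` comparison in the post above avoids the issue entirely; escape_like() is only for genuine pattern searches.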

  • 3 weeks later...

Re: Anti-sql injection function

Check for missing curly braces, mistakes in keywords.

There is a typing error, as you posted the error yourself. You just gotta look hard enough :)

Try getting a text editor with code highlighting, most typing errors should show up.


Re: Anti-sql injection function

Am I meant to be putting the function in global_func or in the page I'm using the function in? I saw someone post that you put it in global_func, but just to be sure.

I put the function in crystletemple.php then did this.

mysql_query("UPDATE users SET crystals=crystals-$cleaninput{$_POST['crystals']},money=money+$iqgain WHERE userid=$userid",$c);

Is this correct?


  • 4 years later...
  • 2 weeks later...
Yeah, this is OK I guess, lol. I always look at the other side of the box though, so I guess you guys would know better than me, lmfao :) Good read though, thanks OP.

magic_quotes runtime has officially been removed since PHP 5.4.0.

This script and/or any proposed segments thereof should NOT be used any more.

mod lock?


Lmfao, too right it shouldn't be used. Wow, people really used this? I'm no coder and even I see the flaws in it.

The best way to secure an SQL entry is to not be lazy and make sure you are doing it right, as at the end of the day all it takes is a bit of time testing to understand what is needed and what is, well, just a fail.


  • 1 month later...

Lol, I was being funny, ehhh, did no one catch on to that, lmfao :P Quick fix = no fix, simple. I have seen these fail time and time again, just like Norton site scanner makes me laugh like a girl; site scanner, more like WHAT, WE NEVER FOUND IT (they hate me at Norton).

@SRB where did I say I use programs??? Mmmmmm, I don't think I did say I did, but hey SRB, you know best, right? I forgot you're a guru/god (phahahahah). If you don't like me, fine, go cry at someone else, coz you will never know me or what I can do, coz your mind is too small to PM me and maybe get to know me :P

I'll PM you something, have a look, yeah :P

Edited by Michael Evans