Niteshade, posted August 8, 2007

I see a lot of posts here concerned about SQL injection. For the most part you will only fall victim to a SQL injection if you allow it to happen. Any input that comes from a client needs to be considered untrusted and tested. This is a simple little function that I have used in a number of my scripts and it seems to work well.

```php
// Strip the slashes magic_quotes added (if enabled), then escape for MySQL.
function cleaninput($data) {
    if (get_magic_quotes_gpc()) {
        $r = mysql_real_escape_string(trim(stripslashes($data)));
    } else {
        $r = mysql_real_escape_string(trim($data));
    }
    return $r;
}
```

To use, just make a function call:

```php
$input = cleaninput($_POST['user_input']);
$input = cleaninput($_GET['user_input']);
```

or this might work:

```php
foreach ($_POST as $key => $val) {
    $_POST[$key] = cleaninput($val);
}
```

I forget where this came from, somewhere on the web, but it's worth adding to your code library.
hamster01, posted August 24, 2007

Re: Anti-sql injection function

Why would you want to strip backslashes? That doesn't sound right; try this.

```php
function Clean($String) {
    if (ini_get('magic_quotes_gpc') == 'off')
        $String = addslashes($String);
    else {
        $String = htmlentities($String, ENT_QUOTES);
        $String = mysql_real_escape_string($String);
    }
    return $String;
}
```
Niteshade (Author), posted September 6, 2007

```php
get_magic_quotes_gpc();
```

See what it does if enabled.
hamster01, posted September 6, 2007

Yes, I know. What definition do you want? To put it plain and simple to understand, it escapes quotes that may cause conflict with the application.

Example one, without magic quotes runtime:

```
ERROR: Unclosed quote @ 31
STR: '
SQL: UPDATE `table` SET data='date's' WHERE 1
```

Example two, with magic quotes runtime:

```
UPDATE `table` SET DATA = 'date\'s' WHERE 1
```
Absolute Zero, posted September 15, 2007

In global_func.php I put this:

```php
function Clean($String) {
    if (ini_get('magic_quotes_gpc') == 'off') {
        $String = addslashes($String);
    } else {
        $String = htmlentities($String, ENT_QUOTES);
        $String = mysql_real_escape_string($String);
    }
    return $String
}
```

Then for either POST or GET I would put this:

```php
$_GET['EXAMPLE'] = Clean($_GET['EXAMPLE']);
$_POST['EXAMPLE'] = Clean($_POST['EXAMPLE']);
```

This has worked so far for me. 8-)
Isomerizer, posted September 17, 2007

Hmm, should save me a lot of time. Thanks for these great functions. Also Absolute, one small error: you missed a `;` after `return $String`.
monbster, posted October 20, 2007

> I see a lot of posts here concerned about SQL injection. For the most part you will only fall victim to a SQL injection if you allow it to happen. Any input that comes from a client needs to be considered untrusted and tested. This is a simple little function that I have used in a number of my scripts and it seems to work well.
>
> ```php
> function cleaninput($data) {
>     if (get_magic_quotes_gpc()) {
>         $r = mysql_real_escape_string(trim(stripslashes($data)));
>     } else {
>         $r = mysql_real_escape_string(trim($data));
>     }
>     return $r;
> }
> ```
>
> To use, just make a function call:
>
> ```php
> $input = cleaninput($_POST['user_input']);
> $input = cleaninput($_GET['user_input']);
> ```
>
> or this might work:
>
> ```php
> foreach ($_POST as $key => $val) {
>     $_POST[$key] = cleaninput($val);
> }
> ```
>
> I forget where this came from, somewhere on the web, but it's worth adding to your code library.

That should work; the trim probably isn't necessary. Also remember that mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE. If you use LIKE to compare an input string, use = instead:

```sql
SELECT * FROM `BankAccounts`
WHERE `baAccountName` = CONVERT(_utf8 'Somename' USING latin1) COLLATE latin1_swedish_ci
```
hamster01, posted October 20, 2007

Stop trying to be a smarty.. d: % is a valid wildcard, _ isn't. And your examples are pointless, and clearly improper use of them. So you can Google, so what. Also, the trim function is needed for extra security; it removes whitespace.
Zeggy, posted November 5, 2007

You could also use ADOdb, it automatically cleans your SQL queries :)
ignite, posted November 6, 2007

I always get this error:

```
Parse error: syntax error, unexpected T_VARIABLE, expecting T_STRING in /home/blobby/public_html/game/global_func.php on line 139
```
Zeggy, posted November 6, 2007

You have a spelling mistake :) Make sure you got a $ sign in front of all variables.
ignite, posted November 6, 2007

Nope, I've tried it 3 times now.
Zeggy, posted November 6, 2007

Check for missing curly braces and mistakes in keywords. There is a typing error, as you posted the error yourself. You just gotta look hard enough :) Try getting a text editor with code highlighting; most typing errors should show up.
ignite, posted November 11, 2007

Am I meant to be putting the function in global_func or in the page I'm using the function in? I saw someone post that you put it in global_func, but just to be sure. I put the function in crystletemple.php then did this:

```php
mysql_query("UPDATE users SET crystals=crystals-$cleaninput{$_POST['crystals']},money=money+$iqgain WHERE userid=$userid", $c);
```

Is this correct?
Zeggy, posted November 11, 2007

Take out the dollar sign in front of cleaninput(). It's a function, not a variable, and only variables start with a dollar sign.
ignite, posted November 11, 2007

Cheers +1
Michael Evans, posted March 28, 2012

Yeah this is ok I guess lol. I always look at the other side of the box though, me, so I guess you guys would know better than me lmfao :) Good read though, thanks OP.
Spudinski, posted April 9, 2012

> Yeah this is ok I guess lol. I always look at the other side of the box though, me, so I guess you guys would know better than me lmfao :) Good read though, thanks OP.

magic_quotes runtime has officially been removed since PHP 5.4.0. This script and/or any proposed segments thereof should NOT be used any more.

Mod lock?
Michael Evans, posted April 9, 2012

Lmfao, too right it shouldn't be used. Wow, people really used this? I'm no coder and even I see the flaws in it. The best way to secure an SQL entry is to not be lazy and make sure you are doing it right, as at the end of the day all it takes is a bit of time testing to understand what is needed and what is, well, just a fail.
rulerofzu, posted April 9, 2012

Why are you even discussing it?
Michael Evans, posted April 9, 2012

I think it is interesting, and users could learn from this and see that there is never a quick fix to any issue. It's also a good read :P Just my opinion though.
Spudinski, posted April 9, 2012

> I think it is interesting, and users could learn from this and see that there is never a quick fix to any issue. It's also a good read :P Just my opinion though.

This in particular is a quick fix.
Aventro, posted June 2, 2012

The only correct way to secure SQL statements in PHP is to use prepared statements, in my opinion. It's the best approach.
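Aventro's point, worked through on ignite's UPDATE from earlier in the thread, as an added example that is not code from any post here: the interpolated query becomes a mysqli prepared statement with typed parameters, and a LIKE lookup shows how to neutralise the % and _ wildcards monbster raised. The connection values, `$_SESSION['userid']` and the `$iqGain` sample value are assumptions.

```php
<?php
// Added example, not code from any post in this thread: ignite's UPDATE, which
// interpolated $_POST['crystals'] straight into the SQL text, rewritten as a
// mysqli prepared statement, plus a LIKE lookup that escapes the % and _ wildcards
// monbster mentioned. Table and column names come from the thread; connection
// values and $_SESSION['userid'] are assumptions.
declare(strict_types=1);

// Escaping does nothing for an unquoted numeric position, so validate the type instead.
function parseCrystals(mixed $raw): int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        throw new InvalidArgumentException('crystals must be a non-negative integer');
    }
    return (int) $raw;
}

// Bound parameters travel separately from the query text, so no quoting or escaping applies.
// The "crystals >= ?" guard is an addition here; it stops the balance going negative.
function spendCrystals(mysqli $db, int $userId, int $crystals, int $iqGain): int
{
    $stmt = $db->prepare(
        'UPDATE users SET crystals = crystals - ?, money = money + ?
          WHERE userid = ? AND crystals >= ?'
    );
    $stmt->bind_param('iiii', $crystals, $iqGain, $userId, $crystals);
    $stmt->execute();
    return $stmt->affected_rows; // 0 means no such user or not enough crystals
}

// Binding stops injection, but % and _ still act as wildcards inside LIKE;
// addcslashes makes them literal (MySQL's default LIKE escape character is the backslash).
function findAccountsByPrefix(mysqli $db, string $prefix): array
{
    $pattern = addcslashes($prefix, '\\%_') . '%';
    $stmt = $db->prepare('SELECT baAccountName FROM BankAccounts WHERE baAccountName LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return array_column($stmt->get_result()->fetch_all(MYSQLI_ASSOC), 'baAccountName');
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw instead of returning false
$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholder credentials
$db->set_charset('utf8mb4');

$userId = (int) ($_SESSION['userid'] ?? 0); // assumption: the logged-in player's id lives in the session
$iqGain = 5;                                 // constructed sample value standing in for $iqgain
$spent = spendCrystals($db, $userId, parseCrystals($_POST['crystals'] ?? ''), $iqGain);
```

Because `crystals` sits in an unquoted numeric position, mysql_real_escape_string() alone would not have protected ignite's original query; the integer check and the typed bind do.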
Paul Evans, posted June 5, 2012

> This in particular is a quick fix.

Yes, this is a quick fix and an idiotic one, but simply code up filters per input and stop being lazy.
Michael Evans, posted June 5, 2012 (edited)

Lol, I was being funny. Ehhh, did no one catch on to that lmfao :P Quick fix = no fix, simple. I have seen these fail time and time again, just like Norton site scanner; makes me laugh like a girl. Site scanner, more like WHAT, WE NEVER FOUND IT (they hate me at Norton). @SRB where did I say I use programs??? Mmmmmm, I don't think I did say I did, but hey SRB, you know best, right? I forgot you're a guru/god (phahahahah). If you don't like me, fine, go cry at someone else, coz you will never know me or what I can do, coz your mind is too small to PM me and maybe get to know me :P I'll PM you something, have a look yeah :P

Edited June 5, 2012 by Michael Evans