Niteshade

Anti-sql injection function


I see a lot of posts here concerned about SQL injection. For the most part you will only fall victim to an SQL injection if you allow it to happen. Any input that comes from a client needs to be considered untrusted and tested. This is a simple little function that I have used in a number of my scripts and it seems to work well.

 

function cleaninput($data){
    // magic_quotes_gpc has already added backslashes to request data; strip them
    // first so mysql_real_escape_string() does not escape the input a second time
    if(get_magic_quotes_gpc()) {
        $r = mysql_real_escape_string(trim(stripslashes($data)));
    } else {
        $r = mysql_real_escape_string(trim($data));
    }
    return $r;
}

 

To use just make a function call:

$input = cleaninput($_POST['user_input']);

$input = cleaninput($_GET['user_input']);

or this might work:

foreach($_POST as $key=>$val) {
    $_POST[$key] = cleaninput($val);
    // ...
}

I forget where this came from, somewhere on the web, but it's worth adding to your code library.


Re: Anti-sql injection function

Why would you want to strip backslashes?

That doesn't sound right, try this.

function Clean($String){
    // ini_get() returns "" or "0" when magic_quotes_gpc is disabled, so test it as a boolean
    if (!ini_get('magic_quotes_gpc')) {
        $String = addslashes($String);
    } else {
        $String = htmlentities($String, ENT_QUOTES);
        $String = mysql_real_escape_string($String);
    }
    return $String;
}


Re: Anti-sql injection function

Yes I know.

What definition do you want?

To put it plain and simple, it escapes quotes that may cause conflicts with the application.

Example one, without magic quotes runtime.

ERROR: Unclosed quote @ 31

STR: '

SQL: UPDATE `table` SET data='date's' WHERE 1

Example two, with magic quotes runtime.

UPDATE `table` SET DATA = 'date\'s' WHERE 1


Re: Anti-sql injection function

In global_func.php I put this:

function Clean($String)
{
    // ini_get() returns "" or "0" when magic_quotes_gpc is disabled, so test it as a boolean
    if (!ini_get('magic_quotes_gpc'))
    {
        $String = addslashes($String);
    }
    else
    {
        $String = htmlentities($String, ENT_QUOTES);
        $String = mysql_real_escape_string($String);
    }
    return $String;
}

 

Then for either POST or GET I would put this:

 

$_GET['EXAMPLE'] = Clean($_GET['EXAMPLE']);

 

$_POST['EXAMPLE'] = Clean($_POST['EXAMPLE']);

 

This has worked so far for me. 8-)


Re: Anti-sql injection function

Hmm, this should save me a lot of time. Thanks for these great functions.

Also, Absolute, one small error: you missed a ; after return $String


Re: Anti-sql injection function


That should work, the trim probably isn't necessary.

Also remember that mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

If you use LIKE to compare an input string, use = instead:

SELECT *
FROM `BankAccounts`
WHERE `baAccountName` = CONVERT( _utf8 'Somename'
USING latin1 )
COLLATE latin1_swedish_ci


Re: Anti-sql injection function

Stop trying to be a smarty.. d:

% is a valid wildcard, _ isn't.

And your examples are pointless, and clearly improper use of them.

So you can google, so what.

Also, the trim function is needed for extra security, it removes whitespaces.


Re: Anti-sql injection function

You could also use ADOdb, it automatically cleans your SQL queries :)


Re: Anti-sql injection function

I always get this error

 

Parse error: syntax error, unexpected T_VARIABLE, expecting T_STRING in /home/blobby/public_html/game/global_func.php on line 139


Re: Anti-sql injection function

You have a spelling mistake :)

Make sure you got a $ sign in front of all variables.


Re: Anti-sql injection function

Check for missing curly braces, mistakes in keywords.

There is a typing error, as you posted the error yourself. You just gotta look hard enough :)

Try getting a text editor with code highlighting, most typing errors should show up.


Re: Anti-sql injection function

Am I meant to be putting the function in global_func or in the page I'm using the function in? I saw someone post that you put it in global_func, but just to be sure.

I put the function in crystletemple.php then did this.

mysql_query("UPDATE users SET crystals=crystals-$cleaninput{$_POST['crystals']},money=money+$iqgain WHERE userid=$userid",$c);

Is this correct?


Re: Anti-sql injection function

Take out the dollar sign in front of cleaninput(). It's a function not a variable, and only variables start with a dollar sign.


Yeah, this is ok I guess lol, I always look at the other side of the box tho, so I guess you guys would know better than me lmfao :) Good read tho, thanks OP.


magic_quotes runtime has officially been removed since PHP 5.4.0.

This script and/or any proposed segments thereof should NOT be used any more.

mod lock?


Lmfao, too right it shouldn't be used. Wow, people really used this? I'm no coder and even I see the flaws in it.

The best way to secure an SQL entry is to not be lazy and make sure you are doing it right, as at the end of the day all it takes is a bit of time testing to understand what is needed and what is, well, just a fail.


I think it is interesting, and users could learn from this and see that there is never a quick fix to any issue. It's also a good read :P Just my opinion tho.


This in particular is a quick fix.


The only correct way to secure SQL statements in PHP is to use prepared statements, in my opinion. It's the best approach.
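As an added example (not code from the thread or any poster), this picks up two points made above: the reply noting that mysql_real_escape_string() leaves the LIKE wildcards % and _ untouched, and this post's recommendation of prepared statements. It uses Python with an in-memory SQLite table standing in for the thread's BankAccounts table so it runs without a MySQL server; the account names are constructed sample data, and the bound-parameter form is the same idea as mysqli/PDO prepared statements in PHP.

```python
import sqlite3

# Constructed sample data standing in for the thread's BankAccounts table;
# two names contain a literal LIKE wildcard so the difference is visible.
ACCOUNTS = ["Somename", "Someone else", "100% legit", "under_score"]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE BankAccounts (baAccountName TEXT)")
    conn.executemany("INSERT INTO BankAccounts VALUES (?)", [(a,) for a in ACCOUNTS])
    return conn


def quote_escape(s):
    """Quote-only escaping in the spirit of mysql_real_escape_string(): it
    neutralises the string delimiter (doubled, SQLite style) but, exactly as
    the reply notes, leaves % and _ untouched."""
    return s.replace("'", "''")


def contains_count_escaped_only(conn, user_input):
    """Substring search built by concatenation after quote-escaping. The
    delimiter cannot be broken out of, but LIKE still treats % and _ in the
    input as wildcards, so an input of just '%' or '_' matches every row."""
    sql = ("SELECT COUNT(*) FROM BankAccounts WHERE baAccountName LIKE '%"
           + quote_escape(user_input) + "%'")
    return conn.execute(sql).fetchone()[0]


def escape_like(s, esc="\\"):
    """Make user input literal inside a LIKE pattern: escape the escape
    character itself first, then the two wildcards."""
    return s.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def contains_count_bound(conn, user_input):
    """Bound parameter plus ESCAPE clause: the driver handles quoting and the
    wildcards in the input are matched literally."""
    sql = "SELECT COUNT(*) FROM BankAccounts WHERE baAccountName LIKE ? ESCAPE '\\'"
    pattern = "%" + escape_like(user_input) + "%"
    return conn.execute(sql, (pattern,)).fetchone()[0]


def equals_count_bound(conn, user_input):
    """Exact comparison with a bound parameter: the '=' form recommended in
    the thread, with no wildcard semantics at all."""
    sql = "SELECT COUNT(*) FROM BankAccounts WHERE baAccountName = ?"
    return conn.execute(sql, (user_input,)).fetchone()[0]
```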


Yes this is a quick fix, and an idiotic one, but simply code up filters per input and stop being lazy.


Lol, I was being funny, ehhh, did no one catch on to that lmfao :P Quick fix = no fix, simple. I have seen these fail time and time again, just like Norton site scanner makes me laugh like a girl. Site scanner, more like WHAT WE NEVER FOUND IT (they hate me at Norton).

 

@SRB where did I say I use programs??? Mmmmmm, I don't think I did say I did, but hey SRB, you know best right, I forgot you're a guru/god (phahahahah). If you don't like me, fine, go cry at someone else, coz you will never know me or what I can do, coz your mind is too small to PM me and maybe get to know me :P

I'll PM you something, have a look yeah :P

Edited by Michael Evans

