Anti-sql injection function

[Niteshade]

I see a lot of posts here concerned about sql injection. For the most part you will only fall victim to a sql injection if you allow it to happen. Any input that comes from a client needs to be considered untrusted and tested. This is a simple little function that I have used in a number of my scripts and seems to work well.

 

function cleaninput($data){
if(get_magic_quotes_gpc()) {
	$r = mysql_real_escape_string(trim(stripslashes($data)));
} else {
	$r = mysql_real_escape_string(trim($data));
}
return $r;
}

 

To use just make a function call:

$input = cleaninput($_POST['user_input']);

$input = cleaninput($_GET['user_input']));

or this might work:

foreach($_POST as $key=>cleaninput($val)) {

...

}

I forget where this came from, somewhere on the web but its worth adding to your code library.

[hamster01]

Re: Anti-sql injection function

Why would you want to strip backslashes?

That doesn't sound right, try this.

function Clean($String){
if (ini_get('magic_quotes_gpc') == 'off')
$String = addslashes($String); 
else {
$String = htmlenitites($String, ENT_QUOTES);
$String = mysql_real_escape_string($String); }
return $String
}

[Niteshade]

Re: Anti-sql injection function

get_magic_quotes_gpc();

See what it does if enabled.

[hamster01]

Re: Anti-sql injection function

Yes I know.

What definition do you want?

To put it plain and simple to understand, it escapes quotes that may cause conflict with application.

Example one, without magic quotes runtime.

ERROR: Unclosed quote @ 31

STR: '

SQL: UPDATE `table` SET data='date's' WHERE 1

Example two, with magic quotes runtime.

UPDATE `table` SET DATA = 'date\'s' WHERE 1

[Absolute Zero]

Re: Anti-sql injection function

In global_func.php I put this:

function Clean($String)
 {
if (ini_get('magic_quotes_gpc') == 'off')
 {
   $String = addslashes($String);
 }
   else 
 {
   $String = htmlentities($String, ENT_QUOTES);
   $String = mysql_real_escape_string($String); 
 }
   return $String
 }

 

Then for either post or get I would put this:

 

$_GET['EXAMPLE'] = Clean($_GET['EXAMPLE']);

 

$_POST['EXAMPLE'] = Clean($_POST['EXAMPLE']);

 

This has worked so far for me. 8-)

[Isomerizer]

Re: Anti-sql injection function

Hmm should save me alot of time. Thanks for these great functions.

Also Absolute, One small error, You missed an ; after return $string

[monbster]

Re: Anti-sql injection function

 

I see a lot of posts here concerned about sql injection. For the most part you will only fall victim to a sql injection if you allow it to happen. Any input that comes from a client needs to be considered untrusted and tested. This is a simple little function that I have used in a number of my scripts and seems to work well.

 

function cleaninput($data){
if(get_magic_quotes_gpc()) {
	$r = mysql_real_escape_string(trim(stripslashes($data)));
} else {
	$r = mysql_real_escape_string(trim($data));
}
return $r;
}

 

To use just make a function call:

$input = cleaninput($_POST['user_input']);

$input = cleaninput($_GET['user_input']));

or this might work:

foreach($_POST as $key=>cleaninput($val)) {

...

}

I forget where this came from, somewhere on the web but its worth adding to your code library.

 

That should work, the trim probably isn't necessary.

Also remember that mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

If you use LIKE to compare an input string, use = instead:

SELECT *
FROM `BankAccounts`
WHERE `baAccountName` = CONVERT( _utf8 'Somename'
USING latin1 )
COLLATE latin1_swedish_ci

[hamster01]

Re: Anti-sql injection function

Stop trying to be a smarty.. d:

% is a valid wildcard, _ isn't.

And your examples are pointless, and clearly improper use of them.

So you can google, so what.

Also, the trim function is needed for extra security, it removes whitespaces.

[Zeggy]

Re: Anti-sql injection function

You could also use ADOdb, it automatically cleans your SQL queries :)

[ignite]

Re: Anti-sql injection function

I always get this error

 

Parse error: syntax error, unexpected T_VARIABLE, expecting T_STRING in /home/blobby/public_html/game/global_func.php on line 139

[Zeggy]

Re: Anti-sql injection function

You have a spelling mistake :)

Make sure you got a $ sign in front of all variables.

[ignite]

Re: Anti-sql injection function

Nope ive tried it 3 times now

[Zeggy]

Re: Anti-sql injection function

Check for missing curly braces, mistakes in keywords.

There is a typing error, as you posted the error yourself. You just gotta look hard enough :)

Try getting a text editor with code highlighting, most typing errors should show up.

[ignite]

Re: Anti-sql injection function

Am i meant to be puttin the function in global_func or in the page i'm using the function in ? I saw somone post you put it in global_func but just to be sure.

I put the function in crystletemple.php then did this.

mysql_query("UPDATE users SET crystals=crystals-$cleaninput{$_POST['crystals']},money=money+$iqgain WHERE userid=$userid",$c);

is this correct ?

[Zeggy]

Re: Anti-sql injection function

Take out the dollar sign in front of cleaninput(). It's a function not a variable, and only variables start with a dollar sign.

[ignite]

Re: Anti-sql injection function

Cheers +1

[Michael Evans]

yeah this is ok i guess lol i always look at the other side of the box tho me so i guess you guys would know better than me lmfao:) good read tho thanks OP

[Spudinski]

yeah this is ok i guess lol i always look at the other side of the box tho me so i guess you guys would know better than me lmfao:) good read tho thanks OP

magic_quotes runtime has officially been removed since PHP 5.4.0.

This script and/or any proposed segments thereof should NOT be used any more.

mod lock?

[Michael Evans]

lmfao too right its should be used wow people really used this im no coder and even i see the flaws in it.

the best way to secure and sql entry is to not be lazy and make sure you are doing it right has at the end of the day all its takes is a bit of time testing to understand what is needed and what is well just a fail.

[rulerofzu]

Why are you even discussing it?

[Michael Evans]

i think it is interesting, and users could learn from this and see that there is never a quick fix to any issue its also a good read :P just my opinion tho

[Spudinski]

i think it is interesting, and users could learn from this and see that there is never a quick fix to any issue its also a good read :P just my opinion tho

This in particular is a quick fix.

[Aventro]

The only correct way to secure sql statements in php is to use prepared statements in my opinion. It's the best approach.

[Paul Evans]

This in particular is a quick fix.

Yes this is a quick fix and a idiotic one but simply code up filters per input and stop being lazy.

[Michael Evans]

Lol i was been funny Ehhh did no one catch on to that lmfao :P quick fix = no fix simple i have seen these fail time and time again, just like norton site scanner makes me laugh like a girl site scanner more Like WHAT WE NEVER FOUND IT (they hate me at norton).

 

@SRB where did i say i use programs??? mmmmmm i don't think i did say i did but hey SRB you know best right i forgot your a guru/god (phahahahah) if you dont ike me find go cry at someone else coz you will never know me or what i can do coz your mind is too small to pm me and maybe get to know me :P

ill pm you something have a look yeah :P

Edited June 5, 2012 by Michael Evans