jcvenom Posted February 5, 2014

This is a simple way to secure your $_GET & $_POST:

```php
<?php
function secure($string)
{
    // ini_get() returns "" or "0" when magic_quotes_gpc is off, so test it as a boolean
    if (!ini_get('magic_quotes_gpc')) {
        $string = addslashes($string);
    } else {
        // $string = mysql_real_escape_string($string);
        /* There is no need to use mysql_real_escape_string here, as it should
           only be used for MySQL; it is there as an example */
        $string = htmlentities($string);

        // If it's a string
        if (is_string($string)) {
            $string = strip_tags(trim($string));
        }
    }
    return $string;
}
```

How to use:

```php
$name = secure($_POST['name']);

if (secure($_POST['example'])) {
    // ...
}

if (secure($_GET['example'])) {
    // ...
}
```
Guest Posted February 5, 2014

Addslashes is the worst way; also using mysql_* as an example is terrible. If you're trying to help someone, please do it the right way. Addslashes will... add slashes when using ', so it will appear as \', which is visually horrible. Mysql_* is deprecated.
jcvenom Posted February 5, 2014 (Author)

> Addslashes is the worst way; also using mysql_* as an example is terrible. If you're trying to help someone, please do it the right way. Addslashes will... add slashes when using ', so it will appear as \', which is visually horrible. Mysql_* is deprecated.

It would be nice to provide an example.
Dave Posted February 5, 2014

> It would be nice to provide an example.

If you use something like PDO you can secure the variables when you bind them. MySQLi also offers similar functionality. Consider that the MySQL PHP extension is actually deprecated as of version 5.5.0:

> This extension is deprecated as of PHP 5.5.0, and is not recommended for writing new code as it will be removed in the future. Instead, either the mysqli or PDO_MySQL extension should be used. See also the MySQL API Overview for further help while choosing a MySQL API.

http://www.php.net/manual/en/intro.mysql.php

Check out these links:
http://uk3.php.net/manual/en/intro.pdo.php
http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers
jcvenom Posted February 5, 2014 (Author)

> If you use something like PDO you can secure the variables when you bind them. MySQLi also offers similar functionality. Consider that the MySQL PHP extension is actually deprecated as of version 5.5.0: http://www.php.net/manual/en/intro.mysql.php
>
> Check out these links:
> http://uk3.php.net/manual/en/intro.pdo.php
> http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers

Thank you, will have a look.
Alan Posted February 5, 2014

@op: Magic quotes itself is deprecated, and there's also a total lack of type checking, not to mention a failure to use the function htmlentities correctly. Look at the documentation; essentially it changed how it operates relatively recently, in that it now assumes UTF-8 whereas previously it assumed ISO-8859-1, which can be a nightmare to resolve.

Consider the chain of events:

user input => assertions for existence => type checking => range checking => database sanitation => output sanitation => browser output

- user input: can be assumed to be anything from _GET, _POST, _COOKIE, _FILES and, to an extent, _SERVER and _ENV
- assertions for existence: don't blindly assume the user has passed data; check it first (see array_key_exists, NOT isset)
- type checking: both _GET and _POST elements can be arrays, so you really need to check they are strings (not integers), but use the shortcut functions ctype_xxx if you can
- range checking: fairly obvious; pages usually go from 1..numpages, so clamp values or ignore erroneous ones
- data sanitation: mysql_escape_string() (for the mysql_xxx haters and "but mysql is deprecated" fans, read the C code; the function is mysql_real_escape_string, and how you call it from PHP is up to you)
- output sanitation: you need to prevent things like "<script>alert(1)</script>" getting through, so htmlentities is the final port of call, but use it properly

If your server is correctly set up, stripslashes() should not be needed; addslashes() should never be used unless you want to rot in hell for eternity.

In real terms, for an int:

```php
<?php
// Existence check first, then a type/format check: ctype_digit() is only true
// for a non-empty string made entirely of decimal digits.
if (array_key_exists('varname', $_GET) && ctype_digit($_GET['varname'])) {
    $varname = $_GET['varname'];
    # range checking if required
} else {
    # do what you will here
    header('HTTP/1.1 400 Bad Request');
    exit;
}
```

For a string:

```php
<?php
// Existence check, then make sure it is a string and not an array.
if (array_key_exists('varname', $_GET) && is_string($_GET['varname'])) {
    $varname = $_GET['varname'];
    # range checking if required (possibly in_array() if you are expecting one of a few values, i.e. "Male", "Female")
} else {
    # do what you will here
    header('HTTP/1.1 400 Bad Request');
    exit;
}
```

etc.
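As an added example (not code from Dave's or Alan's posts), the chain Alan lists above applied to a single request, with the database step done through the PDO parameter binding Dave points to instead of any escaping function. The `users` table and its `id`, `name` and `gender` columns, the DSN, and the credentials are assumptions for illustration only; the output step uses htmlspecialchars() with an explicit charset (htmlentities() takes the same flag and charset arguments).

```php
<?php
// Added example for this thread, not from any post in it. Table/column names,
// DSN and credentials below are hypothetical.
declare(strict_types=1);

/**
 * Steps 1+2: existence and type. Returns the value only if the key exists and
 * the value is a string (both $_GET and $_POST entries can be arrays).
 */
function inputString(array $source, string $key): ?string
{
    if (!array_key_exists($key, $source) || !is_string($source[$key])) {
        return null;
    }
    return $source[$key];
}

/**
 * Step 3 for an integer page number, clamped to 1..$maxPage.
 * ctype_digit() rejects "", "-1", "1e3", " 7" and arrays, so the cast is safe;
 * the length cap keeps the cast away from integer overflow.
 */
function pageNumber(array $source, string $key, int $maxPage): ?int
{
    $raw = inputString($source, $key);
    if ($raw === null || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return max(1, min((int) $raw, $maxPage));
}

/** Step 3 for an enumerated value: strict in_array() avoids loose "0" == "Male" surprises. */
function enumValue(array $source, string $key, array $allowed): ?string
{
    $raw = inputString($source, $key);
    return ($raw !== null && in_array($raw, $allowed, true)) ? $raw : null;
}

/**
 * Step 3 for free text: bound the length and require valid UTF-8, so the later
 * htmlspecialchars() call never sees a byte sequence it cannot encode.
 * preg_match() with the /u modifier returns false on malformed UTF-8.
 */
function boundedText(array $source, string $key, int $maxLen): ?string
{
    $raw = inputString($source, $key);
    if ($raw === null || $raw === '' || strlen($raw) > $maxLen || preg_match('//u', $raw) !== 1) {
        return null;
    }
    return $raw;
}

/**
 * Step 4: the SQL text never contains user data; values travel as bound
 * parameters, so no quoting or escaping is involved.
 */
function findUsers(PDO $db, string $name, string $gender, int $page, int $perPage = 20): array
{
    $stmt = $db->prepare(
        'SELECT id, name FROM users WHERE name = :name AND gender = :gender LIMIT :lim OFFSET :off'
    );
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':gender', $gender, PDO::PARAM_STR);
    $stmt->bindValue(':lim', $perPage, PDO::PARAM_INT);               // MySQL rejects quoted LIMIT values
    $stmt->bindValue(':off', ($page - 1) * $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Step 5: output sanitation with the charset and quote handling stated explicitly. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// One request end to end.
$name   = boundedText($_POST, 'name', 64);
$gender = enumValue($_POST, 'gender', ['Male', 'Female']);
$page   = pageNumber($_GET, 'page', 500);

if ($name === null || $gender === null || $page === null) {
    header('HTTP/1.1 400 Bad Request');
    exit;
}

// Hypothetical DSN and credentials; charset in the DSN keeps escaping and
// the connection's character set consistent.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

foreach (findUsers($db, $name, $gender, $page) as $row) {
    echo '<li>', h($row['name']), '</li>';
}
```

Each validator returns null rather than a "cleaned" value, so a request with a bad parameter is rejected outright instead of being silently rewritten; the only transformation applied to user data happens at the output step, where the target context (HTML) is known.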
rockwood Posted February 16, 2014

It's just an idea:

```php
<?php
// Strip everything except ASCII letters and digits.
function filter($var)
{
    return preg_replace('/[^a-zA-Z0-9]/', '', $var); // you can arrange replacements as per your requirement
}

$getstr = filter($_POST['string']);

// If nothing was stripped, the input contained only allowed characters.
if (strcmp($getstr, $_POST['string']) === 0) {
    // statement here ----
    return true;
} else {
    header('HTTP/1.1 400 Bad Request');
}
```
Alan Posted February 16, 2014

@rockwood - consider a faster, and more readable, alternative:

```php
<?php
if (array_key_exists('string', $_POST) && ctype_alnum($_POST['string'])) {
    // at this stage you have a possibly valid input in $_POST['string'] and while it won't be an empty
    // string, (ctype_alnum() returns false if passed ""), it may still need to be checked for excessive length.
} else {
    header('HTTP/1.1 400 Bad Request');
    // don't forget to exit here, otherwise you will continue execution of the php file.
    exit;
}
```

preg_xxx functions are very useful, but not the fastest around, while the ctype_xxx functions are often direct calls to the underlying standard library (libc) equivalent, which are *highly* optimized. Your use of a function to filter out unwanted characters is unnecessary and reduces code legibility considerably.
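As an added example (not code from rockwood's or Alan's posts), the two approaches side by side on constructed inputs, which makes the behavioural difference concrete: strip-then-compare accepts the empty string, while ctype_alnum() rejects it, and neither bounds the length on its own. The `alnumParam()` helper is an assumed name that folds existence, type, character set and length into one check.

```php
<?php
// Added example for this thread; function names and inputs are constructed for illustration.
declare(strict_types=1);

/** rockwood's strip-then-compare, guarded so an array input never reaches the comparison. */
function filterAndCompare($value): bool
{
    if (!is_string($value)) {
        return false;
    }
    return preg_replace('/[^a-zA-Z0-9]/', '', $value) === $value;
}

/** Alan's direct check: ctype_alnum() is false for "" and we refuse non-strings up front. */
function ctypeCheck($value): bool
{
    return is_string($value) && ctype_alnum($value);
}

/** The reusable form: existence, type, character set and length in one place. */
function alnumParam(array $source, string $key, int $maxLen): ?string
{
    if (!array_key_exists($key, $source)) {
        return null;
    }
    $v = $source[$key];
    return (is_string($v) && ctype_alnum($v) && strlen($v) <= $maxLen) ? $v : null;
}

// Constructed inputs standing in for $_POST values (not real request data).
$cases = [
    'plain'    => 'abc123',
    'empty'    => '',            // passes strip-then-compare, fails ctype_alnum()
    'space'    => 'abc 123',
    'utf8'     => "caf\xC3\xA9", // non-ASCII letter: rejected by both
    'array'    => ['a', 'b'],    // $_POST['x'][] style input
    'too-long' => str_repeat('A', 300), // only the length-aware helper rejects this
];

foreach ($cases as $label => $value) {
    printf(
        "%-9s filterAndCompare=%-4s ctypeCheck=%-4s alnumParam=%s\n",
        $label,
        filterAndCompare($value) ? 'pass' : 'fail',
        ctypeCheck($value) ? 'pass' : 'fail',
        alnumParam([$label => $value], $label, 64) === null ? 'reject' : 'accept'
    );
}
```

The `empty` and `too-long` rows are the ones to look at: the first shows why a sanitize-and-compare check needs an extra emptiness test, the second shows why Alan's remark about excessive length applies to both approaches.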