SQL Injection is a security failure of the most hacked sites...
Here is an Anti-MySQL Injection function:
Code:
<?php
function anti_injection($sql) {
    // removes words that contain sql syntax
    // (sql_regcase() was removed in PHP 7; the /i modifier gives the same case-insensitive match)
    $sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i","",$sql);
    $sql = trim($sql); // strip whitespace
    $sql = strip_tags($sql); // strip HTML and PHP tags
    $sql = addslashes($sql); // quote string with slashes
    return $sql;
}
?>
How to call the function:
Code:
<?php $query = anti_injection($query); ?>
... or when you "post" the data:
Code:
<?php $query = anti_injection($_POST['something']); ?>
or another one i found
If the topic were [HOW TO] Anti-SQL Injection Function I might have said that it does not depend on any given DB, and there is a use for that, especially if you have SQL-compliant functions for flat files. That said, let's see what we can do to produce an anti-injection function that allows posting of (legal) SQL code in posts and works irrespective of the SQL interface..
.. after a bit of research I have the following, which covers all eventualities:
Code:
<?php
function anti_injection($sql,$debug=false) {
    if($sql=='') return ''; # return an empty string (the posted code returned null here)
    # $debug: the echo statements used for testing are not included in this copy of the code
    $single = false; # do single quotes translation
    $double = false; # do double quotes translation
    // $sql = trim($sql); # strip whitespace *(what if the first line is space indented? ie ascii art)
    // if (get_magic_quotes_gpc()) $sql = stripslashes($sql); # if you have problems with slashes (get_magic_quotes_gpc() was removed in PHP 8)
    $sql = htmlspecialchars($sql); # for < and >, &, single and double quote characters
    if(substr_count($sql,"'")==0) $single = false; else $single = true;
    if(substr_count($sql,'"')==0) $double = false; else $double = true;
    if($single) $sql = str_replace("'", '&#039;', $sql); # for single quote characters
    if($double) $sql = str_replace('"', '&quot;', $sql); # for double quote characters (the post had &quote;, which is not a valid HTML entity)
    return $sql;
}
?>
The echoes are just for testing (e.g. $safe_sql = anti_injection($data_to_be_sanitized,true);), as these may be set differently on your PHP installation (not 110mb).
(NOTE: when copying either of these PHP quoted code functions, change "& #039;" to read "&#039;" (minus the space); it's a quirk of the PHP code hiliter, which outputs "&#039;" as "'")
That said, for pure speed I would use the following (less the comments):
Code:
<?php
function anti_injection($sql) {
    $sql = htmlspecialchars($sql); # for < and >, &, single and double quote characters
    $sql = str_replace("'", '&#039;', $sql); # for single quote characters (just in case)
    $sql = str_replace('"', '&quot;', $sql); # for double quote characters (just in case; the post had &quote;, which is not a valid HTML entity)
    return $sql;
}
?>
or as antimatter might prefer
Code:
<?php function sql_ai($sql){return str_replace('"','&quot;',str_replace("'", '&#039;',htmlspecialchars($sql)));} ?>
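The following is an added example and is not code from any of the posts above. It reproduces the two approaches in the thread (the keyword blacklist with addslashes, and the htmlspecialchars entity encoding) under the assumed names anti_injection_blacklist() and anti_injection_entities(), runs them over constructed forum-style inputs so their effect on ordinary text is visible, and then stores the same raw values through a PDO prepared statement, which is the standard mitigation because a bound value is never parsed as part of the SQL text. The table name posts and the helper round_trip() are assumptions of the example; it also assumes the pdo_sqlite extension is installed so it can run offline against an in-memory database.

```php
<?php
// Added example; not code from the thread above. It reproduces the two
// posted sanitizers (blacklist + addslashes, and entity encoding) in compact
// form, runs them over constructed inputs, and contrasts them with a PDO
// prepared statement, where the value is bound as data and is never parsed
// as part of the SQL text. Assumes the pdo_sqlite extension is installed so
// the script can run offline against an in-memory database.
declare(strict_types=1);

// Blacklist approach from the first post. sql_regcase() is gone in PHP 7+,
// so the /i modifier supplies the case-insensitive match instead.
function anti_injection_blacklist(string $sql): string
{
    $pattern = '/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i';
    $sql = (string) preg_replace($pattern, '', $sql);
    return addslashes(strip_tags(trim($sql)));
}

// Entity-encoding approach from the later posts (&quote; corrected to &quot;).
function anti_injection_entities(string $sql): string
{
    $sql = htmlspecialchars($sql);
    $sql = str_replace("'", '&#039;', $sql);
    return str_replace('"', '&quot;', $sql);
}

// Parameterised round trip (assumed helper): store the raw value and read it
// back by equality. Returns true when the database hands back exactly what
// it was given.
function round_trip(PDO $db, string $raw): bool
{
    $insert = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $insert->execute([':body' => $raw]);

    $select = $db->prepare('SELECT body FROM posts WHERE body = :body');
    $select->execute([':body' => $raw]);
    return $select->fetchColumn() === $raw;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed inputs: ordinary forum text that happens to contain SQL
// keywords, quotes, comment markers and an ampersand.
$inputs = [
    "Please select the 'from' field before you delete it",
    "O'Brien & Sons \"Ltd\" -- est. 1901",
    "Drop table view: 5 * 3 = 15 #maths",
];

foreach ($inputs as $raw) {
    printf("raw      : %s\n", $raw);
    // Keywords and comment markers vanish from legitimate text; quotes gain slashes.
    printf("blacklist: %s\n", anti_injection_blacklist($raw));
    // Entities change the stored value, so a later lookup for O'Brien would not match.
    printf("entities : %s\n", anti_injection_entities($raw));
    // Binding keeps the value intact in the database ...
    printf("bound    : round-trip intact = %s\n", round_trip($db, $raw) ? 'yes' : 'no');
    // ... and HTML encoding belongs at the HTML sink, when the value is rendered.
    printf("rendered : %s\n\n", htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}
```

Run it with `php example.php`. The point of the side-by-side output is that the sanitizers alter the data before it reaches the database (keywords removed, quotes slashed or entity-encoded), while the bound parameter stores each value exactly as entered and still keeps it out of the SQL grammar; escaping for HTML is then applied once, at the point where the value is written into a page.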