Now i'm not here to give you an ultimate global function to stop mysql injection like i been seeing all around this site. No. Im here to give you a hook, not a fish. Rule of thumb, when writing PHP applications, NEVER assume that you can write a function better than php's native functions, e.g i see people make anti mysql injection functions that implements htmlspecialchars and addslashes etc. The mysql_real_escape_string function is the standard way to prevent sql so drop all that 'i can code a function' crap its lame. Reasons why u cant create a beta function? PHP is a community driven software, and thereby u can bet ur buttom, the functions r tested ova n ova n ova n ova again, in different OS, server api's, conditions, encodings etc. Now im not sayin the mres (mysql_real_escape_string) function is fail safe. But its ur best bet, belee dat.
-
Unless your using it before your database connection then its got to be addslashes :P (quick fixes) -
Now usually if ur sum1 like me, u wnt prolly settle for just mres because just like other functions, theres always issues when it boils down to character encoded attacks. Now a chain is only as strong as its weakest link. To really safeguard against sql injections, u must learn these rules.
1. Every string of data YOU DID NOT CREATE is a potential danger.
2. Every body can attempt to inject u, this is the internet ffs.
3. Never try to bend rules for ur users. A '30' character username slot must be limited to 30 chars client-side (use forms maxlength attribute) also 30 chars server-side (using strlen + trim, and throwing errors when exceeded) and finally 30 chars max in DB.
4. When creating tables, make sure use the right column type. Use INT for numbers and booleans, VARCHAR for strings, BLOB for images etc.
5. Type cast your damn variables. Example:
Now u probably wondering what (int) does, well thats short for integer. Php sees that and makes sure only a valid integer cums out ov that, if u pass '?id=a' as the GET value, in the first code, it really searches d database to match an id 'a', but in the second, since 'a' isnt a freaking integer, it replaces 'a' to 0. I dnt knw bout u bt its pretty hard writing injection code thats just numbers.PHP Code:// Less secure
$who = $_GET['id'];
$db = "SELECT *...WHERE id='$who'";
// Even better
function __($str, $htmlenc = FALSE){
// Sanitize the string
// Its recommended you get a gud library
// for this e.g htmlpurifier
$str = ($htmlenc) ? htmlspecialchars($str,ENT_QUOTES) : $str;
return mysql_real_escape_string($str);
}
$who = (int) __($_GET['id']);
Added after 21 minutes:
Using str_replace to remove select, update, delete is plain hilarious, i mean, is you serious o.O
For pete sake, to PHP, select = sel/**/ect so tell me, what good is that? When u str_replace, theres a million ways to beat it so dont bother blacklisting lol.
Added after 4 minutes:PHP Code:/**
* Sanitizes a string to avoid mysql injection
*
* @param string|array value(s) to sanitize
* @param boolean use htmlspecialchars or not
* @return string sanitized value
*/
function __($str = null, $htmlenc = false)
{
// Empty string?
if(empty($str))return null;
// Normal string?
if( ! is_array($str)){
$str = (string) ($htmlenc) ? htmlspecialchars($str, ENT_QUOTES) : $str;
return mysql_real_escape_string($str);
}
// Array of values yay!
else{
$str = (array) ($htmlenc) ? array_map('htmlspecialchars', $str) : $str;
return array_map('mysql_real_escape_string', $str);
}
}
You can add mur functions to dat function. Usage example:
PHP Code:$_POST = __($_POST, true);
// Returns an array
$who = __($_GET['id']);
// Returns string
Last edited by CreativityKills; 21.08.10, 22:45.Comment
Comment