
MySql injection Clean Strings


richiejones24

Recommended Posts

I currently use the following function to clean form inputs to prevent MySql injection,

 

Does this function do enough to prevent MySql injection? Is there anything I have missed?

 

<?php

// Function to sanitize values received from the form. Prevents SQL injection.
function clean($str) {
	$str = @trim($str);
	// Undo the backslashes that magic_quotes_gpc adds on older PHP builds,
	// otherwise the escape below doubles them up.
	if(get_magic_quotes_gpc()) {
		$str = stripslashes($str);
	}
	// Needs an open mysql_connect() link (it escapes for that link's charset);
	// without one it emits a warning and returns false. ext/mysql is gone in PHP 7.
	return mysql_real_escape_string($str);
}

?>

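What clean() does and does not cover, as an added example that is not code from this thread. It assumes a mysqli connection to a database with an `articles` table (host, credentials and columns are placeholders). The first query shows escaping doing its job inside quotes; the second shows that the same escaped value dropped into an unquoted `WHERE id = ...` is not protected at all, because there is nothing for real_escape_string() to escape; the third is the prepared-statement form, where query text and values travel separately and the context no longer matters. set_charset() is there because real_escape_string() escapes according to the connection's charset, and setting it with `SET NAMES` instead leaves the client library unaware of it.

```php
<?php
// Added example, not code from the thread. Assumes a live mysqli connection
// and a table `articles` (id INT, title VARCHAR); host, credentials and
// schema are placeholders.
$db = new mysqli('localhost', 'app', 'secret', 'blog');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}
// Escaping is charset-aware: set the connection charset through the client
// library, not with "SET NAMES", or real_escape_string() escapes for the wrong one.
$db->set_charset('utf8mb4');

// Constructed attacker inputs, standing in for $_POST / $_GET values.
$rawTitle = "x' OR '1'='1";
$rawId    = "1 OR 1=1";

// Case 1: escaped value inside quotes. The embedded quote is neutralised, the
// whole thing is compared as one literal string, and no row matches.
$title = $db->real_escape_string($rawTitle);
$sql1  = "SELECT id FROM articles WHERE title = '$title'";
echo $sql1, PHP_EOL;

// Case 2: the same escaping in an unquoted numeric context. There is no quote,
// backslash or NUL for real_escape_string() to touch, so $id is still the
// string "1 OR 1=1" and the query now reads ... WHERE id = 1 OR 1=1,
// which returns every article.
$id   = $db->real_escape_string($rawId);
$sql2 = "SELECT id FROM articles WHERE id = $id";
echo $sql2, PHP_EOL;

// Case 3: prepared statement. The query text is sent first and the values
// separately, so they can never be parsed as SQL whatever context they sit in.
$stmt = $db->prepare('SELECT id FROM articles WHERE id = ? OR title = ?');
$stmt->bind_param('is', $boundId, $boundTitle);
$boundId    = (int) $rawId;   // "1 OR 1=1" casts to 1
$boundTitle = $rawTitle;      // passed verbatim, quote and all
$stmt->execute();
$stmt->bind_result($found);
while ($stmt->fetch()) {
    echo 'matched id ', $found, PHP_EOL;
}
$stmt->close();
$db->close();
```

The practical rule that falls out of this: escaping is only a defence for string literals you have wrapped in quotes yourself, and even then only with the right connection charset; for anything else (numbers, identifiers, `LIMIT` clauses) use a typed value or a bound parameter.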

CKPD, stripslashes isn't a security measure; it is a function used to remove slashes when magic quotes is set on. If you don't remove the added slashes and then you run mysql_real_escape_string, you will have double slashes on your single quotes, making them still insecure.

 

So in many cases you NEED stripslashes.

 

However, you don't need to clean expected floats and expected integers; type casting does that more efficiently than anything else.

 

For example:

 

$id = (int) $_GET['article_id'];

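What the `(int)` cast actually does to hostile or malformed input, as an added example that is not code from this thread. The cast is safe for the query, since whatever comes out is a genuine integer, but it is lossy: "abc" becomes 0 and "1 OR 1=1" becomes 1, so a bad request quietly turns into a lookup of some other article. The `articleId()` helper below is an assumed stricter alternative built on filter_var(), which rejects anything that is not a well-formed integer in range. The expected results are held in the `$cases` table and checked in the loop, so the script reports any mismatch itself.

```php
<?php
// Added example, not code from the thread. articleId() is an assumed helper.

// Returns a positive article id, or null when the input is not a well-formed
// integer in range. Unlike (int), "abc" and "1 OR 1=1" do not become 0 and 1.
function articleId(array $params): ?int
{
    $v = filter_var(
        $params['article_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $v === false ? null : $v;
}

// Constructed sample inputs standing in for $_GET['article_id'], each with
// the value (int) produces and the value articleId() produces.
$cases = [
    '42'       => [42, 42],
    '1 OR 1=1' => [1,  null],   // cast stops at the first non-digit
    '12abc'    => [12, null],
    'abc'      => [0,  null],   // cast of a non-numeric string is 0
    '-5'       => [-5, null],   // below min_range
    '3.7'      => [3,  null],
    '0x1A'     => [0,  null],   // hex strings are not numeric in PHP 7+
];

$ok = true;
foreach ($cases as $raw => [$expectCast, $expectValid]) {
    $cast      = (int) $raw;                         // what the post suggests
    $validated = articleId(['article_id' => $raw]);  // strict alternative
    $match     = ($cast === $expectCast && $validated === $expectValid);
    $ok        = $ok && $match;
    printf("%-12s  (int) => %-4d  validated => %-5s  %s\n",
        var_export((string) $raw, true), $cast,
        var_export($validated, true), $match ? 'ok' : 'MISMATCH');
}
echo $ok ? 'all cases as expected' : 'some cases differ', PHP_EOL;

// Either way the value is a real int, so interpolating it into an unquoted
// numeric context is safe; the difference is whether bad input becomes an
// error or a silent lookup of article 0 or article 1.
$id = articleId(['article_id' => '1 OR 1=1']);
if ($id === null) {
    http_response_code(404);   // assumed handling for a bad id
    exit('no such article');
}
$sql = "SELECT title FROM articles WHERE id = $id";
```

Note the `(string) $raw` in the printf: PHP converts purely numeric string keys such as `'42'` to integer keys when the array is built, so the cast restores the original for display. The same casting idea applies to floats with `(float)` or `FILTER_VALIDATE_FLOAT`; the one thing neither fixes is a value that is a string by nature, which still needs quoting plus escaping or a bound parameter.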

If you want this code to be portable, leave the check of get_magic_quotes_gpc() and the call to stripslashes() if magic quotes is on in there. The one thing you might add would be a check of the PHP version. If it's 5.4.0 or greater, you can bypass the get_magic_quotes_gpc() check altogether because magic_quotes_gpc() has been removed as of 5.4.0.

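The version-portable form of the magic-quotes part of clean(), as an added example that is not code from this thread. It guards the get_magic_quotes_gpc() call on both the PHP version and the function's existence: the ini setting is gone in 5.4, the function itself is deprecated in 7.4 and removed in 8.0, so a bare call breaks on a current interpreter. The mysql_* escape call is deliberately left out, since it needs an open mysql link and ext/mysql no longer exists in PHP 7; the sample input is constructed.

```php
<?php
// Added example, not code from the thread. Portable replacement for the
// magic-quotes handling in clean(); the escaping step is left to the caller.

function undoMagicQuotes($str)
{
    $str = trim($str);

    // Below 5.4 magic_quotes_gpc may be on and must be undone. From 5.4 on
    // the setting is gone; from 7.4 the function is deprecated and in 8.0
    // it does not exist, so check the version first and the function second.
    if (version_compare(PHP_VERSION, '5.4.0', '<')
        && function_exists('get_magic_quotes_gpc')
        && get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return $str;
}

// Constructed input: what $_POST['name'] looks like on a PHP 5.3 host with
// magic_quotes_gpc=On when the user submitted  O'Brien
$fromForm = "O\\'Brien";

echo undoMagicQuotes($fromForm), PHP_EOL;
// On PHP >= 5.4 magic quotes never ran, so the backslash is the user's own
// and is kept; stripping unconditionally would corrupt that input.
```

Checking `function_exists()` alone is not enough, because on 7.4 the function still exists and calling it raises a deprecation notice; putting the version_compare() first short-circuits the call entirely on any interpreter where it could never return true.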

> If you want this code to be portable, leave the check of get_magic_quotes_gpc() and the call to stripslashes() if magic quotes is on in there. The one thing you might add would be a check of the PHP version. If it's 5.4.0 or greater, you can bypass the get_magic_quotes_gpc() check altogether because magic_quotes_gpc() has been removed as of 5.4.0.

 

Hence the reason why I'm not fond of it, as I've known it was going out the door for a while.

 

@RussellReal - I forgot why I ever used to use it but you've hit the nail on the head. Cheers.
