PHP protection against mysql injection

I wrote this short function to protect against MySQL injection. Because of its importance, I just want to double-check with someone else that this will work as I assume.

    foreach ($_REQUEST as $key => $value) {
        $_REQUEST[$key] = stripslashes($value);
        $_REQUEST[$key] = mysql_real_escape_string($_REQUEST[$key]);
    }
+6
6 answers

Well, do you use stripslashes() because magic_quotes_gpc is set? Then this code will only work when magic_quotes_gpc is set! I would recommend that you disable it and not use the stripslashes() call.

But note that there is no such thing as "universal sanitization." Let's just call it quoting, because that is what it is about.

When quoting, you always quote text for a specific output, for example:

  • string value for mysql query
  • like expression for mysql query
  • html code
  • Json
  • mysql regex
  • php regex

For each case you need different quoting, because each use sits in a different syntax context. This also implies that quoting should not be done at the input to PHP, but at the specific output! That is the reason why functions like magic_quotes_gpc are broken (always make sure they are turned off!!!).

So, what methods can be used for quoting in these specific cases? (Feel free to correct me, there may be more modern methods, but these work for me)

  • mysql_real_escape_string($str)
  • mysql_real_escape_string(addcslashes($str, "%_"))
  • htmlspecialchars($str)
  • json_encode() - only for UTF-8! I use my own function for iso-8859-2
  • mysql_real_escape_string(addcslashes($str, '^.[]$()|*+?{}')) - you cannot use preg_quote in this case, because the backslash would be escaped twice!
  • preg_quote()
+11

If you use PDO (correctly), you do not need to worry about MySQL injection.

Example:

    /* Execute a prepared statement by passing an array of insert values */
    $calories = 150;
    $colour = 'red';
    $sth = $dbh->prepare('SELECT name, colour, calories FROM fruit
        WHERE calories < :calories AND colour = :colour');
    $sth->execute(array(':calories' => $calories, ':colour' => $colour));

Additional Information

+5
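As an added example (not code from the question or from any of the answers above), here is how the two points of the answers above fit together in one PDO-based request handler: values are bound as parameters rather than escaped, the LIKE wildcards get their own context-specific escaping, the integer is type-cast and bound as an integer, and the result is quoted again, differently, for HTML and for JSON output. The DSN, credentials and the `fruit` table layout are assumptions taken from the PDO answer.

```php
<?php
// Added example; assumes a MySQL database with the `fruit` table
// (name, colour, calories) from the PDO answer. DSN and credentials
// are placeholders.
$dbh = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Quoting for the LIKE context: only the wildcards (and the escape
// character itself) need escaping; the placeholder handles the string
// quoting. MySQL uses backslash as the LIKE escape character by default.
function likePattern(string $input): string {
    return '%' . addcslashes($input, '\\%_') . '%';
}

// The integer is cast, as the type-casting answer suggests, and bound
// with an explicit type; no escaping function is involved at all.
function findFruit(PDO $dbh, string $nameFragment, $maxCalories): array {
    $sth = $dbh->prepare(
        'SELECT name, colour, calories FROM fruit
          WHERE name LIKE :pattern AND calories < :calories'
    );
    $sth->bindValue(':pattern', likePattern($nameFragment), PDO::PARAM_STR);
    $sth->bindValue(':calories', (int) $maxCalories, PDO::PARAM_INT);
    $sth->execute();
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// Quote again, per output context, at the point of output.
function renderHtmlList(array $rows): string {
    $items = '';
    foreach ($rows as $row) {
        $items .= '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
                . ' (' . htmlspecialchars($row['colour'], ENT_QUOTES, 'UTF-8') . ')</li>';
    }
    return "<ul>$items</ul>";
}

function renderJson(array $rows): string {
    // json_encode expects UTF-8, as the first answer notes; the utf8mb4
    // charset in the DSN guarantees that for data coming from MySQL.
    return json_encode($rows, JSON_THROW_ON_ERROR);
}

// A search for "50%_off" matches that text literally, not as a wildcard.
$rows = findFruit($dbh, $_GET['q'] ?? '50%_off', $_GET['max'] ?? 200);
echo renderHtmlList($rows);
```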

Sounds like a first approach. You do not need stripslashes unless you use magic_quotes. Type casting can be more elegant if you know you want int, float or bool.

Additional Information:

Type-cast: http://php.net/manual/en/language.types.type-juggling.php

Testing magic quotes: http://www.php.net/manual/en/function.get-magic-quotes-gpc.php (Thanks Karolis)

+3

You need to explicitly add the database connection id to

 mysql_real_escape_string(..., $db_connection_identifier); 

mysql_real_escape_string

    string mysql_real_escape_string(string $unescaped_string [, resource $link_identifier])

+1

If you include an arbitrary $key in your query, you should also escape them.

+1

Thomas's suggestion is good, but you should always keep them in mind, so this might be better:

    if (get_magic_quotes_gpc()) { // Check if magic quotes are enabled
        foreach ($_REQUEST as $key => $value) {
            // Undo the slashes added by magic quotes, then escape for MySQL
            $_REQUEST[$key] = mysql_real_escape_string(stripslashes($value));
        }
    } else {
        foreach ($_REQUEST as $key => $value) {
            $_REQUEST[$key] = mysql_real_escape_string($value);
        }
    }
+1

Source: https://habr.com/ru/post/894925/
