Simple best-practice idea to prevent sql injections
#1
Posted 16 February 2013 - 11:34 PM
Basically, you create a few functions like:
function ireq($x){ return intval($_REQUEST[$x]); }
function req($x){ return mysql_real_escape_string(trim($_REQUEST[$x])); }
function unescaped($x){ return $_REQUEST[$x]; }
Next, NEVER use $_REQUEST
Now, to check your site for SQL injection holes, you can just search for $_REQUEST and "unescaped(". You can even use this method to slowly rewrite other people's code, by replacing each $_REQUEST and making sure the proper characters are escaped.
Has the added benefit of being MUCH faster to type - $i = req('i') vs $i = mysql_real_escape_string($_REQUEST['i']);
#2
Posted 17 February 2013 - 12:04 AM
- Besides unescaped() you could just as easily search for code using $_REQUEST directly and fix that.
#3
Posted 17 February 2013 - 12:09 AM

My rarely updated, incredibly rambing, questionably informative blog || Don't go to w3schools || Using 'global' is a sign of doing it wrong
#4
Posted 17 February 2013 - 12:57 AM
- Besides unescaped() you could just as easily search for code using $_REQUEST directly and fix that.
The advantage to using unescaped is that it at least shows you looked and made a conscious decision to use unescaped data. Also, if you implement others' code, you can replace their $_REQUESTs as needed.
#5
Posted 17 February 2013 - 04:01 AM
You shouldn't be using the old mysql_* functions at all. They've been soft deprecated. Instead, use either MySQLi or PDO with prepared statements. That will protect you from injection attacks.
Agreed 100%
#6
Posted 20 February 2013 - 04:44 AM
#7
Posted 21 February 2013 - 12:04 PM
You shouldn't be using the old mysql_* functions at all. They've been soft deprecated. Instead, use either MySQLi or PDO with prepared statements. That will protect you from injection attacks.
I agree, with prepared statements, SQL injections are almost 100% eliminated.
// $db is assumed to be an already opened PDO connection
$username = 'Longstreet';
$query = $db->prepare("INSERT INTO names(username) VALUES(:username)");
// bindParam() takes the variable by reference, so pass $username itself,
// not the quoted literal '$username' (a literal cannot be bound by reference)
$query->bindParam(':username', $username, PDO::PARAM_STR);
$query->execute();
When I first started using PDO, I kept forgetting to execute the query and I can't tell you how many hours I had spent searching for why the heck my code wasn't working.
Edited by Stefany93, 21 February 2013 - 12:05 PM.
"Never take counsel of your fears!" - Stonewall Jackson
My site - http://dyulgerova.info
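Here is an added example, not code from this thread, that runs the same INSERT plus a lookup through PDO prepared statements against an in-memory SQLite database (so it works offline; the table, the sample input and the helper names are my own). It shows that a bound string is stored verbatim whatever it contains, and that an int-typed bind is the prepared-statement equivalent of the ireq() idea from post #1.

```php
<?php
// Open an in-memory SQLite database (constructed for this example).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql you would also set PDO::ATTR_EMULATE_PREPARES to false
// so the server, not the PHP driver, binds the parameters.
$db->exec("CREATE TABLE names (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");

// Insert untrusted input as a bound parameter, never by concatenation.
function insertName(PDO $db, string $username): void
{
    $stmt = $db->prepare("INSERT INTO names (username) VALUES (:username)");
    // bindValue() accepts a literal or a variable; bindParam() needs a variable.
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
}

// Look a row up by id. Casting to int and binding as PDO::PARAM_INT plays the
// role of the thread's ireq() wrapper: only a number can reach the query.
function findName(PDO $db, string $rawId): ?string
{
    $stmt = $db->prepare("SELECT username FROM names WHERE id = :id");
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

// Constructed sample input standing in for $_REQUEST['username'] and
// $_REQUEST['id']; both carry text that would break a concatenated query.
$username = "Longstreet'; DROP TABLE names; --";
insertName($db, $username);

// The string went in as data: the table still exists and holds one row
// whose username is byte-for-byte the input.
$count = (int) $db->query("SELECT COUNT(*) FROM names")->fetchColumn();
var_dump($count === 1);
var_dump(findName($db, '1 OR 1=1') === $username);
// An id that is not a number collapses to 0 and simply matches nothing.
var_dump(findName($db, 'abc') === null);
```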
#8
Posted 21 February 2013 - 12:05 PM
They deprecate everything =/
Nope, they deprecate stuff that doesn't work anymore or is harmful if used...
"Never take counsel of your fears!" - Stonewall Jackson
My site - http://dyulgerova.info