Thomisback Posted April 16, 2008

Hey, sorry I could not find the right section, and the tutorials section is read-only, but I really have to share this piece of code with the rest! Put it on top of every page (or in your config file) and it will block most SQL injections!

<?php
// Escape every value in $_GET before it can reach MySQL.
// If magic_quotes_gpc is on, the values are already slashed; this adds a further layer.
if ( get_magic_quotes_gpc() == TRUE ) {
    $_GET = array_map("addslashes", $_GET);
}
// mysql_real_escape_string() only exists from PHP 4.3.0; fall back to mysql_escape_string() before that.
if ( version_compare(phpversion(), "4.3.0") == -1 ) {
    $_GET = array_map("mysql_escape_string", $_GET);
} else {
    $_GET = array_map("mysql_real_escape_string", $_GET);
}

// Same treatment for $_POST.
if ( get_magic_quotes_gpc() == TRUE ) {
    $_POST = array_map("addslashes", $_POST);
}
if ( version_compare(phpversion(), "4.3.0") == -1 ) {
    $_POST = array_map("mysql_escape_string", $_POST);
} else {
    $_POST = array_map("mysql_real_escape_string", $_POST);
}
?>

~ Thomisback
Xeoncross Posted April 16, 2008

You should wait to mysql_real_escape_string() until the data is about to be stored (in MySQL), because if you are working with XML, SQLite, Akismet, or anything else you will start having problems with pre-slashed code. But you should always stripslashes():

<?php
// Undo the slashes magic_quotes_gpc added, so the rest of the app sees the raw input.
if ( get_magic_quotes_gpc() ) {
    $_POST = array_map("stripslashes", $_POST);
}
?>
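An added example, not code from this thread, showing the approach the reply above describes: undo magic quotes once at input (including nested form arrays, which a plain array_map() call would not handle), and escape only at the moment a MySQL query is built. It assumes a mysqli connection in a placeholder variable $db and a hypothetical users table.

```php
<?php
// Added example (not code from the thread). Undo magic_quotes_gpc once at
// input, escape only when building the query.

// Constructed sample standing in for $_POST with magic_quotes_gpc enabled;
// the user actually typed O'Reilly and it's.
$magicQuotedPost = [
    'name' => "O\\'Reilly",
    'tags' => ["it\\'s", "plain"],   // nested array, as name[] form fields produce
];

// Recursively remove the slashes magic quotes added, so the data is the raw
// text the user submitted (safe to hand to XML, SQLite, Akismet, etc.).
// array_map('stripslashes', $_POST) alone would not handle the nested array.
function strip_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Escape only here, only for MySQL, and with the live connection so the
// connection charset is taken into account. $db is a placeholder mysqli link.
function build_insert(mysqli $db, string $name): string {
    return "INSERT INTO users (name) VALUES ('"
        . mysqli_real_escape_string($db, $name) . "')";
}

// Preferred alternative: a prepared statement needs no manual escaping at all.
function insert_prepared(mysqli $db, string $name): bool {
    $stmt = $db->prepare("INSERT INTO users (name) VALUES (?)");
    $stmt->bind_param('s', $name);
    return $stmt->execute();
}

// Runtime guard: on old PHP with magic quotes on, normalise the real input.
// get_magic_quotes_gpc() no longer exists on PHP 8, hence the function_exists check.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_POST = strip_magic_quotes($_POST);
    $_GET  = strip_magic_quotes($_GET);
}

// Demonstration on the constructed sample (no database needed).
$raw = strip_magic_quotes($magicQuotedPost);
var_dump($raw['name'], $raw['tags']);

// For contrast, what the first post's code does when magic quotes are on:
// addslashes() on already-slashed input, so a second backslash ends up stored.
var_dump(addslashes($magicQuotedPost['name']));
```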
Thomisback (Author) Posted April 16, 2008

Thanks for your suggestion.