Jump to content

preventing mysql injection

tidus97

By tidus97
in PHP Coding Help

Recommended Posts

tidus97 Newbie

tidus97

Posted
Posted

would replacing all spaces in inputted text be ample enough to prevent against these attacks? for example,

 

INSERT INTO table (this) VALUE('this')

 

would become

 

INSERT%$space$%INTO%$space$%table%$space$%(this)%$space$%VALUE('this')

 

or something.

 

i know this wont work on all html. something like <h1>this</h1> will still work fine for example, but thats not the point of this part of the cleaning process lol.

 

 

Link to comment
https://forums.phpfreaks.com/topic/141566-preventing-mysql-injection/
Share on other sites
ratcateme Member

ratcateme

Posted
Posted

the best way to prevent mysql injections is by taking all user input and sterilizing it like

$username = mysql_real_escape_string($_POST['username']);

keeps you code easy to read and understand and you can put $username into your queries with no worries about injections

 

Scott.

Prismatic Member

Prismatic

Posted
Posted

i know. but i dont want to use that. it just inserts \'s everywhere. yes, i know this is to make any code that may have been inputed useless, but it sort of sucks when i need to output the inputed text as a comment. im making a sort of shoutbox.

 

you run stripslashes on the output. Really, it's your best bet.

tidus97 Newbie

tidus97

Posted
  • Author
Posted

oh wierd. it works alot better than i thought it would

 

 

 


function cleanupForStorage($x,$exep=null){
$x = mysql_real_escape_string($x);
$x = strip_tags($x,$inExep);
return $x;
}

function cleanupForOutput($x){
$x = stripslashes($x); 
return $x;
}




$string = '<h1>Hello, World!</h1>""""""" do <i>you</i> like\hate slashes? and these "quotes"';

$string=cleanupForStorage($string,'<h1>');
echo "This is for storage: ".$string."<br />";

$string=cleanupForOutput($string);
echo "This is for output: ".$string."<br />";

 

output:

This is for storage: Hello, World!\"\"\"\"\"\"\" do you like\\hate slashes? and these \"quotes\"

This is for output: Hello, World!""""""" do you like\hate slashes? and these "quotes"

 

which is good, but despite keeping the h1 tags, they disappear.

 

 

 

haku Regular Member

haku

Posted
Posted

What do you mean prevent tags? HTML tags? They aren't used in injection attacks. But if you really want to strip them out, you can use striptags(). But you should do this when pulling data out of the database before outputting to the screen, not when putting the data into the database.

tidus97 Newbie

tidus97

Posted
  • Author
Posted

bah thats what happens when u build build a function from cuts and pastes from something else :P

 

works wonderfully now. thx guys, got that all sorted.

 

 

 

 

function cleanupForStorage($x,$inExep=null){
$x = mysql_real_escape_string($x);
$x = strip_tags($x,$inExep);
return $x;
}

function cleanupForOutput($x,$exep=null){
$order   = array('\r\n' , '\n', '\r');
$x = str_replace($order, '<br />', $x);
$x = stripslashes($x); 
return $x;
}





$string = '<b>Hello, World!</b>""""""" do <i>you</i> like\hate slashes? and these "quotes"?
what
about
new
lines';

$string=cleanupForStorage($string,'<b>');
echo "This is for storage: ".$string."<br />";

$string=cleanupForOutput($string);
echo "This is for output: ".$string."<br />";

 

result:

This is for storage: <b>Hello, World!</b>\"\"\"\"\"\"\" do you like\\hate slashes? and these \"quotes\"?\nwhat\nabout\nnew\nlines

This is for output: Hello, World!""""""" do you like\hate slashes? and these "quotes"?

what

about

new

lines

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.