milesap, posted January 29, 2009:

I was wondering what is the best solution to prevent MySQL injection attacks and Cross Site Scripting. I devised the following, which is placed before any PHP code can begin working on submitted variables:

```php
<?php
// Run over every incoming GET and POST value before the rest of the script sees it
if (isset($_GET)) {
    foreach ($_GET as $key => $value) {
        $_GET[$key] = htmlspecialchars(strip_tags($value));
    }
}
if (isset($_POST)) {
    foreach ($_POST as $key => $value) {
        $_POST[$key] = htmlspecialchars(strip_tags($value));
    }
}
```

Anyone have a better solution, or see any problems with using this?

Link: https://forums.phpfreaks.com/topic/142997-preventing-mysql-injection-attacks-and-cross-site-scripting/
gevans, posted January 29, 2009:

If you're inserting into a database, incorporate mysql_real_escape_string() into your code.
limitphp, posted January 29, 2009:

I think, as someone mentioned in here before, it is better to "clean" the variable only when you are about to use it and it needs to be cleaned. Don't clean it just to clean it. So, only clean if you are using it in a SQL statement, or if you are displaying it in HTML or a textbox. I use this:

```php
<?php
// Escape a value for one specific context: "sql" or "html"
function clean($value, $type)
{
    if ($type == "sql") {
        // Undo magic_quotes so the value is not escaped twice
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
    } elseif ($type == "html") {
        $value = htmlspecialchars($value, ENT_QUOTES);
    }
    return $value;
}
```
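As an added example (not code from anyone in this thread), here is the same "escape at the point of use, per context" idea from limitphp's post carried through end to end. It swaps in a PDO prepared statement for the SQL side and keeps htmlspecialchars() with ENT_QUOTES for the HTML side; it assumes the pdo_sqlite extension is available so it can run against an in-memory database.

```php
<?php
declare(strict_types=1);

// SQL context: the value is bound as a parameter, so the database engine
// never interprets user data as part of the query text.
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT username, email FROM users WHERE username = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML context: encode only when rendering. ENT_QUOTES covers both quote
// styles so the value is safe inside attributes as well as text nodes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample data in a throwaway in-memory SQLite database (assumption:
// pdo_sqlite is installed). No `users` table exists outside this script.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, email TEXT)');

// A constructed value containing a quote, a tag and an ampersand: stored as-is,
// because in the SQL context it is data, not query syntax.
$sample = "O'Brien <b>&</b>";
$ins = $pdo->prepare('INSERT INTO users (username, email) VALUES (:u, :e)');
$ins->execute([':u' => $sample, ':e' => 'obrien@example.com']);

$user = findUserByName($pdo, $sample);
assert($user !== null && $user['username'] === $sample); // round-trips unchanged

// Only here, at the HTML sink, is the value encoded; the raw text survives in the
// database and in the textbox, but cannot break out of the attribute or inject markup.
echo '<input type="text" name="username" value="' . h($user['username']) . '">' . "\n";
echo '<p>' . h($user['username']) . '</p>' . "\n";
```

Because nothing is altered on the way in, the same stored value can later be emitted safely into a different context (JSON, a URL parameter) with that context's own encoder instead of one blanket transformation.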