lJesterl Posted October 20, 2009

I'm cleaning up an old app that I wrote, fixing some of the vulnerabilities from attacks. I have roughly 30 files. I want to be able to edit every $_POST and $_GET:

    $value = $_POST['value'];
    $value = $_GET['value'];

My instinct would be to edit every file and do it manually:

    $value = $_POST['value'];
    $value = mysql_real_escape_string($value);
    $value = $_GET['value'];
    $value = mysql_real_escape_string($value);

but if there was a faster way it would make my life easier. What I would like to do is maybe create a function I can put at the top of every page, or into my global.php which is included into every page, that would do something like this:

    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    } else {
        $value = mysql_real_escape_string($value);
    }

I don't intend to have magic quotes on, but other people might on their servers. I just need every $_POST or $_GET within my script to be automatically cleaned or filtered from SQL injections.

I saw something a long time ago where it was something they put at the top of their page. This will be completely wrong, but I will give you an example of what it looked like:

    $_GET     = array_map('mysql_real_escape_string', $_GET);
    $_POST    = array_map('mysql_real_escape_string', $_POST);
    $_COOKIE  = array_map('mysql_real_escape_string', $_COOKIE);
    $_REQUEST = array_map('mysql_real_escape_string', $_REQUEST);

I'm not too sure how that goes about affecting everything, where to put it, etc. Any ideas or suggestions? Or am I stuck doing it manually?
Alex Posted October 20, 2009

Your example is exactly correct. What that does is loop through all elements of those arrays and perform that function on each element. See array_map().
lJesterl Posted October 20, 2009 (Author)

Please don't kill me. I found the tutorial I referenced:

    if (!get_magic_quotes_gpc()) {
        $_GET    = array_map('mysql_real_escape_string', $_GET);
        $_POST   = array_map('mysql_real_escape_string', $_POST);
        $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
    } else {
        $_GET    = array_map('stripslashes', $_GET);
        $_POST   = array_map('stripslashes', $_POST);
        $_COOKIE = array_map('stripslashes', $_COOKIE);
        $_GET    = array_map('mysql_real_escape_string', $_GET);
        $_POST   = array_map('mysql_real_escape_string', $_POST);
        $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
    }

From my understanding I could put this in my global.php, which is already included into every file, or I could make another file, say "trimit.php", and include it in every file, and as long as it is at the top of the page (after the db connection config file) then it will automatically clean the data?
mikesta707 Posted October 20, 2009

Yes, it will. array_map takes every single entry in one array and runs all of them through a function. In your case, you run them through the stripslashes or mysql_real_escape_string functions.
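Two things the thread's snippet does not handle, plus the approach a security reviewer would push for today, as an added example that is not code from the thread or the tutorial it quotes. First, array_map() hands each element straight to stripslashes()/mysql_real_escape_string(), and both expect a string; a request such as name[]=a&name[]=b gives an array element, which produces a "expects parameter 1 to be string, array given" warning and a NULL value, so the walk has to be recursive. Second, escaping only makes a value safe inside a quoted string literal; WHERE id = $id with no quotes stays injectable after escaping, so numeric values must be cast or whitelisted. mysql_real_escape_string() also needs an open connection (which is why the include has to come after the db config file), and the whole ext/mysql extension was removed in PHP 7, so the example uses mysqli for the escaping variant and PDO prepared statements for the alternative. The DSN, credentials and the users table are assumed placeholders.

```php
<?php
// Added example, not code from the thread. Assumes MySQL reached through
// mysqli (Part 1) or PDO (Part 2); connection details and the "users" table
// are placeholders.

// --- Part 1: the blanket-escaping approach, done so it does not break -------

// stripslashes() takes a string; array_map() hands it an array for input such
// as name[]=a&name[]=b, so recurse instead.
function strip_magic_quotes_deep($value) {
    return is_array($value) ? array_map('strip_magic_quotes_deep', $value)
                            : stripslashes($value);
}

// Escape for a MySQL string literal using the already-open connection.
// Escaping is only correct between '...' quotes; an unquoted numeric
// context (WHERE id = $id) must be cast or whitelisted separately.
function escape_deep(mysqli $db, $value) {
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = escape_deep($db, $v);
        }
        return $out;
    }
    return $db->real_escape_string($value);
}

function sanitize_request_globals(mysqli $db) {
    // Magic quotes only exist up to PHP 5.3; the function itself is gone in
    // PHP 8, hence the function_exists() guard.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET    = strip_magic_quotes_deep($_GET);
        $_POST   = strip_magic_quotes_deep($_POST);
        $_COOKIE = strip_magic_quotes_deep($_COOKIE);
    }
    $_GET    = escape_deep($db, $_GET);
    $_POST   = escape_deep($db, $_POST);
    $_COOKIE = escape_deep($db, $_COOKIE);
    // Side effect: every value is now SQL-escaped even when it is only echoed
    // to HTML, written to a file, or sent by mail, so O'Brien shows up there
    // as O\'Brien. Unescape before such uses, or prefer Part 2.
}

// --- Part 2: prepared statements, which need no escaping at all ------------

function find_user(PDO $pdo, $name, $id) {
    // The driver sends the SQL text and the values separately, so a value can
    // never change the query structure. The numeric one is still cast so a
    // non-numeric id becomes 0 instead of being coerced by MySQL.
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name AND id = :id');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (placeholder connection details):
// $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret',
//     array(PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//           PDO::ATTR_EMULATE_PREPARES => false));
// $name = isset($_POST['name']) ? $_POST['name'] : '';
// $id   = isset($_GET['id'])    ? $_GET['id']    : 0;
// $rows = find_user($pdo, $name, $id);
```

Part 1 is the thread's idea made robust: call sanitize_request_globals() once from global.php after the connection is opened, and it is applied to every page. Part 2 removes the need for it entirely, leaves $_GET/$_POST untouched for non-SQL uses, and is the only one of the two that still works on a current PHP release; ATTR_EMULATE_PREPARES set to false makes the MySQL server, not the client library, do the parameter separation.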