
MySql injection Clean Strings


richiejones24


I currently use the following function to clean form inputs to prevent MySql injection,

 

Does this function do enough to prevent MySql injection? Is there anything I have missed?

 

<?php

// Function to sanitize values received from the form. Intended to prevent SQL injection.
// Note: mysql_real_escape_string() needs an open mysql_connect() link (it returns false
// without one), and the whole mysql_* extension was removed in PHP 7.
function clean($str) {
	$str = @trim($str);
	// Undo the backslashes magic_quotes_gpc adds automatically, so the value
	// is not escaped a second time by mysql_real_escape_string() below
	if(get_magic_quotes_gpc()) {
		$str = stripslashes($str);
	}
	return mysql_real_escape_string($str);
}

?>


CKPD, stripslashes isn't a security measure, it is a function used to remove slashes when magic quotes is set on. If you don't remove the added slashes and then run mysql_real_escape_string, you will have double slashes on your single quotes, making them still insecure.

 

So in many cases you NEED stripslashes.

 

However, you don't need to clean expected floats and expected integers; type casting does that more efficiently than anything else.

 

For example:

 

$id = (int) $_GET['article_id'];
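As an added example (not code from any poster in this thread), the casting idea above carried one step further: integers are cast and range-checked, and string values are bound as prepared-statement parameters instead of being escaped, which makes the magic-quotes/stripslashes question go away entirely. It assumes a mysqli connection `$db` and a hypothetical `articles` table with integer `id` and string `title` columns.

```php
<?php
// Added example, not from the thread. Assumes a mysqli connection $db and a
// hypothetical table `articles` (id INT, title VARCHAR).

// Expected integers: cast, as suggested above. Anything non-numeric becomes 0,
// so reject that explicitly rather than silently querying for id 0.
function article_id_from_request(array $get): ?int {
    if (!isset($get['article_id'])) {
        return null;
    }
    $id = (int) $get['article_id'];   // "42" -> 42, "42abc" -> 42, "abc" -> 0
    return $id > 0 ? $id : null;
}

// Expected strings: bind them as parameters. The value travels separately from
// the SQL text, so no escaping (and no double-escaping) is involved.
function find_articles_by_title(mysqli $db, string $title): array {
    $stmt = $db->prepare('SELECT id, title FROM articles WHERE title = ?');
    $stmt->bind_param('s', $title);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// The cast-then-bind path for the article_id case from the post above.
function find_article_by_id(mysqli $db, int $id): ?array {
    $stmt = $db->prepare('SELECT id, title FROM articles WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (hypothetical connection details):
// $db = new mysqli('localhost', 'user', 'pass', 'blog');
// $id = article_id_from_request($_GET);
// $article = $id === null ? null : find_article_by_id($db, $id);
```

With bound parameters the database never parses user input as SQL, so the trim/stripslashes/escape chain in `clean()` is no longer needed for query safety.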

If you want this code to be portable, leave the check of get_magic_quotes_gpc() and the call to stripslashes() if magic quotes is on in there. The one thing you might add would be a check of the PHP version. If it's 5.4.0 or greater, you can bypass the get_magic_quotes_gpc() check altogether because magic_quotes_gpc() has been removed as of 5.4.0.

Hence the reason why I'm not fond of it as I've known it was going out the door for a while.

 

@RussellReal - I forgot why I ever used to use it but you've hit the nail on the head. Cheers.
