Jump to content

MySql injection Clean Strings

richiejones24

By richiejones24
in PHP Coding Help

 Share

Recommended Posts

richiejones24 Member

richiejones24

Posted
Posted

I currently use the following function to clean form inputs to prevent MySql injection,

 

Does this function do enough to prevent MySql injection? is there anything i have missed?

 

<?php

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
	$str = @trim($str);
	if(get_magic_quotes_gpc()) {
		$str = stripslashes($str);
	}
	return mysql_real_escape_string($str);
}

?>

Link to comment
https://forums.phpfreaks.com/topic/258604-mysql-injection-clean-strings/
Share on other sites
RussellReal Member

RussellReal

Posted
Posted

CKPD, stripslashes isn't a security measure, it is a function used to remove slashes when magic quotes is set on, if you don't remove the added slashes, then you run mysql_real_escape_string, you will have double slashes on your single quotes, making them still insecure..

 

so in many cases you NEED strip slashes..

 

however, you don't need to clean expected floats and expected integers, type casting does that more efficiently than anything else..

 

for example..

 

$id = (int) $_GET['article_id'];

Pikachu2000 Prolific Member

Pikachu2000

Posted
Posted

If you want this code to be portable, leave the check of get_magic_quotes_gpc() and the call to stripslashes() if magic quotes is on in there. The one thing you might add would be a check of the PHP version. If it's 5.4.0 or greater, you can bypass the get_magic_quotes_gpc() check altogether because magic_quotes_gpc() has been removed as of 5.4.0.

cpd Member

cpd

Posted
Posted

If you want this code to be portable, leave the check of get_magic_quotes_gpc() and the call to stripslashes() if magic quotes is on in there. The one thing you might add would be a check of the PHP version. If it's 5.4.0 or greater, you can bypass the get_magic_quotes_gpc() check altogether because magic_quotes_gpc() has been removed as of 5.4.0.

 

Hence the reason why I'm not fond of it as I've known it was going out the door for a while.

 

@RussellReal - I forgot why I ever used to use it but you've hit the nail on the head. Cheers.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.