tibberous Posted February 17, 2013

I normally hate best practices, but this one I came up with, so it's less bad. Basically, you create a few functions like:

function ireq($x){ return intval($_REQUEST[$x]); }
function req($x){ return mysql_real_escape_string(trim($_REQUEST[$x])); }
function unescaped($x){ return $_REQUEST[$x]; }

Next, NEVER use $_REQUEST.

Now, to check your site for SQL injection holes, you can just search for $_REQUEST and "unescaped(". You can even use this method to slowly rewrite other people's code, by replacing each $_REQUEST and making sure the proper characters are escaped. Has the added benefit of being MUCH faster to type: $i = req('i') vs $i = mysql_real_escape_string($_REQUEST['i']);
requinix Posted February 17, 2013

- filter_var is a more powerful version of the req() and ireq() you made.
- Besides unescaped() you could just as easily search for code using $_REQUEST directly and fix that.
KevinM1 Posted February 17, 2013

You shouldn't be using the old mysql_* functions at all. They've been soft deprecated. Instead, use either MySQLi or PDO with prepared statements. That will protect you from injection attacks.
tibberous Posted February 17, 2013 (Author)

> Besides unescaped() you could just as easily search for code using $_REQUEST directly and fix that.

The advantage to using unescaped is that it at least shows you looked and made a conscious decision to use unescaped data. Also, if you implement others' code, you can replace their $_REQUEST's as needed.
gizmola Posted February 17, 2013

> You shouldn't be using the old mysql_* functions at all. They've been soft deprecated. Instead, use either MySQLi or PDO with prepared statements. That will protect you from injection attacks.

Agreed 100%
tibberous Posted February 20, 2013 (Author)

They deprecate everything =/
Stefany93 Posted February 21, 2013

> You shouldn't be using the old mysql_* functions at all. They've been soft deprecated. Instead, use either MySQLi or PDO with prepared statements. That will protect you from injection attacks.

I agree, with prepared statements, SQL injections are almost 100% eliminated.

$username = 'Longstreet';
$query = $db->prepare("INSERT INTO names(username) VALUES(:username)");
// bindParam binds by reference, so it needs the variable itself, not a quoted string
$query->bindParam(':username', $username, PDO::PARAM_STR);
$query->execute();

When I first started using PDO, I kept forgetting to execute the query and I can't tell you how many hours I had spent searching why the heck wasn't my code working.

Edited February 21, 2013 by Stefany93
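The two ideas in this thread, typed request wrappers (the first post, and requinix's filter_var suggestion) and PDO prepared statements (the post above), combined into one runnable script. This is an added example, not code from any poster; it assumes the pdo_sqlite extension so it runs against an in-memory database, and the helper names intParam, strParam, insertUser and findUser are made up here.

```php
<?php
// Added example, not from the thread. Assumes pdo_sqlite is available.

// Typed input helpers in the spirit of ireq()/req(), built on filter_var.
// Note they only validate and trim; they do NOT escape. Escaping is no
// longer an input concern once every query uses placeholders.
function intParam(array $src, string $key, int $default = 0): int {
    $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_INT);
    return $v === false ? $default : $v;
}
function strParam(array $src, string $key, int $maxLen = 64): string {
    return substr(trim((string)($src[$key] ?? '')), 0, $maxLen);
}

function insertUser(PDO $db, string $username, int $age): int {
    // Placeholders keep the data out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO names (username, age) VALUES (:username, :age)');
    // bindValue accepts any expression; bindParam needs a variable reference.
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->execute();               // the step that is easy to forget
    return (int)$db->lastInsertId();
}

function findUser(PDO $db, int $id): ?array {
    $stmt = $db->prepare('SELECT id, username, age FROM names WHERE id = :id');
    $stmt->execute([':id' => $id]); // execute() can bind an array of values directly
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:', null, null,
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE names (id INTEGER PRIMARY KEY, username TEXT NOT NULL, age INTEGER)');

// Constructed request data standing in for $_REQUEST. The apostrophe in the
// name is exactly what mysql_real_escape_string existed for; with a prepared
// statement it is stored verbatim and never touches the SQL grammar.
$request = ['username' => "O'Brien", 'age' => '42abc', 'id' => '1'];

$newId = insertUser($db, strParam($request, 'username'), intParam($request, 'age'));
var_dump(findUser($db, intParam($request, 'id')));
```

Searching the code base for `$_REQUEST`, `$_GET` and `$_POST` still works as the audit step from the first post; the difference is that a hit now means "input read without a typed helper", not "input concatenated into SQL".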
Stefany93 Posted February 21, 2013

> They deprecate everything =/

Nope, they deprecate stuff that doesn't work anymore or is harmful if used...