tibberous Posted February 17, 2013
I normally hate best practices, but this one I came up with, so it's less bad. Basically, you create a few functions like:

function ireq($x){ return isset($_REQUEST[$x]) ? intval($_REQUEST[$x]) : 0; }                                // integer parameters
function req($x){ return isset($_REQUEST[$x]) ? mysql_real_escape_string(trim($_REQUEST[$x])) : ''; }     // string parameters, escaped for the mysql_* extension
function unescaped($x){ return isset($_REQUEST[$x]) ? $_REQUEST[$x] : null; }                               // raw value; the name makes every use stand out in an audit

Next, NEVER use $_REQUEST. Now, to check your site for SQL injection holes, you can just search for $_REQUEST and "unescaped(". You can even use this method to slowly rewrite other people's code, by replacing each $_REQUEST and making sure the proper characters are escaped. Has the added benefit of being MUCH faster to type - $i = req('i') vs $i = mysql_real_escape_string($_REQUEST['i']);
requinix Posted February 17, 2013
- filter_var is a more powerful version of the req() and ireq() you made.
- Besides unescaped() you could just as easily search for code using $_REQUEST directly and fix that.
KevinM1 Posted February 17, 2013
You shouldn't be using the old mysql_* functions at all. They've been soft deprecated. Instead, use either MySQLi or PDO with prepared statements. That will protect you from injection attacks.
tibberous Posted February 17, 2013 (Author)
Quoting requinix: "Besides unescaped() you could just as easily search for code using $_REQUEST directly and fix that."
The advantage to using unescaped is that it at least shows you looked and made a conscious decision to use unescaped data. Also, if you implement others' code, you can replace their $_REQUESTs as needed.
gizmola Posted February 17, 2013
Quoting KevinM1: "You shouldn't be using the old mysql_* functions at all. They've been soft deprecated. Instead, use either MySQLi or PDO with prepared statements. That will protect you from injection attacks."
Agreed 100%
tibberous Posted February 20, 2013 (Author)
They deprecate everything =/
Stefany93 Posted February 21, 2013
Quoting KevinM1: "You shouldn't be using the old mysql_* functions at all. They've been soft deprecated. Instead, use either MySQLi or PDO with prepared statements. That will protect you from injection attacks."
I agree, with prepared statements, SQL injections are almost 100% eliminated.

$username = 'Longstreet';
$query = $db->prepare("INSERT INTO names(username) VALUES(:username)");
$query->bindParam(':username', $username, PDO::PARAM_STR);   // bindParam() binds the variable by reference, so pass $username itself, not the string '$username'
$query->execute();                                            // nothing reaches the database until this call

When I first started using PDO, I kept forgetting to execute the query and I can't tell you how many hours I had spent searching why the heck my code wasn't working.
Stefany93 Posted February 21, 2013
Quoting tibberous: "They deprecate everything =/"
Nope, they deprecate stuff that doesn't work anymore or is harmful if used...
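As an added worked example (not code from anyone in this thread), the following puts the three suggestions above together: tibberous' idea of a small set of request accessors so that raw $_REQUEST never appears anywhere else, requinix's point that filter_var validates better than intval(), and KevinM1's point that PDO prepared statements, not escaping, are what keep input out of the SQL grammar. It uses an in-memory SQLite database so it runs offline on PHP 7.4 or later with the pdo_sqlite extension; the $_REQUEST contents, the names table, and the function names ireq(), req(), rawReq(), insertName() and findName() are all constructed for the example.

```php
<?php
// Added example: request accessors plus PDO prepared statements.
// The $_REQUEST array below is constructed sample input standing in
// for a real HTTP request; the table and function names are invented.

declare(strict_types=1);

// Validating accessors. The audit trick from the thread still works:
// outside this file, grep for "$_REQUEST" and "rawReq(" and every hit is
// either a bug or a conscious decision.
function ireq(string $key, ?int $default = null): ?int
{
    // FILTER_VALIDATE_INT rejects "12abc" outright, where intval() would
    // silently turn it into 12. Missing or invalid input yields $default.
    $value = filter_var($_REQUEST[$key] ?? null, FILTER_VALIDATE_INT);
    return $value === false ? $default : $value;
}

function req(string $key, string $default = ''): string
{
    // No escaping here: quoting is the prepared statement's job, so the
    // same value can also be used safely outside SQL (e.g. in HTML with
    // htmlspecialchars, which needs a different escaping rule anyway).
    $value = $_REQUEST[$key] ?? null;
    return is_string($value) ? trim($value) : $default;
}

function rawReq(string $key)
{
    // The deliberately named escape hatch, same role as unescaped():
    // every call site documents that unfiltered data is being handled.
    return $_REQUEST[$key] ?? null;
}

// The corrected form of the bindParam() call posted above: bindParam()
// takes the variable itself (by reference), not a quoted '$username'.
function insertName(PDO $db, string $username): int
{
    $stmt = $db->prepare('INSERT INTO names (username) VALUES (:username)');
    $stmt->bindParam(':username', $username, PDO::PARAM_STR);
    $stmt->execute();                     // the step that is easy to forget
    return (int) $db->lastInsertId();
}

function findName(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT username FROM names WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

// Constructed sample request: a name containing a quote character and a
// non-numeric id, the two inputs that trip up escape-by-hand code.
$_REQUEST = ['username' => "  O'Brien  ", 'id' => '12abc'];

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE names (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL)');

$newId = insertName($db, req('username'));
var_dump(findName($db, $newId)); // string(7) "O'Brien": the quote is stored as data, not parsed as SQL
var_dump(ireq('id'));            // NULL: "12abc" is rejected rather than coerced to 12
var_dump(ireq('id', 1));         // int(1): caller-chosen default for invalid input
```

The design choice worth noting is that req() no longer escapes anything. With mysql_real_escape_string() the accessor had to know which database it was feeding, and the same value could not be reused for HTML or a file name without double-escaping or under-escaping. With bound parameters the driver sends the value separately from the statement text, so the accessor only needs to validate shape (string, integer) and the SQL side is correct by construction.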