magcr23 Posted June 26, 2015 Share Posted June 26, 2015 Hi guys, i'm using that against mysql injection: function limpa($data){ if(is_array($data)){die('Warning: trim() expects parameter 1 to be string, array given in /do/u/even/hack/bro?.php on line 69');} $data = trim($data); $data = stripslashes($data); $data = htmlspecialchars($data); return $data; } But i my textareas are text editor (CKeditor), and if i use: $mensagem = limpa($_POST["corpoMSG"]); It don't insert nothing for the data base. that's the insert code: $de = limpa($_POST["remetenteMSG"]); $para = limpa($_POST["destinatarioMSG"]); $assunto = limpa($_POST["assuntoMSG"]); $mensagem = limpa($_POST["corpoMSG"]); @$data = date('Y-m-d'); $raiz = '0'; $msg = "INSERT INTO mensagens(id, emissor, destinatario, mensagem, assunto, data, raiz, visivelEmissor, visivelDestinatario) VALUES (DEFAULT, '$de', '$para', '$mensagem', '$assunto', '$data', '$raiz', '1', '1' )"; mysqli_query($con, $msg); Does anyone can help me? Quote Link to comment Share on other sites More sharing options...
Ch0cu3r Posted June 26, 2015 Share Posted June 26, 2015 If nothing is being inserted then there is most likely a problem with the query. if(!mysqli_query($con, $msg)) { trigger_error('Unable to insert message into database: ' . mysqli_error($con)); } Also your lispa function will not be very good for protecting against sql injection. You should use mysqli_real_escape_string or preferably prepared statements for protecting against sql injection when using user input in your queries. Quote Link to comment Share on other sites More sharing options...
magcr23 Posted June 26, 2015 Author Share Posted June 26, 2015 wich one is better? first: function limpa($data, mysqli $db) { if (is_array($data)) { foreach ($data as &$item) $item = makeSafe($item, $db); } else { $data = $db->real_escape_string($data); } return $data; } second: function limpa($data){ if(is_array($data)){die('Warning: trim() expects parameter 1 to be string, array given in /do/u/even/hack/bro?.php on line 69');} $data = trim($data); $data = stripslashes($data); $data = htmlspecialchars($data); return $data; } Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted June 26, 2015 Share Posted June 26, 2015 The htmlspecialchars() function is not meant to protect you from SQL injections. You'll want to use mysqli_real_escape_string() or prepared statements as suggested by Ch0cu3r. Note that the trim() function should be incorporated into the first option and stripslashes() isn't needed since PHP no longer automatically escapes things like POST and GET variables. Quote Link to comment Share on other sites More sharing options...
magcr23 Posted June 26, 2015 Author Share Posted June 26, 2015 (edited) The htmlspecialchars() function is not meant to protect you from SQL injections. You'll want to use mysqli_real_escape_string() or prepared statements as suggested by Ch0cu3r. Note that the trim() function should be incorporated into the first option and stripslashes() isn't needed since PHP no longer automatically escapes things like POST and GET variables. if i use that: $de = mysqli_real_escape_string($_POST["remetenteMSG"]); $para = mysqli_real_escape_string($_POST["destinatarioMSG"]); $assunto = mysqli_real_escape_string($_POST["assuntoMSG"]); $mensagem = mysqli_real_escape_string($_POST["corpoMSG"]); it would protect? Or should i use "mysqli_real_escape_string" in $mensagem (text editor)? Or should i use both? like: (don't know if this work, just wondering) $de = limpa(mysqli_real_escape_string($_POST["remetenteMSG"])); $para = limpa(mysqli_real_escape_string($_POST["destinatarioMSG"])); $assunto = limpa(mysqli_real_escape_string($_POST["assuntoMSG"])); $mensagem = limpa(mysqli_real_escape_string($_POST["corpoMSG"])); Edited June 26, 2015 by magcr23 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.