magcr23, posted June 26, 2015

Hi guys, I'm using this against MySQL injection:

    function limpa($data) {
        if (is_array($data)) {
            die('Warning: trim() expects parameter 1 to be string, array given in /do/u/even/hack/bro?.php on line 69');
        }
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }

But my textareas are text editors (CKEditor), and if I use:

    $mensagem = limpa($_POST["corpoMSG"]);

it doesn't insert anything into the database. This is the insert code:

    $de       = limpa($_POST["remetenteMSG"]);
    $para     = limpa($_POST["destinatarioMSG"]);
    $assunto  = limpa($_POST["assuntoMSG"]);
    $mensagem = limpa($_POST["corpoMSG"]);
    $data     = date('Y-m-d');
    $raiz     = '0';

    $msg = "INSERT INTO mensagens(id, emissor, destinatario, mensagem, assunto, data, raiz, visivelEmissor, visivelDestinatario)
            VALUES (DEFAULT, '$de', '$para', '$mensagem', '$assunto', '$data', '$raiz', '1', '1')";
    mysqli_query($con, $msg);

Can anyone help me?

Thread: https://forums.phpfreaks.com/topic/297043-specialchars/
Ch0cu3r, posted June 26, 2015

If nothing is being inserted then there is most likely a problem with the query.

    if (!mysqli_query($con, $msg)) {
        trigger_error('Unable to insert message into database: ' . mysqli_error($con));
    }

Also, your limpa function will not be very good for protecting against SQL injection. You should use mysqli_real_escape_string, or preferably prepared statements, for protecting against SQL injection when using user input in your queries.
magcr23 (author), posted June 26, 2015

Which one is better?

First:

    function limpa($data, mysqli $db) {
        if (is_array($data)) {
            foreach ($data as &$item) {
                $item = limpa($item, $db);
            }
            unset($item);
        } else {
            $data = $db->real_escape_string($data);
        }
        return $data;
    }

Second:

    function limpa($data) {
        if (is_array($data)) {
            die('Warning: trim() expects parameter 1 to be string, array given in /do/u/even/hack/bro?.php on line 69');
        }
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }
cyberRobot, posted June 26, 2015

The htmlspecialchars() function is not meant to protect you from SQL injection. You'll want to use mysqli_real_escape_string() or prepared statements, as suggested by Ch0cu3r.

Note that the trim() function should be incorporated into the first option, and stripslashes() isn't needed since PHP no longer automatically escapes things like POST and GET variables.
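The prepared-statement approach that both replies recommend, written out against the INSERT from the first post. This is an added example, not code from the thread or from any of its participants. It assumes `$con` is an open mysqli connection to the same `mensagens` table (column names are taken from the original query; the connection credentials are placeholders), and that the posting script receives the same `$_POST` fields as in the thread.

```php
<?php
// Added example: the thread's INSERT rewritten with a mysqli prepared statement.
// User input is bound to placeholders instead of being spliced into SQL text,
// so no per-field escaping function is needed. Assumes the "mensagens" table
// and POST field names from the original post.

declare(strict_types=1);

/**
 * Read one POST field as a trimmed string.
 * Missing fields and arrays (e.g. name="campo[]") are rejected up front,
 * instead of being passed to trim() and triggering a warning.
 */
function campo(array $post, string $nome): string
{
    if (!isset($post[$nome]) || !is_string($post[$nome])) {
        throw new InvalidArgumentException("Invalid or missing field: $nome");
    }
    return trim($post[$nome]);
}

/**
 * Insert a message and return the new row id.
 * Quotes, backslashes and the CKEditor HTML in the body are stored exactly as
 * received; the driver sends them separately from the query text.
 */
function inserirMensagem(mysqli $con, string $de, string $para, string $assunto, string $mensagem): int
{
    // "id" is omitted so the column default applies; data/raiz/visivel* are
    // fixed values, so they stay in the SQL text rather than being bound.
    $sql = 'INSERT INTO mensagens
                (emissor, destinatario, mensagem, assunto, data, raiz, visivelEmissor, visivelDestinatario)
            VALUES (?, ?, ?, ?, CURDATE(), 0, 1, 1)';

    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    // "ssss": four string parameters, bound by position in the VALUES list.
    $stmt->bind_param('ssss', $de, $para, $mensagem, $assunto);
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $id = (int) $con->insert_id;
    $stmt->close();
    return $id;
}

// --- posting script -------------------------------------------------------

// Make mysqli throw on errors instead of returning false silently, which is
// how an INSERT can "do nothing" without any visible message.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholder credentials
$con->set_charset('utf8mb4');

try {
    $id = inserirMensagem(
        $con,
        campo($_POST, 'remetenteMSG'),
        campo($_POST, 'destinatarioMSG'),
        campo($_POST, 'assuntoMSG'),
        campo($_POST, 'corpoMSG')
    );
    echo 'Message ' . $id . ' saved.';
} catch (Throwable $e) {
    // Log the driver's message for the developer; show the user a generic one.
    error_log($e->getMessage());
    http_response_code(500);
    echo 'The message could not be saved.';
}
```

htmlspecialchars() belongs at output time, when a stored message is echoed into a page (with ENT_QUOTES and the page's charset), not before the INSERT; applying it on the way in does nothing for SQL injection and mangles the editor's HTML in the database. If the stored CKEditor HTML is later rendered unescaped, it needs an HTML sanitizer on output, which is a separate concern from the query.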
magcr23 (author), posted June 26, 2015 (edited June 26, 2015 by magcr23)

> The htmlspecialchars() function is not meant to protect you from SQL injection. You'll want to use mysqli_real_escape_string() or prepared statements, as suggested by Ch0cu3r.
>
> Note that the trim() function should be incorporated into the first option, and stripslashes() isn't needed since PHP no longer automatically escapes things like POST and GET variables.

If I use this:

    $de       = mysqli_real_escape_string($con, $_POST["remetenteMSG"]);
    $para     = mysqli_real_escape_string($con, $_POST["destinatarioMSG"]);
    $assunto  = mysqli_real_escape_string($con, $_POST["assuntoMSG"]);
    $mensagem = mysqli_real_escape_string($con, $_POST["corpoMSG"]);

would it protect? Or should I use "mysqli_real_escape_string" on $mensagem (the text editor)? Or should I use both? Like this (I don't know if this works, just wondering):

    $de       = limpa(mysqli_real_escape_string($con, $_POST["remetenteMSG"]));
    $para     = limpa(mysqli_real_escape_string($con, $_POST["destinatarioMSG"]));
    $assunto  = limpa(mysqli_real_escape_string($con, $_POST["assuntoMSG"]));
    $mensagem = limpa(mysqli_real_escape_string($con, $_POST["corpoMSG"]));