specialchars

magcr23

Hi guys, I'm using this against MySQL injection:

function limpa($data){
    if(is_array($data)){die('Warning: trim() expects parameter 1 to be string, array given in /do/u/even/hack/bro?.php on line 69');}
    $data = trim($data);             // strip leading/trailing whitespace
    $data = stripslashes($data);     // remove backslashes (a leftover from the magic_quotes days)
    $data = htmlspecialchars($data); // HTML-encode & < > " (output encoding, not SQL escaping)
    return $data;
}

But my textareas are a text editor (CKEditor), and if I use:

$mensagem = limpa($_POST["corpoMSG"]);

It doesn't insert anything into the database.

 

That's the insert code:

$de = limpa($_POST["remetenteMSG"]);
$para = limpa($_POST["destinatarioMSG"]);
$assunto = limpa($_POST["assuntoMSG"]);
$mensagem = limpa($_POST["corpoMSG"]);
$data = date('Y-m-d'); // no need for @ here, date() does not emit warnings
$raiz = '0';

// user input is interpolated straight into the SQL text
$msg = "INSERT INTO mensagens(id, emissor, destinatario, mensagem, assunto, data, raiz, visivelEmissor, visivelDestinatario) VALUES (DEFAULT, '$de', '$para', '$mensagem', '$assunto', '$data', '$raiz', '1', '1' )";

mysqli_query($con, $msg); // return value is never checked, so a failed INSERT goes unnoticed

Can anyone help me?

https://forums.phpfreaks.com/topic/297043-specialchars/

If nothing is being inserted then there is most likely a problem with the query.

if(!mysqli_query($con, $msg))
{
    // report the MySQL error instead of failing silently
    trigger_error('Unable to insert message into database: ' . mysqli_error($con));
}

Also your limpa function will not be very good for protecting against SQL injection. You should use mysqli_real_escape_string or preferably prepared statements for protecting against SQL injection when using user input in your queries.

https://forums.phpfreaks.com/topic/297043-specialchars/#findComment-1514995

Which one is better?

 

first:

function limpa($data, mysqli $db) {
    if (is_array($data)) {
        // recurse into nested arrays, escaping each element
        foreach ($data as &$item) $item = limpa($item, $db);
        unset($item); // break the reference left behind by foreach
    } else {
        $data = $db->real_escape_string($data);
    }
    return $data;
}

second:

function limpa($data){
    if(is_array($data)){die('Warning: trim() expects parameter 1 to be string, array given in /do/u/even/hack/bro?.php on line 69');}
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
https://forums.phpfreaks.com/topic/297043-specialchars/#findComment-1515000

The htmlspecialchars() function is not meant to protect you from SQL injections. You'll want to use mysqli_real_escape_string() or prepared statements as suggested by Ch0cu3r.

 

Note that the trim() function should be incorporated into the first option and stripslashes() isn't needed since PHP no longer automatically escapes things like POST and GET variables.

https://forums.phpfreaks.com/topic/297043-specialchars/#findComment-1515002
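The two replies above make the same point: limpa() encodes for HTML, it does not escape for SQL, and the fix is a prepared statement. The script below is an added example (not code posted by anyone in this thread). The first part builds the INSERT exactly the way the original post does, with limpa() as the only defence, but returns the SQL text instead of executing it so it can be inspected without a database; the payload is constructed for the demonstration and assumes MySQL's default sql_mode, where a backslash inside a string literal is an escape character. The second part is the same INSERT as a mysqli prepared statement, assuming $con is the existing mysqli connection from the thread. Table and column names are the ones from the post; the fixed date is only there to keep the output stable.

```php
<?php
// Added example, not code from the thread. Part 1: what the SQL text becomes
// when limpa() is the only defence. Part 2: the same INSERT as a prepared
// statement, where user input never becomes part of the SQL text.
declare(strict_types=1);

function limpa(string $data): string {
    $data = trim($data);
    $data = stripslashes($data);      // drops lone backslashes, turns "\\" into "\"
    $data = htmlspecialchars($data);  // encodes & < > " (and ' only with PHP >= 8.1 defaults)
    return $data;
}

// Part 1: the thread's query-building approach, returned as text for inspection.
function buildInsertWithLimpa(array $post): string {
    $de       = limpa($post['remetenteMSG']);
    $para     = limpa($post['destinatarioMSG']);
    $assunto  = limpa($post['assuntoMSG']);
    $mensagem = limpa($post['corpoMSG']);
    $data     = '2015-06-01';   // fixed instead of date('Y-m-d') so the output is stable
    $raiz     = '0';

    return "INSERT INTO mensagens(id, emissor, destinatario, mensagem, assunto, data, raiz, visivelEmissor, visivelDestinatario) "
         . "VALUES (DEFAULT, '$de', '$para', '$mensagem', '$assunto', '$data', '$raiz', '1', '1')";
}

// Constructed payload (assumption: default sql_mode, backslash is an escape
// character). stripslashes() reduces the two backslashes in remetenteMSG to one,
// htmlspecialchars() leaves it alone, and in the SQL text that backslash escapes
// the closing quote of the emissor literal, so destinatarioMSG is parsed as raw
// SQL. The payload avoids ' " < > & so no htmlspecialchars() flag changes it:
// 0x6869 is MySQL's hex literal for the string 'hi', CURDATE() fills the date
// column, and '#' starts a comment that swallows the rest of the VALUES list.
$payload = [
    'remetenteMSG'    => '\\\\',
    'destinatarioMSG' => ', 0x6869, 0x6869, 0x6869, CURDATE(), 0, 1, 1)#',
    'assuntoMSG'      => 'hello',
    'corpoMSG'        => '<p>hello</p>',
];
echo buildInsertWithLimpa($payload), PHP_EOL;

// Part 2: the hardened form. Bound parameters are sent separately from the SQL
// text, so no escaping function is needed for the query at all. trim() stays
// because it normalises input; htmlspecialchars() moves to the point where a
// value is printed into HTML. $con is assumed to be the thread's mysqli connection.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw instead of silently inserting nothing

function insertMessage(mysqli $con, array $post): int {
    $de       = trim($post['remetenteMSG']);
    $para     = trim($post['destinatarioMSG']);
    $assunto  = trim($post['assuntoMSG']);
    $mensagem = trim($post['corpoMSG']);   // CKEditor HTML is stored as submitted
    $data     = date('Y-m-d');
    $raiz     = 0;

    $stmt = $con->prepare(
        'INSERT INTO mensagens (id, emissor, destinatario, mensagem, assunto, data, raiz, visivelEmissor, visivelDestinatario) '
        . 'VALUES (DEFAULT, ?, ?, ?, ?, ?, ?, 1, 1)'
    );
    $stmt->bind_param('sssssi', $de, $para, $mensagem, $assunto, $data, $raiz);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Output encoding belongs here, when a stored value is rendered into a page.
function renderSubject(string $assunto): string {
    return htmlspecialchars($assunto, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Usage with a live connection: insertMessage($con, $_POST);
```

In the text printed by Part 1, the emissor literal is `'\', '`, which MySQL reads as the three-character string `', ` (escaped quote, comma, space); everything that follows up to the `#` is then parsed as the remaining eight values of the row, so the sender controls raiz, visivelEmissor and visivelDestinatario, and the real message body and subject are commented out. Fed to insertMessage() instead, the same payload is stored character for character as the emissor and destinatario strings and nothing else changes. Note that the CKEditor body is stored as HTML either way; a prepared statement settles the SQL question, not what that HTML does when it is echoed back to a browser.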

If I use this:

// mysqli_real_escape_string() needs the connection as its first argument
$de = mysqli_real_escape_string($con, $_POST["remetenteMSG"]);
$para = mysqli_real_escape_string($con, $_POST["destinatarioMSG"]);
$assunto = mysqli_real_escape_string($con, $_POST["assuntoMSG"]);
$mensagem = mysqli_real_escape_string($con, $_POST["corpoMSG"]);

Would it protect?

Or should I use "mysqli_real_escape_string" on $mensagem (text editor)?

 

Or should I use both? Like this (I don't know if this works, just wondering):

// mysqli_real_escape_string() needs the connection as its first argument
$de = limpa(mysqli_real_escape_string($con, $_POST["remetenteMSG"]));
$para = limpa(mysqli_real_escape_string($con, $_POST["destinatarioMSG"]));
$assunto = limpa(mysqli_real_escape_string($con, $_POST["assuntoMSG"]));
$mensagem = limpa(mysqli_real_escape_string($con, $_POST["corpoMSG"]));
https://forums.phpfreaks.com/topic/297043-specialchars/#findComment-1515006
