psychohagis Posted January 5, 2007

I am currently building a site, and I am becoming worried about putting it online because I've heard a lot of people talking about security. I can see how someone could just type SQL into a field and hack the server, so what I wanna know is: what is/are the best way/s to keep my database secure, and how can I strip SQL out of inputs?
.josh Posted January 5, 2007

[code]function clean_var($value) {
    if (get_magic_quotes_gpc()) {
        // undo magic quotes first so the value is not escaped twice
        $value = stripslashes($value);
    }
    if (!is_numeric($value)) {
        // escape quotes etc. for use inside a quoted SQL string (needs an open mysql connection)
        $value = mysql_real_escape_string($value);
    }
    return $value;
}[/code]
psychohagis Posted January 5, 2007 (Author)

Should I do that with every variable before I run it through SQL? And presumably I can replace $value with my own variables?
.josh Posted January 5, 2007

Yes. Every variable. And it's a function that you pass the variable to and it returns the cleaned variable. Example:

[code]<?php
// put this function somewhere in your script or include it from another file or something
function clean_var($value) {
    if (get_magic_quotes_gpc()) {
        // undo magic quotes first so the value is not escaped twice
        $value = stripslashes($value);
    }
    if (!is_numeric($value)) {
        // escape quotes etc. for use inside a quoted SQL string (needs an open mysql connection)
        $value = mysql_real_escape_string($value);
    }
    return $value;
} // end clean_var

// example:
if (!empty($_POST['blah'])) {
    $blah = clean_var($_POST['blah']);
} // end if posted var

// example to automate it with multiple posted vars:
if ($_POST) {
    foreach ($_POST as $key => $val) {
        $val = clean_var($val);
        $$key = $val;
    } // end foreach $_POST
    // you now have a list of variables named whatever you named them in
    // your form input fields, cleaned and ready to go.
} // end if posted vars
?>[/code]
psychohagis Posted January 5, 2007 (Author)

So sorry. Do I use all of that, or are they separate examples? Does the last one just loop through all your posted variables and clean them? Cos then presumably I could just go [b]$blah=$_POST['blah'];[/b] and it would already be clean?
.josh Posted January 5, 2007

The function is needed to clean the variables. The other 2 things are separate examples. The first example shows how to do it individually. The 2nd example shows how to loop through all of them, so that you don't have to individually type out each variable, which is useful if your form has lots and lots of variables. Also it is useful because if you go and add another input field in your form, you won't have to go back and add it to the list of vars to clean here. But if you want to do it individually, it works just the same. And doing

[code]$blah = $_POST['blah'];[/code]

does not clean the posted variable. It simply assigns the same (possibly tainted) data to $blah. That's what the clean_var function is for. It should look like this:

[code]$blah = clean_var($_POST['blah']);[/code]

I looked back and made a mistake in my example. I did clean_var($blah); it should be like ^
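As an added example that is not .josh's code or anything from the original thread, here is the escaping step the thread describes placed next to a prepared statement for the same lookup. It runs against an in-memory SQLite database so it works offline; the users table, its rows and the "posted" value are constructed for the demo, and PDO::quote() stands in for mysql_real_escape_string() since the mysql_* functions are gone from current PHP.

```php
<?php
// Added example, not from the thread. Assumes nothing beyond PHP with the
// PDO SQLite driver; table, rows and input are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed "posted" value containing a single quote, as a user could type it.
$input = "o'brien";

// 1. Raw value concatenated into the query text: the quote ends the SQL string
//    early, so the statement is malformed. With ERRMODE_EXCEPTION this throws
//    instead of silently running something other than what was intended.
try {
    $db->query("SELECT COUNT(*) FROM users WHERE name = '$input'");
} catch (PDOException $e) {
    echo "raw concatenation failed: " . $e->getMessage() . "\n";
}

// 2. Escaping, the approach the thread uses. PDO::quote() escapes the value and
//    returns it already wrapped in quotes, so it is pasted in without extra quotes.
$escaped = $db->quote($input);
$count = $db->query("SELECT COUNT(*) FROM users WHERE name = $escaped")->fetchColumn();
echo "escaped value: $count matching rows\n";

// 3. Prepared statement with a bound parameter: the value is sent separately from
//    the SQL text, so there is no escaping step to forget for any variable.
$stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE name = :name");
$stmt->execute([':name' => $input]);
echo "prepared statement: " . $stmt->fetchColumn() . " matching rows\n";
```

Cases 2 and 3 return the same count; the difference is that in case 3 the query text is fixed and cannot be altered by the input, whatever it contains.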