mschrank99 Posted January 18, 2007 Share Posted January 18, 2007 Does anyone know if there is a way to strip out SQL code from $_POST variables?Perhaps a function similar to strip_tags but instead of catching HTML, it catches SQL statements? Thanks,Matthew Quote Link to comment Share on other sites More sharing options...
Crimpage Posted January 18, 2007 Share Posted January 18, 2007 I'm not sure how you would do that exactly. HTML is easily definable because they are enclosed within <>. SQL is not, unless you strip all SELECT, FROM and WHERE words from $_POST.What sort of SQL injection are you worried about? are you directly running an entry from a post field into an sql statement?If not, just look at addslashes().Cheers,Dave Quote Link to comment Share on other sites More sharing options...
kenrbnsn Posted January 18, 2007 Share Posted January 18, 2007 The better function for this is [url=http://www.php.net/mysql_real_escape_string]mysql_real_escape_string()[/url]Ken Quote Link to comment Share on other sites More sharing options...
kevinkorb Posted January 19, 2007 Share Posted January 19, 2007 A way I like to clean my $_POST array...[code=php:0]<?phpfunction clean_array($array) { $new_array = array(); foreach($array AS $key => $val) { $new_array[$key] = mysql_real_escape_string($val); } return $new_array;}?>[/code] Quote Link to comment Share on other sites More sharing options...
kevinkorb Posted January 19, 2007 Share Posted January 19, 2007 So then to use it.. (obviously)[code=php:0]$_POST = clean_array($_POST);//Or to leave the $_POST intact.$_clean = clean_array($_POST);[/code] Quote Link to comment Share on other sites More sharing options...
c4onastick Posted January 19, 2007 Share Posted January 19, 2007 I use PEAR::DB, its all taken care of internally. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.