jlr2k8 Posted June 1, 2007

Hmmm... there are several ways to prevent an SQL injection... but is there a more efficient way than this:

    $formData = $_POST['formData'];
    $formData = str_replace("'", "&#39;", $formData);
    $formData = str_replace("\"", "&quot;", $formData);
    $formData = str_replace("<", "&lt;", $formData);
    $formData = str_replace(">", "&gt;", $formData);
    $formData = str_replace("$", "&#36;", $formData);

I'm looking for a shorter method than this. I want to block potential HTML, database, and server-side hacks. Thanks!
btherl Posted June 1, 2007

If you are using MySQL, use mysql_real_escape_string(). For HTML injection, use htmlspecialchars(). The wheel is there already, no need to re-invent it.
jlr2k8 (Author) Posted June 1, 2007

Haha, thx. I'm using Postgres, so what should I use in place of mysql_real_escape_string()?
Lumio Posted June 1, 2007

Try this:

    <?php
    // With magic_quotes_gpc on (PHP < 5.4), undo the automatic backslashes first so
    // the data is escaped exactly once. get_magic_quotes_gpc() no longer exists in PHP 8,
    // hence the function_exists() guard.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_POST    = array_map('stripslashesinarray', $_POST);
        $_GET     = array_map('stripslashesinarray', $_GET);
        $_COOKIE  = array_map('stripslashesinarray', $_COOKIE);
        $_REQUEST = array_map('stripslashesinarray', $_REQUEST);
    }

    // Recursive stripslashes() for nested request arrays.
    function stripslashesinarray($value) {
        return is_array($value) ? array_map('stripslashesinarray', $value) : stripslashes($value);
    }

    // Returns a quoted string literal (empty input becomes ''); non-strings pass through.
    function escape($value) {
        if ($value === '') {
            return "''";
        }
        return is_string($value) ? "'" . addslashes($value) . "'" : $value;
    }

    // escape() already supplies the surrounding quotes, so do not add a second pair.
    $sql = "INSERT INTO `table` SET `column` = " . escape($_POST['column']) . ";";
    ?>
per1os Posted June 1, 2007

http://us.php.net/manual/en/function.pg-escape-string.php
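An added example, not code from anyone in this thread, showing what the Postgres side of this looks like in practice: the concatenated query the thread is trying to protect, the parameterised pg_query_params() form, and pg_escape_literal() for the case where a string really has to be built. The table comments with a body column, the PGCONN environment variable holding a libpq connection string, and the sample input are assumptions made for the demo; the two escaping helpers need a live connection, so the script runs against whatever PGCONN points at, inside a temporary table.

```php
<?php
// Added example (not from the thread). Assumes PGCONN holds a libpq connection
// string such as "host=localhost dbname=test user=test password=secret".
declare(strict_types=1);

// Constructed attacker input: in a concatenated query the quote ends the literal,
// the rest runs as SQL, and "--" comments out the trailing quote.
$formData = "x'); DROP TABLE comments; --";

// VULNERABLE: string concatenation. The user's text becomes part of the SQL grammar.
// Returned as a string here so it is shown, never executed.
function insert_comment_unsafe(string $text): string
{
    return "INSERT INTO comments (body) VALUES ('" . $text . "')";
}

// SAFE: query text and data travel separately. The server never parses $text as
// SQL, so quotes, backslashes and semicolons inside it are inert.
function insert_comment_safe($conn, string $text)
{
    return pg_query_params($conn, 'INSERT INTO comments (body) VALUES ($1)', [$text]);
}

// When a legacy API forces you to build the string, use the connection-aware
// helper: it honours the server's encoding and standard_conforming_strings setting,
// which addslashes() knows nothing about. The result includes the surrounding quotes.
function insert_comment_escaped($conn, string $text)
{
    $literal = pg_escape_literal($conn, $text);
    return pg_query($conn, "INSERT INTO comments (body) VALUES ($literal)");
}

$conn = pg_connect((string) getenv('PGCONN'));
if ($conn === false) {
    fwrite(STDERR, "set PGCONN to a libpq connection string\n");
    exit(1);
}
pg_query($conn, 'CREATE TEMP TABLE comments (id serial PRIMARY KEY, body text NOT NULL)');

echo "concatenated query would have been:\n  ", insert_comment_unsafe($formData), "\n";

if (insert_comment_safe($conn, $formData) === false || insert_comment_escaped($conn, $formData) === false) {
    fwrite(STDERR, "insert failed: " . pg_last_error($conn) . "\n");
    exit(1);
}

// Both rows hold the payload verbatim; the table is still there.
$res = pg_query($conn, 'SELECT body FROM comments ORDER BY id');
foreach (pg_fetch_all($res) as $row) {
    echo "stored verbatim: ", $row['body'], "\n";
}
```

Run it with something like `PGCONN="host=localhost dbname=test user=test" php pg_params.php`. The caveat that matters for the addslashes()-based helper earlier in the thread: addslashes() protects a quote by putting a backslash in front of it, but PostgreSQL only treats a backslash as an escape when standard_conforming_strings is off. With it on (the default since PostgreSQL 9.1) the backslash is an ordinary character and the quote still terminates the literal. pg_escape_string(), pg_escape_literal() and pg_query_params() are all aware of the connection's settings, so they do not have this failure mode.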
jlr2k8 (Author) Posted June 1, 2007

Does pg_escape_string handle HTML characters, such as <, >, and &?
per1os Posted June 1, 2007

I doubt it handles the HTML characters, but it will prevent SQL injection, not XSS exploits. You can use www.php.net/htmlentities, I believe, to help with that, or www.php.net/strip_tags, or you can even create your own with www.php.net/str_replace:

    <?php
    // Replace the three characters that open and close tags with their HTML entities.
    $replace = array("&", "<", ">");
    $with    = array("&amp;", "&lt;", "&gt;");
    $content = "<html> test & this & that </html>";
    $content = str_replace($replace, $with, $content);
    ?>

Which in turn renders just about all HTML tags and JavaScript tags useless.
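An added example, not per1os's or any other poster's code, contrasting the three-character str_replace() above with strip_tags() and htmlspecialchars(). The constructed payload contains neither < nor >, so the minimal replacement and strip_tags() both pass it through, yet once it lands inside a quoted attribute it closes the value and adds an event handler. The function names escape_minimal(), escape_strip_tags() and escape_html(), the payload and the surrounding <input> markup are all assumptions made for the demo.

```php
<?php
// Added example (not from the thread): escaping for the HTML attribute context.
declare(strict_types=1);

// Mirrors the three-character replacement suggested above.
function escape_minimal(string $s): string
{
    return str_replace(['&', '<', '>'], ['&amp;', '&lt;', '&gt;'], $s);
}

// strip_tags() removes things that look like tags; it is not an encoder and
// leaves quotes, equals signs and attribute names alone.
function escape_strip_tags(string $s): string
{
    return strip_tags($s);
}

// Recommended: all five HTML-significant characters (& < > " ') with an explicit
// charset, so malformed multibyte input cannot hide a quote from the encoder.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed payload: no angle brackets at all, but it breaks out of a
// double-quoted attribute and attaches a handler to the element.
$payload = '" autofocus onfocus="alert(document.cookie)';

// Same template, three different escapers.
function render_input(string $escaped): string
{
    return '<input type="text" value="' . $escaped . '">';
}

$variants = [
    'str_replace(&,<,>)' => escape_minimal($payload),
    'strip_tags'         => escape_strip_tags($payload),
    'htmlspecialchars'   => escape_html($payload),
];

foreach ($variants as $name => $escaped) {
    // A double quote surviving in the escaped value means the attribute can be closed early.
    $verdict = strpos($escaped, '"') === false ? 'safe in attribute' : 'ATTRIBUTE BREAKOUT';
    printf("%-20s %-20s %s\n", $name, $verdict, render_input($escaped));
}
```

With the first two escapers the rendered markup contains a second, attacker-controlled `onfocus` attribute on the input; only the htmlspecialchars() variant turns the quote into `&quot;` so the whole payload stays inside the value. Two practical points follow from this: escape for the context you are writing into (attribute, element body, URL, script) rather than once on input, and keep HTML escaping separate from SQL escaping, since pg_escape_string() does nothing for the former and htmlspecialchars() does nothing for the latter.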
This topic is now archived and is closed to further replies.