Thread: https://forums.phpfreaks.com/topic/53828-php-sql-injection/

jlr2k8, posted June 1, 2007:

Hmmm... there are several ways to prevent an SQL injection... but is there a more efficient way than this:

```php
$formData = $_POST['formData'];
// The replacement strings are HTML entities; the page extraction decoded them
// back into the raw characters, so the standard entities are restored here.
$formData = str_replace("'",  "&#39;",  $formData);
$formData = str_replace("\"", "&quot;", $formData);
$formData = str_replace("<",  "&lt;",   $formData);
$formData = str_replace(">",  "&gt;",   $formData);
$formData = str_replace("$",  "&#36;",  $formData);
```

I'm looking for a shorter method than this. I want to block potential HTML, database, and server-side hacks. Thanks!
btherl, posted June 1, 2007:

If you are using MySQL, use mysql_real_escape_string(). For HTML injection, use htmlspecialchars(). The wheel is there already, no need to re-invent it.
jlr2k8, posted June 1, 2007:

Haha thx. I'm using Postgres, so what should I use in place of mysql_real_escape_string()?
Lumio, posted June 1, 2007:

Try this:

```php
<?php
// Undo magic_quotes_gpc (PHP < 5.4) so each value is escaped exactly once below.
if (get_magic_quotes_gpc()) {
    $_POST    = array_map('stripslashesinarray', $_POST);
    $_GET     = array_map('stripslashesinarray', $_GET);
    $_COOKIE  = array_map('stripslashesinarray', $_COOKIE);
    $_REQUEST = array_map('stripslashesinarray', $_REQUEST);
}

function stripslashesinarray($value) {
    return is_array($value) ? array_map('stripslashesinarray', $value) : stripslashes($value);
}

// Returns a quoted, backslash-escaped SQL literal for strings; other values
// are returned unchanged. addslashes() is a generic escape, not a
// database-specific one.
function escape($value) {
    if ($value === '') {
        return "''";
    }
    return is_string($value) ? "'" . addslashes($value) . "'" : $value;
}

// escape() already wraps the value in quotes, so the query must not add a
// second pair (the original had '...' around the call, producing ''value'').
$sql = "INSERT INTO `table` SET `column` = " . escape($_POST['column']) . ";";
?>
```
per1os, posted June 1, 2007:

http://us.php.net/manual/en/function.pg-escape-string.php
jlr2k8, posted June 1, 2007:

Does pg_escape_string handle HTML characters, such as <, >, and &?
per1os, posted June 1, 2007:

I doubt it handles the HTML characters; it will prevent SQL injection, but not XSS exploits. But you can use www.php.net/htmlentities, I believe, to help with that, or www.php.net/strip_tags, or you can even create your own: www.php.net/str_replace

```php
<?php
// Replace each HTML metacharacter with its entity. The entities were decoded
// by the page extraction and are restored here. "&" must come first in the
// array, otherwise the "&" inside "&lt;" and "&gt;" would be encoded again.
$replace = array("&", "<", ">");
$with    = array("&amp;", "&lt;", "&gt;");
$content = "<html> test & this & that </html>";
$content = str_replace($replace, $with, $content);
?>
```

which in turn renders just about all HTML tags and JavaScript tags useless.
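The two layers discussed in this thread, kept separate, as an added example that is not code from any of the posters: pg_escape_string() (or, going one step further than the thread, pg_query_params()) protects the SQL layer, and htmlspecialchars() protects the HTML output layer. The connection string, the `comments(body text)` table and the sample input are constructed placeholders.

```php
<?php
// Added example. Assumes a Postgres database reachable with the placeholder
// connection string below and a table: CREATE TABLE comments (body text);

// Constructed input that carries both SQL and HTML metacharacters.
$raw = "O'Reilly <script>alert(1)</script> & friends";

$db = pg_connect("host=localhost dbname=app user=app password=secret"); // placeholder

// 1a. SQL layer, escaping: pg_escape_string() doubles the single quote (' -> '')
//     so the value is safe inside a quoted literal. It leaves <, > and & alone,
//     which is exactly the thread's question: it is an SQL escape, not an HTML one.
$escaped = pg_escape_string($db, $raw);
pg_query($db, "INSERT INTO comments (body) VALUES ('" . $escaped . "')");

// 1b. SQL layer, parameters: the value is sent separately from the SQL text,
//     so no escaping is needed at all and the quote problem cannot arise.
pg_query_params($db, 'INSERT INTO comments (body) VALUES ($1)', array($raw));

// 2. HTML layer: encode at render time, not before storing. The database keeps
//    the original text, and the browser receives &lt;script&gt; instead of a tag.
$res = pg_query_params($db, 'SELECT body FROM comments WHERE body = $1', array($raw));
while ($row = pg_fetch_assoc($res)) {
    echo '<p>' . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . "</p>\n";
}
?>
```

Storing the HTML-encoded form (as the first post does) would make every non-HTML consumer of the data, including a later search by value, see entities instead of the original characters.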