
escape all _POST and _Get


phpmo


I have a large site and I've done my best to validate all the variables but several weird things have happened to my DB that have me concerned a little about SQL Injection.

Is there a way, without knowing all the variables on each page in an array, that I can mysql_escape all of the passed variables?

I found this but can't tell if it works and I don't know enough about it.

I have a header that is loaded on all pages so I just included this in it.


<?php
// Included from the shared header, so it has to run after mysql_connect():
// mysql_real_escape_string() needs an open connection or it returns FALSE.
foreach ($_POST as $key => $value) {
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value); // undo the automatic slashes before escaping
    }
    $_POST[$key] = mysql_real_escape_string(trim($value));
}

foreach ($_GET as $key => $value) {
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    $_GET[$key] = mysql_real_escape_string(trim($value));
}

https://forums.phpfreaks.com/topic/57724-escape-all-_post-and-_get/

It looks like that should work, although I recommend putting your if-statement in one spot for readability and easier maintenance.  I typically make my own escape function to do that, something like:

<?php

// Strip the automatic slashes only when magic_quotes_gpc is on, then escape once.
// (get_magic_quotes_gpc must be called as a function; without the parentheses
// PHP treats it as an undefined constant, which is always truthy.)
function myEscape($string){
   return (get_magic_quotes_gpc()) ? mysql_real_escape_string(stripslashes($string)) : mysql_real_escape_string($string);
}

foreach($_GET as $key => $value){
   $_GET[$key] = myEscape($value);
}

foreach($_POST as $key => $value){
   $_POST[$key] = myEscape($value);
}

?>

 

Given your concerns about SQL attacks, how are you validating your data beyond escaping it?
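As an added example (not code from this thread) of validating beyond escaping, which the reply above asks about: a PHP snippet that checks the shape of a request value and then binds it with a PDO prepared statement, so the SQL text and the data never mix. It assumes an in-memory SQLite database so it runs without a MySQL server, and a constructed value standing in for $_GET['id'].

```php
<?php
// Added example, not code from this thread. Uses an in-memory SQLite
// database so it runs without MySQL; the PDO calls are the same for MySQL.
function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");
    return $db;
}

// Look up a user by the raw request value. Validates the shape first and
// then binds the value, so no escaping layer is involved at all.
function lookupUserName(PDO $db, string $rawId): ?string
{
    // 1. Validate: an id must be a positive integer. Anything else is
    //    rejected outright instead of being "escaped" and passed on.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // 2. Bind: the driver sends the value separately from the SQL text.
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

$db = openDemoDb();
// Constructed inputs standing in for $_GET['id'].
var_dump(lookupUserName($db, '2'));         // a well-formed id: the row is returned
var_dump(lookupUserName($db, '1 OR 1=1'));  // fails validation, so the query never runs
```

Note that the blanket escaping from the header does nothing for a value like `1 OR 1=1` dropped into an unquoted numeric comparison, because there is no quote character to escape; the integer check above is what catches it.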

Archived

This topic is now archived and is closed to further replies.
