phpmo, posted June 29, 2007:

I have a large site and I've done my best to validate all the variables, but several weird things have happened to my DB that have me a little concerned about SQL injection. Is there a way, without knowing all the variables on each page in an array, that I can mysql_escape all of the passed variables? I found this but can't tell if it works, and I don't know enough about it. I have a header that is loaded on all pages, so I just included this in it.

    foreach ($_POST as $key => $value) {
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        $_POST[$key] = mysql_real_escape_string(trim($value));
    }

    foreach ($_GET as $key => $value) {
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        $_GET[$key] = mysql_real_escape_string(trim($value));
    }

Source thread: https://forums.phpfreaks.com/topic/57724-escape-all-_post-and-_get/
KevinM1, posted June 29, 2007:

It looks like that should work, although I recommend putting your if-statement in one spot for readability and easier maintenance. I typically make my own escape function to do that, something like:

    <?php
    // Undo magic_quotes' own slashes first so the value is not escaped twice,
    // then escape once with the MySQL-aware function.
    function myEscape($string) {
        return (get_magic_quotes_gpc())
            ? mysql_real_escape_string(stripslashes($string))
            : mysql_real_escape_string($string);
    }

    foreach ($_GET as $key => $value) {
        $_GET[$key] = myEscape($value);
    }

    foreach ($_POST as $key => $value) {
        $_POST[$key] = myEscape($value);
    }
    ?>

Given your concerns about SQL attacks, how are you validating your data beyond escaping it?
phpmo (author), posted June 29, 2007:

Basically, for anything that is only a number I do an is_numeric, which should cover anything. For strings I usually do a $var = htmlspecialchars($var); as well as the escape.
phpmo (author), posted June 29, 2007:

I also forgot to mention that I have Magic Quotes turned on.
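The blanket-escaping approach discussed in this thread, reworked as an added example that is neither phpmo's nor KevinM1's code: it swaps the mysql_ functions for mysqli, escapes at query time against an explicit connection (mysql_real_escape_string called from a header before any connection exists returns false), recurses into array-valued fields, casts numeric fields instead of escaping them, and shows the prepared-statement alternative. The connection credentials and the sample input are assumptions.

```php
<?php
// Added example; assumes a reachable MySQL server with the credentials below.

// Escape a string, or recursively every leaf of a nested array
// (fields posted as name[]), undoing magic_quotes first so nothing is
// escaped twice. Escaping is tied to the open connection's charset.
function escapeForSql($value, mysqli $db) {
    if (is_array($value)) {
        return array_map(function ($v) use ($db) { return escapeForSql($v, $db); }, $value);
    }
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);   // magic_quotes was removed in PHP 5.4
    }
    return $db->real_escape_string(trim($value));
}

// Numeric fields: escaping does nothing for an unquoted number in SQL,
// so cast instead; "3abc" becomes 3 and "1 OR 1=1" becomes 1.
function intParam(array $src, $key, $default = 0) {
    return isset($src[$key]) ? (int) $src[$key] : $default;
}

// Constructed sample input standing in for $_POST.
$post = array(
    'name' => "O'Brien",
    'ids'  => array('5', "7' OR '1'='1"),
    'page' => '3abc',
);

$db = new mysqli('localhost', 'app_user', 'app_pass', 'app'); // assumed
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}

// Escape only what goes into this query, at the point it is built.
$safe   = escapeForSql($post, $db);
$offset = intParam($post, 'page') * 10;       // 30
$sql = sprintf(
    "SELECT id, name FROM users WHERE name = '%s' AND id IN ('%s') LIMIT %d, 10",
    $safe['name'], implode("','", $safe['ids']), $offset
);
// $sql now contains name = 'O\'Brien' and id IN ('5','7\' OR \'1\'=\'1')

// Prepared statements remove the escaping step entirely: the value is sent
// separately from the SQL text, so quotes in it can never change the query.
$stmt = $db->prepare('SELECT id, name FROM users WHERE name = ? LIMIT ?, 10');
$stmt->bind_param('si', $post['name'], $offset);
$stmt->execute();
```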