ohdang888 Posted December 31, 2007 (https://forums.phpfreaks.com/topic/83903-injections/)

Does anyone have any really really good links or advice about preventing injections?
Northern Flame Posted December 31, 2007

mysql_real_escape_string(), htmlentities(), addslashes(), and I'm sure there's more....
Dane Posted January 1, 2008

Anything that is going into the database, use mysql_real_escape_string on. Other than that, create checks when submitting data, i.e. if it is a username, check for a-zA-Z0-9 only; make sure things like " ; ' etc. are not allowed.
kjtocool Posted January 1, 2008

You can try things like:

```php
<?php
// Undo magic-quotes slashes (old PHP builds only) and escape anything that is not numeric.
function escape_text($connection, $text) {
    // Stripslashes: only if this PHP build still has magic_quotes_gpc (removed in PHP 5.4+)
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $text = stripslashes($text);
    }
    // Escape if not a number
    if (!is_numeric($text)) {
        $text = mysqli_real_escape_string($connection, $text);
    }
    return $text;
}

// Report whether $text contains any character from the forbidden list.
function escape_forbidden($text) {
    // Forbidden characters (single-quoted so no escape sequences or "$" are interpreted)
    $forbidden = '/!\@#$%^&*():{}?£¬`\/.,;[]-_+=~<>';
    $text = stripslashes($text);
    // strcspn() gives the length of the leading run free of forbidden bytes;
    // if that is shorter than the whole string, a forbidden character is present
    if (strlen($text) != strcspn($text, $forbidden)) {
        return "invalid";
    } else {
        return "valid";
    }
}
?>
```
sKunKbad Posted January 1, 2008

Typecast everything. If your input expects a string, typecast it to a string, and so on. If you have forms where input is boolean, or dropdown boxes / radio buttons specify choices, make sure that the choices are the only choices accepted by the processing script.
kjtocool Posted January 1, 2008

> Typecast everything. If your input expects a string, typecast it to a string, and so on. If you have forms where input is boolean, or dropdown boxes / radio buttons specify choices, make sure that the choices are the only choices accepted by the processing script.

This is also always a good idea.
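An added example (not code from any poster in this thread) that puts Dane's "a-zA-Z0-9 only" check and sKunKbad's "typecast everything, accept only the listed choices" advice into one validation routine. The field names, rules and sample submission are constructed for the demo; `$_POST` would be passed in their place.

```php
<?php
// Added example, not from the thread: per-field whitelist validation.
declare(strict_types=1);

/**
 * Validate a submission against a rule set.
 * Returns [validated values, error messages]. Fields that have no rule are
 * dropped, so stray parameters never reach the processing code.
 */
function validate_form(array $input, array $rules): array
{
    $clean = [];
    $errors = [];
    foreach ($rules as $field => $rule) {
        $raw = $input[$field] ?? null;
        if ($raw === null || is_array($raw)) {
            $errors[$field] = 'missing';
            continue;
        }
        switch ($rule['type']) {
            case 'int':
                // FILTER_VALIDATE_INT rejects "12abc", "1e3", leading spaces, etc.
                $value = filter_var($raw, FILTER_VALIDATE_INT, [
                    'options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']],
                ]);
                if ($value === false) { $errors[$field] = 'not an integer in range'; continue 2; }
                $clean[$field] = $value; // a real PHP int from here on, not a string
                break;
            case 'bool':
                // Only the literal "0"/"1" count as a boolean answer.
                if ($raw !== '0' && $raw !== '1') { $errors[$field] = 'not boolean'; continue 2; }
                $clean[$field] = ($raw === '1');
                break;
            case 'pattern':
                // Whitelist regex; the D modifier stops "$" matching before a trailing newline.
                if (!preg_match($rule['regex'], $raw)) { $errors[$field] = 'invalid characters'; continue 2; }
                $clean[$field] = $raw;
                break;
            case 'choice':
                // Dropdowns/radios: the value must be one of the server's own list (strict compare).
                if (!in_array($raw, $rule['allowed'], true)) { $errors[$field] = 'not an allowed choice'; continue 2; }
                $clean[$field] = $raw;
                break;
            default:
                throw new InvalidArgumentException("unknown rule type for $field");
        }
    }
    return [$clean, $errors];
}

// Hypothetical form rules for the demo.
$rules = [
    'username'   => ['type' => 'pattern', 'regex' => '/^[A-Za-z0-9]{3,20}$/D'],
    'age'        => ['type' => 'int', 'min' => 13, 'max' => 120],
    'newsletter' => ['type' => 'bool'],
    'role'       => ['type' => 'choice', 'allowed' => ['member', 'editor']],
];

// Constructed sample submission standing in for $_POST: two fields pass, two fail,
// and one field that has no rule is discarded.
$sample = [
    'username'   => "alice o'neil",  // space and apostrophe fail the whitelist
    'age'        => '42',
    'newsletter' => 'yes',           // not "0"/"1"
    'role'       => 'member',
    'is_admin'   => '1',             // no rule for it: dropped
];

[$clean, $errors] = validate_form($sample, $rules);
var_dump($clean);
print_r($errors);
?>
```

The point of returning typed values (int, bool) rather than the raw strings is that the processing code cannot accidentally interpolate the original text into a query or an HTML page; whatever is not on the whitelist never leaves this function.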
ohdang888 (Author) Posted January 1, 2008

Where would I put kjtocool's code? At the start of every page?
trq Posted January 1, 2008

They are functions and will need to be within scope if you intend to call them.
Daniel0 Posted January 1, 2008

> Does anyone have any really really good links or advice about preventing injections?

Prepared statements.

```php
<?php
try {
    $db = new PDO('mysql:dbname=database_name;host=localhost', 'username', 'password');
} catch (PDOException $e) {
    // Stop here: nothing below can run without a connection
    die('Connection failed: ' . $e->getMessage());
}

// "?" is a placeholder; the value is sent separately and is never parsed as SQL
$statement = $db->prepare('SELECT * FROM users WHERE username = ? LIMIT 1');
$statement->execute(array($_GET['username'] ?? ''));
$user_info = $statement->fetch(PDO::FETCH_ASSOC);
print_r($user_info);
?>
```
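An added example (not Daniel0's code) showing the same lookup done with string concatenation and with a prepared statement, plus the one case a prepared statement cannot cover (a column name chosen by the user), which falls back on a whitelist. It runs against an in-memory SQLite table so it works offline; the table, rows and input are constructed for the demo.

```php
<?php
// Added example, not from the thread: concatenation vs. prepared statement on SQLite.
declare(strict_types=1);

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on every error instead of returning false and carrying on.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO users (username, email) VALUES (?, ?)');
    // Constructed rows; one name contains an apostrophe on purpose.
    foreach ([['alice', 'alice@example.test'], ["o'brien", 'ob@example.test']] as $row) {
        $insert->execute($row);
    }
    return $db;
}

/** The pattern the thread warns against: untrusted text pasted into the SQL string. */
function find_user_unsafe(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '$username' LIMIT 1";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Prepared statement: the value travels separately from the query text. */
function find_user_safe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE username = :name LIMIT 1');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Identifiers (column names) cannot be bound as parameters, so a sortable
 * listing maps the user's choice onto a server-side whitelist instead.
 * Anything not in the map falls back to sorting by id.
 */
function list_users(PDO $db, string $sortField): array
{
    $allowed = ['id' => 'id', 'name' => 'username'];
    $column = $allowed[$sortField] ?? 'id';
    return $db->query("SELECT id, username FROM users ORDER BY $column")->fetchAll(PDO::FETCH_ASSOC);
}

$db = open_demo_db();

// A legitimate name containing an apostrophe: the concatenated version yields a
// malformed query and throws, the prepared one simply returns the row.
$name = "o'brien";
try {
    find_user_unsafe($db, $name);
} catch (PDOException $e) {
    echo 'concatenation broke the query: ' . $e->getMessage() . PHP_EOL;
}
print_r(find_user_safe($db, $name));
print_r(list_users($db, 'name'));
?>
```

The apostrophe case is the same mechanism that makes concatenation exploitable: once user text can change the shape of the statement, correctness and safety are both gone. With placeholders the driver never has to guess where the data ends, and for the parts of a query that placeholders cannot carry (table or column names, ORDER BY direction) the choice is made by the server from a fixed list rather than taken from the request.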