ohdang888 Posted December 31, 2007 (https://forums.phpfreaks.com/topic/83903-injections/)
Does anyone have any really really good links or advice about preventing injections?
Northern Flame Posted December 31, 2007
mysql_real_escape_string(), htmlentities(), addslashes(), and I'm sure there's more....
Dane Posted January 1, 2008
For anything that is going into the database, use mysql_real_escape_string. Other than that, create checks when submitting data, i.e. if it is a username, check for a-zA-Z0-9 only and make sure things like " ; ' etc. are not allowed.
kjtocool Posted January 1, 2008
You can try things like:

```php
<?php
function escape_text($connection, $text) {
    // Undo magic_quotes escaping first so the value is not escaped twice.
    // get_magic_quotes_gpc() no longer exists on PHP 8, hence the guard.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $text = stripslashes($text);
    }

    // Escape if not a number
    if (!is_numeric($text)) {
        $text = mysqli_real_escape_string($connection, $text);
    }

    return $text;
}

function escape_forbidden($text) {
    // Forbidden characters
    $forbidden = "/!\@#$%^&*():{}?£¬`\/.,;[]-_+=~<>";

    $text = stripslashes($text);

    // strcspn() returns the length of the run before the first forbidden
    // character; if that is shorter than the whole string, one was found.
    if (strlen($text) != strcspn($text, $forbidden)) {
        return "invalid";
    } else {
        return "valid";
    }
}
?>
```
sKunKbad Posted January 1, 2008
Typecast everything. If your input expects a string, typecast it to a string, and so on. If you have forms where input is boolean, or drop-down boxes / radio buttons specify choices, make sure that those choices are the only choices accepted by the processing script.
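A worked version of the advice in this post and in Dane's (check a username against an explicit character set, accept only the choices the form offered, validate numbers and booleans rather than trusting a cast). This is an added example, not code from the thread or from any poster; the submissions are constructed in place of $_POST so it runs stand-alone, and it assumes PHP 7.4 or later for the arrow function.

```php
<?php
// Allow-list validation and typing of request input before it reaches any query.
// Added example; inputs below are constructed in place of $_POST.
declare(strict_types=1);

// Username: only the characters the application allows, with a length bound.
function validateUsername(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9]{3,32}$/', $raw) === 1 ? $raw : null;
}

// Numeric id: validate instead of (int)-casting, so "12abc" and "1 OR 1=1"
// are rejected outright rather than silently truncated to 12 and 1.
function validateId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Drop-down / radio value: must be one of the choices the form offered
// (strict comparison, so "0" does not match an unrelated entry).
function validateChoice(string $raw, array $allowed): ?string
{
    return in_array($raw, $allowed, true) ? $raw : null;
}

// Checkbox / boolean: accept only the explicit forms PHP recognises
// ("1", "true", "on", "yes" and their negatives); anything else is rejected.
function validateBool(string $raw): ?bool
{
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

$roles = ['member', 'moderator'];

// Constructed sample submissions: one benign, one carrying injection attempts.
$submissions = [
    ['username' => 'alice42',  'id' => '17',       'role' => 'member',        'newsletter' => 'yes'],
    ['username' => "admin'--", 'id' => '1 OR 1=1', 'role' => 'administrator', 'newsletter' => 'maybe'],
];

foreach ($submissions as $post) {
    $clean = [
        'username'   => validateUsername($post['username']),
        'id'         => validateId($post['id']),
        'role'       => validateChoice($post['role'], $roles),
        'newsletter' => validateBool($post['newsletter']),
    ];
    // A null means the field failed validation; false is a valid boolean value.
    $rejected = array_keys(array_filter($clean, fn($v) => $v === null));
    echo $rejected === []
        ? 'accepted: ' . json_encode($clean) . "\n"
        : 'rejected fields: ' . implode(', ', $rejected) . "\n";
}
```

The point is that each field is reduced to a known type and a known set of values before any escaping or query building happens; a rejected field stops the request rather than being "cleaned" into something that might still be accepted.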
kjtocool Posted January 1, 2008
> Typecast everything. If your input expects a string, typecast it to a string, and so on. If you have forms where input is boolean, or drop-down boxes / radio buttons specify choices, make sure that those choices are the only choices accepted by the processing script.

This is also always a good idea.
ohdang888 (Author) Posted January 1, 2008
Where would I put kjtocool's code? At the start of every page?
trq Posted January 1, 2008
They are functions and will need to be within scope if you intend to call them.
Daniel0 Posted January 1, 2008
> Does anyone have any really really good links or advice about preventing injections?

Prepared statements.

```php
<?php
try {
    $db = new PDO('mysql:dbname=database_name;host=localhost', 'username', 'password');
} catch (PDOException $e) {
    // Stop here: without a connection the code below would use an undefined $db.
    exit('Connection failed: ' . $e->getMessage());
}

// The query text is fixed; the user-supplied value is sent separately as a
// parameter, so it can never change the structure of the statement.
$statement = $db->prepare('SELECT * FROM users WHERE username = ? LIMIT 1');
$statement->execute(array($_GET['username'] ?? ''));

$user_info = $statement->fetch(PDO::FETCH_ASSOC);

print_r($user_info);
?>
```
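An added example (not Daniel0's code or anything from the original thread) that shows why the bound parameter matters: the same attacker string is run through a concatenated query and through a prepared statement, and an ORDER BY column, which cannot be bound, is handled with an allow-list instead. It uses an in-memory SQLite database so it runs stand-alone; the table, rows and inputs are constructed. With MySQL only the DSN changes, and you would also turn off PDO::ATTR_EMULATE_PREPARES so the server rather than the client driver separates code from data.

```php
<?php
// Vulnerable concatenation beside the prepared-statement fix.
// Added example; uses SQLite in memory so it runs without a MySQL server.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on every error instead of returning false and continuing.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // For MySQL, add: $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
    $db->exec("INSERT INTO users (username, email) VALUES
               ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");
    return $db;
}

// Vulnerable: untrusted input becomes part of the SQL text itself.
function findUserVulnerable(PDO $db, string $username): array
{
    $sql = "SELECT username, email FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is constant; the value travels as a bound parameter
// and is compared literally, quotes and all.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username, email FROM users WHERE username = :username LIMIT 1');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers and keywords cannot be bound, so an allow-list is the only option:
// the column name is checked against a fixed set and the direction is normalised.
function listUsersSorted(PDO $db, string $orderBy, string $direction): array
{
    $allowedColumns = ['id', 'username', 'email'];
    if (!in_array($orderBy, $allowedColumns, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $direction = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    $stmt = $db->query("SELECT username FROM users ORDER BY $orderBy $direction");
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();
$payload = "' OR '1'='1";   // constructed attacker input

// The injected OR makes the WHERE clause true for every row in the vulnerable
// version; the prepared version looks for a user literally named ' OR '1'='1.
echo 'vulnerable query rows: ', count(findUserVulnerable($db, $payload)), "\n";
echo 'prepared query rows:   ', count(findUserSafe($db, $payload)), "\n";
echo 'prepared, real user:   ', count(findUserSafe($db, 'bob')), "\n";
echo 'sorted: ', implode(', ', listUsersSorted($db, 'username', 'desc')), "\n";

try {
    listUsersSorted($db, 'username; DROP TABLE users', 'asc');
} catch (InvalidArgumentException $e) {
    echo 'rejected sort column: ', $e->getMessage(), "\n";
}
```

Escaping functions such as mysql_real_escape_string only help when every dynamic value is both escaped and quoted correctly in every query; a prepared statement removes that per-query burden, and what remains (column names, sort order, LIMIT values) is the part you still validate by hand.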
This topic is now archived and is closed to further replies.