rofl90 Posted April 3, 2008

I'm building an application. I've always used mysql_real_escape_string, but I don't know if it is all good. I don't want to build this entire application to find out it's useless. Basically it just needs to clean fields to stop any injections.

- Charlie

Link to comment https://forums.phpfreaks.com/topic/99314-cleaning/
darkfreaks Posted April 3, 2008

That helps, along with trim and strip_tags.
rofl90 (Author) Posted April 3, 2008

So all in all, this would work...

    function clean($resource) {
        // Normalise the raw input first...
        $resource = trim($resource);
        $resource = strip_tags($resource);
        // ...and escape last, so nothing undoes the escaping. Needs an open
        // MySQL connection (mysql_real_escape_string uses it for the charset).
        $resource = mysql_real_escape_string($resource);
        return $resource;
    }
darkfreaks Posted April 3, 2008

Yes, it would. trim cleans up extra spaces, mysql_real_escape_string takes care of some special characters but not all, and strip_tags makes all HTML and PHP code useless unless you specify it.
rofl90 (Author) Posted April 3, 2008

"Not all"? What would be a completely fool-proof solution?
devstudio Posted April 3, 2008

If you are building an entire application, I would recommend using a database abstraction layer, even if it is custom-made by you. Just abstract your functions (mysql_connect, mysql_query, etc.) and call them via custom_mysql_query, so that you can make changes to code cleaning, etc. later.

Example (this is *old*, so please forgive any shortcomings):

    $db_user = '';
    $db_pass = '';
    $db_name = '';
    $tbl_pages = '';

    // Note: the mysql_* functions (ext/mysql) were removed in PHP 7; this is the 2008 API the thread discusses.
    $db_connection = mysql_pconnect('localhost', $db_user, $db_pass)
        or die("Unable to connect to database.");
    mysql_select_db($db_name, $db_connection);

    // Single choke point for every query: sanitising and debug printing go here.
    function db_query($query_string) {
        global $db_connection;
        $error = 0; // initialise, otherwise a successful query reads an undefined variable
        $result_set = mysql_query($query_string, $db_connection) or $error = 1;
        if ($error == 1) {
            $return = 0;
        } else {
            $return = $result_set;
        }
        return $return;
    }

    function db_affected() {
        global $db_connection;
        return mysql_affected_rows($db_connection);
    }

    function db_fetch_array($result_set) {
        return mysql_fetch_array($result_set);
    }

    function db_fetch_row($result_set) {
        return mysql_fetch_row($result_set);
    }

    function db_insert_id() {
        global $db_connection;
        return mysql_insert_id($db_connection);
    }

    function db_num_rows($result_set) {
        return mysql_num_rows($result_set);
    }

    // Builds "INSERT INTO table (a, b) VALUES ('x', 1)" from an associative array.
    // Values are interpolated as-is: escape them before calling this (see the note below).
    function db_build_insert($table, $array) {
        $str  = "INSERT INTO $table ";
        $strn = "(";
        $strv = " VALUES (";
        foreach ($array as $name => $value) { // foreach replaces each(), which was removed in PHP 8
            if (is_bool($value) and ($value != "")) {
                $strn .= "$name, ";
                $strv .= ($value ? "true" : "false") . ", ";
                continue;
            }
            if (is_string($value) and ($value != "")) {
                $strn .= "$name, ";
                $strv .= "'$value', ";
                continue;
            }
            if (!is_null($value) and ($value != "")) {
                $strn .= "$name, ";
                $strv .= "$value, ";
                continue;
            }
        }
        // Turn the trailing ", " of each list into ")".
        $strn[strlen($strn) - 2] = ')';
        $strv[strlen($strv) - 2] = ')';
        $str .= $strn . $strv;
        return $str;
    }

    // Builds "UPDATE table SET a='x', b=1 WHERE ..."; refuses to run without a WHERE clause.
    function db_build_update($table, $array, $where) {
        if ($where != "") {
            $str  = "UPDATE $table SET ";
            $strp = ""; // initialise before appending
            foreach ($array as $name => $value) {
                if (is_string($value) && ($value != '')) {
                    $strp .= "$name='$value', ";
                } elseif ($value != "") {
                    $strp .= "$name=$value, ";
                } else {
                    $strp .= "$name=NULL, ";
                }
            }
            $strw = " WHERE $where";
            $strp = substr($strp, 0, -2); // drop the trailing ", "
            $str .= $strp . $strw;
        } else {
            die('<strong>Unconditional Update is not Supported</strong>');
        }
        return $str;
    }

You can sanitize everything before running mysql_query, in the db_query function. The other nice thing about this is you can print every query statement in a debugging mode, if you added a print line to the db_query() function.

*Note: Couple of cool builder functions in there, db_build_update and db_build_insert; they accept arrays and do the fancy SQL language for you. Please note, definitely sanitize the input on those arrays or the resulting SQL string!

Best,
Nathan
darkfreaks Posted April 3, 2008

There is an XSS function I find handy to search patterns and remove them. Google "RemoveXSS"; it's a free-source injection/XSS code. Use it with your clean function; that should do it.
rofl90 (Author) Posted April 3, 2008

I do use a database class. I guess that could be easier, but that would then take out appropriate things I'm thinking. I use:

    $user = $core->clean($_POST['user']);
    $query = $db->query("INSERT into users(user) VALUES ($user)");

Safe? If I use the function I did earlier.

@darkfreaks, I'm not allowing pure HTML throughout, just bbcode.
darkfreaks Posted April 3, 2008

Yeah, if that's the case your clean function should do it.
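Added example, not code from the thread or from any of its posters: it takes Nathan's idea of a single database layer with builder functions and Charlie's `INSERT ... VALUES ($user)` question, and shows the shape a practitioner would use today. Values are bound as prepared-statement parameters instead of being escaped and interpolated, so no clean() function is involved at all, and HTML is encoded at output time rather than stripped at input time. The assumptions are mine: PDO with the pdo_sqlite driver is available (an in-memory SQLite database stands in for MySQL so the script runs offline; only the DSN would change), the `users` table layout and the sample input are constructed for the demonstration, and the function names are hypothetical.

```php
<?php
// Added example (not from the thread). Assumes PDO + pdo_sqlite; the table and
// the sample input below are constructed for the demonstration.

function db_connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT NOT NULL, bio TEXT)');
    return $db;
}

// Placeholders cannot bind table or column names, so identifiers are
// whitelisted against a strict pattern instead of being escaped.
function db_identifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("Bad identifier: $name");
    }
    return $name;
}

// Counterpart of db_build_insert(): columns are whitelisted, values are bound,
// so quotes, backslashes or semicolons inside the data are never parsed as SQL.
function db_insert(PDO $db, string $table, array $row): int
{
    $cols  = array_map('db_identifier', array_keys($row));
    $marks = implode(', ', array_fill(0, count($cols), '?'));
    $sql   = sprintf('INSERT INTO %s (%s) VALUES (%s)',
                     db_identifier($table), implode(', ', $cols), $marks);
    $stmt = $db->prepare($sql);
    $stmt->execute(array_values($row));
    return (int) $db->lastInsertId();
}

function db_find_user(PDO $db, string $user): ?array
{
    $stmt = $db->prepare('SELECT id, user, bio FROM users WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = db_connect();

// Constructed sample input: an apostrophe plus HTML. An escape-and-interpolate
// clean() would either mangle it (strip_tags) or, unquoted as in VALUES ($user),
// produce a syntax error; with binding it is simply stored as typed.
$input = "  O'Brien <b>bold</b>  ";

$id  = db_insert($db, 'users', ['user' => trim($input), 'bio' => 'likes <i>tags</i> in text']);
$row = db_find_user($db, "O'Brien <b>bold</b>");

// Output encoding is done for the context where the value is displayed (HTML here).
// Unlike strip_tags at input time, this is lossless and can differ per context.
printf("id=%d user=%s bio=%s\n",
       $id,
       htmlspecialchars($row['user'], ENT_QUOTES, 'UTF-8'),
       htmlspecialchars($row['bio'],  ENT_QUOTES, 'UTF-8'));
```

Run it with `php example.php`. The design point is separation of concerns: the database layer protects the SQL grammar by binding, the identifier whitelist covers the one thing binding cannot, and the presentation layer encodes for HTML. Each protection lives where the risk is, which is why the stored value can stay exactly what the user entered.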
This topic is now archived and is closed to further replies.