rofl90 Posted April 3, 2008

I'm building an application. I've always used mysql_real_escape_string, but I don't know if it is all good. I don't want to build this entire application to find out it's useless. Basically it just needs to clean fields to stop any injections.

- Charlie
darkfreaks Posted April 3, 2008

That helps, along with trim and strip_tags.
rofl90 (Author) Posted April 3, 2008

So, all in all, this would work?

    // Escape for SQL, then drop surrounding whitespace and any HTML/PHP tags
    function clean($resource)
    {
        $resource = mysql_real_escape_string($resource);
        $resource = trim($resource);
        $resource = strip_tags($resource);
        return $resource;
    }
darkfreaks Posted April 3, 2008

Yes, it would. trim cleans up extra spaces, mysql_real_escape_string takes care of some special characters but not all, and strip_tags makes all HTML and PHP code useless unless you specify otherwise.
rofl90 (Author) Posted April 3, 2008

"Not all"? What would be a completely fool-proof solution?
devstudio Posted April 3, 2008

If you are building an entire application, I would recommend using a database abstraction layer, even if it is custom-made by you. Just abstract your functions (mysql_connect, mysql_query, etc.) and call them via custom_mysql_query so that you can make changes to code cleaning, etc. later. Example (this is *old*, so please forgive any shortcomings):

    $db_user   = '';
    $db_pass   = '';
    $db_name   = '';
    $tbl_pages = '';

    $db_connection = mysql_pconnect('localhost', $db_user, $db_pass)
        or die("Unable to connect to database.");
    mysql_select_db($db_name, $db_connection);

    // Single choke point for every query: sanitising or debug printing goes here
    function db_query($query_string)
    {
        global $db_connection;
        $error = 0; // initialised so a successful query does not read an undefined variable
        $result_set = mysql_query($query_string, $db_connection) or $error = 1;
        if ($error == 1) {
            $return = 0;
        } else {
            $return = $result_set;
        }
        return $return;
    }

    function db_affected()
    {
        global $db_connection;
        $affected = mysql_affected_rows($db_connection);
        return $affected;
    }

    function db_fetch_array($result_set)
    {
        $row_array = mysql_fetch_array($result_set);
        return $row_array;
    }

    function db_fetch_row($result_set)
    {
        $row_array = mysql_fetch_row($result_set);
        return $row_array;
    }

    function db_insert_id()
    {
        global $db_connection;
        $insert_id = mysql_insert_id($db_connection);
        return $insert_id;
    }

    function db_num_rows($result_set)
    {
        $num_rows = mysql_num_rows($result_set);
        return $num_rows;
    }

    // Builds "INSERT INTO table (a, b) VALUES ('x', 1)" from an associative array.
    // Values are interpolated as-is, so they must already be sanitised.
    function db_build_insert($table, $array)
    {
        $str  = "INSERT INTO $table ";
        $strn = "(";
        $strv = " VALUES (";
        foreach ($array as $name => $value) {   // foreach replaces the deprecated each() loop
            if (is_bool($value) and ($value != "")) {
                $strn .= "$name, ";
                $strv .= ($value ? "true" : "false") . ", ";
                continue;
            }
            if (is_string($value) and ($value != "")) {
                $strn .= "$name, ";
                $strv .= "'$value', ";
                continue;
            }
            if (!is_null($value) and ($value != "")) {
                $strn .= "$name, ";
                $strv .= "$value, ";
                continue;
            }
        }
        // Overwrite the trailing ", " separator of each list with ")"
        $strn[strlen($strn) - 2] = ')';
        $strv[strlen($strv) - 2] = ')';
        $str .= $strn . $strv;
        return $str;
    }

    // Builds "UPDATE table SET a='x', b=NULL WHERE ..."; refuses to run without a WHERE clause
    function db_build_update($table, $array, $where)
    {
        if ($where != "") {
            $str  = "UPDATE $table SET ";
            $strp = ""; // initialised before the loop appends to it
            foreach ($array as $name => $value) {
                if (is_string($value) && ($value != '')) {
                    $strp .= "$name='$value', ";
                } elseif ($value != "") {
                    $strp .= "$name=$value, ";
                } else {
                    $strp .= "$name=NULL, ";
                }
            }
            $strw = " WHERE $where";
            $strp = substr($strp, 0, -2);
            $str .= $strp . $strw;
        } else {
            die('<strong>Unconditional Update is not Supported</strong>');
        }
        return $str;
    }

You can sanitize everything before running mysql_query, in the db_query function. The other nice thing about this is you can print every query statement in a debugging mode, if you add a print line to the db_query() function.

*Note: there are a couple of cool builder functions in there, db_build_update and db_build_insert; they accept arrays and do the fancy SQL language for you. Please note, definitely sanitize the input on those arrays or the resulting SQL string!

Best, Nathan
darkfreaks Posted April 3, 2008

There is an XSS function I find handy that searches for patterns and removes them. Google "RemoveXSS"; it's a free-source injection/XSS filter. Use it with your clean function; that should do it.
rofl90 (Author) Posted April 3, 2008

I do use a database class. I guess that could be easier, but that would then take out appropriate things. I'm thinking I use:

    $user  = $core->clean($_POST['user']);
    $query = $db->query("INSERT into users(user) VALUES ($user)");

Safe, if I use the function I did earlier? @darkfreaks, I'm not allowing pure HTML throughout, just BBCode.
darkfreaks Posted April 3, 2008

Yeah, if that's the case your clean function should do it.
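As an added example (not code from the thread or from any of its posters), here is the same idea as devstudio's abstraction layer and the clean()/query pairing discussed above, rebuilt on PDO prepared statements so that values are bound rather than spliced into the SQL text. It addresses the "not all" gap in one go: an escaped value only stays harmless when it sits inside quotes, so an interpolation such as VALUES ($user) without quotes is not protected by escaping, whereas a bound parameter needs no quoting at all. Everything here is my own construction: the db_* function names, the SQLite in-memory DSN (so it runs offline; a MySQL DSN works the same way), and the sample rows.

```php
<?php
// Added example: PDO-based abstraction layer with parameter binding.
// Assumptions: pdo_sqlite is available; the db_* names are this example's own.

function db_connect(): PDO {
    $pdo = new PDO('sqlite::memory:'); // constructed: in-memory DB for an offline run
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Identifiers (table and column names) cannot be bound, so they are the one
// thing that still reaches the SQL string; allow only a strict name pattern.
function db_check_identifier(string $name): string {
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("rejected identifier: $name");
    }
    return $name;
}

// Counterpart of db_build_insert(): returns the SQL with "?" placeholders and
// the value list to bind, instead of quoting values into the statement.
function db_build_insert(string $table, array $row): array {
    $cols = array_map('db_check_identifier', array_keys($row));
    $sql  = sprintf('INSERT INTO %s (%s) VALUES (%s)',
        db_check_identifier($table),
        implode(', ', $cols),
        implode(', ', array_fill(0, count($cols), '?')));
    return [$sql, array_values($row)];
}

// Counterpart of db_query(): one choke point, but the values never touch the text.
// Ints and NULLs are bound with their own types, so numeric columns need no quotes.
function db_execute(PDO $pdo, string $sql, array $params): PDOStatement {
    $stmt = $pdo->prepare($sql);
    foreach ($params as $i => $value) {
        $type = is_null($value) ? PDO::PARAM_NULL
              : (is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
        $stmt->bindValue($i + 1, $value, $type);
    }
    $stmt->execute();
    return $stmt;
}

$pdo = db_connect();
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT NOT NULL, age INTEGER)');

// Constructed sample rows: a quote and a comment marker in the first name, HTML in
// the second. Both are stored verbatim; nothing is escaped or stripped on the way in.
$rows = [
    ['user' => "o'neil -- test", 'age' => 31],
    ['user' => '<b>bold</b>',     'age' => null],
];
foreach ($rows as $row) {
    [$sql, $params] = db_build_insert('users', $row);
    db_execute($pdo, $sql, $params);
}

// Lookup by a bound value: the quote in the search term is data, not SQL syntax.
$stmt  = db_execute($pdo, 'SELECT user, age FROM users WHERE user = ?', ["o'neil -- test"]);
$found = $stmt->fetch(PDO::FETCH_ASSOC);
var_dump($found['user'] === "o'neil -- test", $found['age']);

// Integer context: cast at the boundary instead of relying on quoting in the SQL.
$id    = (int) '2';
$byId  = db_execute($pdo, 'SELECT user FROM users WHERE id = ?', [$id])->fetchColumn();

// Escaping for SQL and encoding for HTML are separate concerns: strip_tags()/
// htmlspecialchars() belong at render time, not before storage.
echo htmlspecialchars($byId, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

The shape mirrors devstudio's layer (a single execute function and a builder that takes an array), but the builder emits placeholders and a value list, and the only validation applied to the SQL text is the identifier check on table and column names. Because values are bound with their PDO type, the clean() function from earlier is no longer needed for SQL safety; trim() and tag handling can stay as input-normalisation or output-encoding steps where they belong.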