Your Ad Here

advanced code snippet search

Anti-SQL Injection Function

 / Published in: PHP
 
Expand | Embed | Plain Text 
  1. function cleanuserinput($dirty){
  2. 	if (get_magic_quotes_gpc()) {
  3. 		$clean = mysql_real_escape_string(stripslashes($dirty));	 
  4. 	}else{
  5. 		$clean = mysql_real_escape_string($dirty);	
  6. 	} 
  7. 	return $clean;
  8. }
  9.  

Report this snippet  

Comments

RSS Icon Subscribe to comments
Posted By: Shocker on January 30, 2008

Please note almost any string values used in mysql queries should be escaped and not all of these values is user input which has escaped characters from magic quotes GPC. (e.g. regular vars from the script)

I'd add an additional optional parameter (bool) which defines, whether the parameter $dirty is coming from a GPC variable or not. :)

Posted By: philipolson on February 27, 2008

Note: mysqlrealescapestring() requires that a valid mysql connection (mysqlconnect()) exists to work... see the PHP manual for details.

Posted By: llbbl on April 2, 2008

"mysqlrealescapestring() requires that a valid mysql connection"

The "mysql_" appended to the function might have been a clue. :)

Posted By: llbbl on April 2, 2008

*append = prefix

Posted By: sarfraznawaz2005 on February 11, 2009

With mysqlrealescape_string alone, you are not 100% secure, consider going for function titled "Prevent SQL Injection".

Posted By: sarfraznawaz2005 on February 11, 2009

With mysqlrealescape_string alone, you are not 100% secure, consider going for function titled "Prevent SQL Injection".

Posted By: toltmanns on January 6, 2011

sarfraznawaz2005 - what else can be done to secure the input to a further degree?

Posted By: adkatrit on February 18, 2011

This does not prevent sql injection. It takes care of several special characters, and that's about it. it does nothing to prevent the injection of wildcard characters such as % and _ also consider numerical values in sql terms, they do not need to be enclosed in single or double quotes, so mysqlrealescapestring, does just that. It escapes strings. Notice the function was not called mysqlprevent_injection. This is why sql injection is still in the wild: developers that are trying to find an easy solution to something that is implementation specific and requires attention to detail for mitigation. If you want to prevent or lessen the risk of sql injection, read more about implementing sql injection not about preventing sql injection. You'll find much more useful solutions by reading the blogs or books written by pentesters who are actively trying to defeat these protections.... just saying

Posted By: timkinnane on March 22, 2011

append != prefix append = suffix prepend = prefix

Posted By: fjckls on April 19, 2011

what about this: http://www.w3schools.com/PHP/funcmysqlrealescapestring.asp

You need to login to post a comment.