I have written this short function to protect against my_sql injection, because of its importance I just want to double check with other's that this will function as I intend. <pre class="prettyprint"><code>foreach($_REQUEST as $key => $value) { $_REQUEST[$key] = stripslashes($value); $_REQUEST[$key] = mysql_real_escape_string($_REQUEST[$key]); } </code></pre>

Well, you use <code>stripslashes()</code> because the <code>magic_quotes_gpc</code> is set? So this code will only work when <code>magic_quotes_gpc</code> is set! I'd recommend you switch it off and dont use the strislashes() call. But note there is nothing like "universal sanitization". Let's call it just quoting, because that's what its all about. When quoting, you always quote text for some particular output, like: <ol> <li>string value for mysql query </li> <li> <code>like</code> expression for mysql query</li> <li>html code</li> <li>json</li> <li>mysql regular expression</li> <li>php regular expression</li> </ol> For each case, you need different quoting, because each usage is present within different syntax context. This also implies that the quoting shouldn't be made at the input into PHP, but at the particular output! Which is the reason why features like <code>magic_quotes_gpc</code> are broken (always assure it is switched off!!!). So, what methods would one use for quoting in these particular cases? (Feel free to correct me, there might be more modern methods, but these are working for me) <ol> <li><code>mysql_real_escape_string($str)</code></li> <li><code>mysql_real_escape_string(addcslashes($str, "%_"))</code></li> <li><code>htmlspecialchars($str)</code></li> <li> <code>json_encode()</code> - only for utf8! I use my function for iso-8859-2</li> <li> <code>mysql_real_escape_string(addcslashes($str, '^.[]$()|*+?{}'))</code> - you cannot use preg_quote in this case because backslash would be escaped two times!</li> <li><code>preg_quote()</code></li> </ol>

If you use PDO (properly) you don't have to worry about MySQL injection. Sample: <pre class="prettyprint"><code>/* Execute a prepared statement by passing an array of insert values */ $calories = 150; $colour = 'red'; $sth = $dbh->prepare('SELECT name, colour, calories FROM fruit WHERE calories < :calories AND colour = :colour'); $sth->execute(array(':calories' => $calories, ':colour' => $colour)); </code></pre> More information

PHP mysql injection protection

I have written this short function to protect against my_sql injection, because of its importance I just want to double check with other's that this will function as I intend.

foreach($_REQUEST as $key => $value) {          
    $_REQUEST[$key] = stripslashes($value);
    $_REQUEST[$key] = mysql_real_escape_string($_REQUEST[$key]);
}

How safe PHP files prevent the SQL injection attacks?

PHP has a specially-made function to prevent these attacks. All you need to do is use the mouthful of a function, mysql_real_escape_string . mysql_real_escape_string takes a string that is going to be used in a MySQL query and return the same string with all SQL injection attempts safely escaped.

What is MySQL injection in PHP?

SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id, the user gives you an SQL statement that you will unknowingly run on your database. Look at the following example which creates a SELECT statement by adding a variable (txtUserId) to a select string.

What is SQL injection attack in PHP?

SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

Does https prevent MySQL injection?

SSL does not protect against SQL injection attacks at all. Prepared statements, views, etc are the solutions to SQL injection.

Well, you use stripslashes() because the magic_quotes_gpc is set? So this code will only work when magic_quotes_gpc is set! I'd recommend you switch it off and dont use the strislashes() call.

But note there is nothing like "universal sanitization". Let's call it just quoting, because that's what its all about.

When quoting, you always quote text for some particular output, like:

string value for mysql query
like expression for mysql query
html code
json
mysql regular expression
php regular expression

For each case, you need different quoting, because each usage is present within different syntax context. This also implies that the quoting shouldn't be made at the input into PHP, but at the particular output! Which is the reason why features like magic_quotes_gpc are broken (always assure it is switched off!!!).

So, what methods would one use for quoting in these particular cases? (Feel free to correct me, there might be more modern methods, but these are working for me)

mysql_real_escape_string($str)
mysql_real_escape_string(addcslashes($str, "%_"))
htmlspecialchars($str)
json_encode() - only for utf8! I use my function for iso-8859-2
mysql_real_escape_string(addcslashes($str, '^.[]$()|*+?{}')) - you cannot use preg_quote in this case because backslash would be escaped two times!
preg_quote()

If you use PDO (properly) you don't have to worry about MySQL injection.

Sample:

/* Execute a prepared statement by passing an array of insert values */
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour');
$sth->execute(array(':calories' => $calories, ':colour' => $colour));

More information

PHP mysql injection protection

Tags:

php

mysql

sql-injection

code-injection

Johnny Craig

People also ask

2 Answers

Tomas

Arjan

Recent Activity

Donate For Us

PHP mysql injection protection

Tags:

php

mysql

sql-injection

code-injection

Johnny Craig

People also ask

2 Answers

Tomas

Arjan

Related questions

Recent Activity

Donate For Us