Posted By: llbbl on 05/27/07


Tagged: mysql php textmate security sql-injection


Anti-SQL Injection Function


Published in: PHP 


function cleanuserinput($dirty){
    // if-branch reconstructed from the comments below (magic_quotes_gpc):
    // when PHP has already backslash-escaped GET/POST/COOKIE input, strip
    // those slashes first so the value is not escaped twice.
    if (get_magic_quotes_gpc()) {
        $clean = mysql_real_escape_string(stripslashes($dirty));
    }else{
        // needs an open mysql_connect() link; see the comments below
        $clean = mysql_real_escape_string($dirty);
    }
    return $clean;
}

Comments

Posted By: llbbl on April 2, 2008

*append = prefix

Posted By: llbbl on April 2, 2008

"mysql_real_escape_string() requires that a valid mysql connection"

The "mysql_" appended to the function might have been a clue. :)

Posted By: philipolson on February 27, 2008

Note: mysql_real_escape_string() requires that a valid mysql connection (mysql_connect()) exists to work... see the PHP manual for details.

Posted By: Shocker on January 30, 2008

Please note almost any string value used in mysql queries should be escaped, and not all of these values are user input which has escaped characters from magic quotes GPC (e.g. regular vars from the script).

I'd add an additional optional parameter (bool) which defines whether the parameter $dirty is coming from a GPC variable or not. :)
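The snippet together with the two points raised in the comments (a live connection is required; an optional flag for whether the value arrived through magic quotes), as an added example that is not code from the page or its author. It reworks the function for the mysqli extension, since the mysql_* functions were removed in PHP 7.0, and adds the caveat a reviewer would want: escaping only defends a quoted string literal, so a numeric context needs a cast or a prepared statement. The connection parameters, the `users` table and the function names are assumptions made for the demo.

```php
<?php
// Added example, not the original snippet: the same idea reworked for the
// mysqli extension, because the mysql_* functions the snippet relies on were
// removed in PHP 7.0. Connection parameters and the `users` table are
// placeholders assumed for the demo.
declare(strict_types=1);

/**
 * Escape a string for use inside a quoted literal in a MySQL query.
 *
 * $link     open mysqli connection. The escape function needs it to know the
 *           connection character set, which is why the comments above insist
 *           on a valid connection.
 * $fromGpc  true when $value came from $_GET/$_POST/$_COOKIE on a legacy PHP
 *           install with magic_quotes_gpc on, so PHP's own backslashes are
 *           stripped before escaping (the optional flag proposed above).
 *           get_magic_quotes_gpc() is gone since PHP 8.0, so the caller
 *           decides rather than the function.
 */
function clean_user_input(mysqli $link, string $value, bool $fromGpc = false): string
{
    if ($fromGpc) {
        $value = stripslashes($value);
    }
    return mysqli_real_escape_string($link, $value);
}

/**
 * Query built with the escaping function. The escaped value must sit between
 * quotes: escaping defends a quoted string literal and nothing else.
 */
function build_lookup_query(mysqli $link, string $username): string
{
    return "SELECT id, username FROM users WHERE username = '"
        . clean_user_input($link, $username) . "'";
}

/**
 * Same lookup as a prepared statement. The value is sent separately from the
 * SQL text, so nothing is escaped and the integer-context problem shown in
 * the demo below cannot arise.
 */
function lookup_user_prepared(mysqli $link, string $username): ?array
{
    $stmt = $link->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $row = $stmt->fetch() ? ['id' => $id, 'username' => $name] : null;
    $stmt->close();
    return $row;
}

// Demo with a constructed hostile input (placeholder credentials).
$link = mysqli_connect('127.0.0.1', 'app', 'secret', 'appdb');
if ($link === false) {
    exit('connect failed: ' . mysqli_connect_error() . "\n");
}
mysqli_set_charset($link, 'utf8mb4'); // escaping is charset-aware; set it explicitly

$hostile = "admin' OR '1'='1";
echo build_lookup_query($link, $hostile), "\n"; // quotes inside the value are escaped

// Caveat: an unquoted numeric context gets no protection from escaping at all.
// There is no quote to break out of, so this value passes through unchanged
// and the resulting query is still injectable.
$id = "1 OR 1=1";
echo 'SELECT id FROM users WHERE id = ' . clean_user_input($link, $id), "\n";

// For a numeric column, cast to the expected type (or bind it in a prepared
// statement with type 'i').
echo 'SELECT id FROM users WHERE id = ' . (int) $id, "\n";

var_dump(lookup_user_prepared($link, $hostile)); // null unless that literal username exists
mysqli_close($link);
```

With the default sql_mode the hostile username is rendered as `admin\' OR \'1\'=\'1` inside the quotes and the query matches nothing, while `1 OR 1=1` contains nothing to escape and reaches the server intact; `(int)` reduces it to `1`. The prepared statement sidesteps both cases, which is why it is the form to reach for when the driver supports it.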
