Posted By

llbbl on 05/27/07


Tagged

mysql php textmate security sql-injection


Who likes this?

169 people have marked this snippet as a favorite



Anti-SQL Injection Function


Published in: PHP
 

function cleanuserinput($dirty){
    // The if-branch was missing from the posted snippet. It is reconstructed
    // here from the comments, which say the function must undo the escaping
    // that magic_quotes_gpc has already applied to GPC input before escaping
    // the value once, properly, for the current MySQL connection.
    if (get_magic_quotes_gpc()) {
        $clean = mysql_real_escape_string(stripslashes($dirty));
    } else {
        $clean = mysql_real_escape_string($dirty);
    }
    return $clean;
}
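What this kind of escaping does and does not protect, as an added example that is not code from the snippet or its author: the Python script below reimplements the byte rules of mysql_real_escape_string() as mysql_style_escape() (an assumption: the single-byte-charset rules for NUL, newline, carriage return, backslash, both quote characters and Ctrl-Z) and runs three query shapes against a constructed sqlite3 table that stands in for MySQL so it executes offline. The table, rows and helper names (open_demo_db, users, find_by_id_*, search_name_*) are hypothetical. Quoted string context is handled correctly, but numeric context and LIKE patterns are not, which is the gap the comments below point at; the fix in each case is type validation plus a bound parameter (in PHP, mysqli or PDO prepared statements; magic quotes were removed in PHP 5.4 and the mysql_* functions in PHP 7).

```python
"""Escaping vs. parameterisation, executed against a throwaway database."""
import sqlite3

# Byte rules applied by mysql_real_escape_string() on a single-byte charset:
# NUL, newline, carriage return, backslash, both quote characters and Ctrl-Z.
_MYSQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_style_escape(dirty: str) -> str:
    """Python stand-in for PHP's mysql_real_escape_string() (assumed rules):
    it escapes only the characters that could end a quoted string literal."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in dirty)


def open_demo_db() -> sqlite3.Connection:
    """Constructed sample data; sqlite3 stands in for MySQL so this runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


# 1. Quoted string context: escaping does its job. In MySQL the result is one
#    string literal, so the classic ' OR '1'='1 payload is inert. Shown as
#    text only, because sqlite does not read backslash escapes in literals.
def build_name_query(raw: str) -> str:
    return "SELECT id FROM users WHERE name = '" + mysql_style_escape(raw) + "'"


# 2. Numeric context: there are no quotes to escape, so the input is spliced
#    into the statement unchanged and the escaping function changes nothing.
def find_by_id_escaped(conn, raw: str) -> list:
    sql = "SELECT id FROM users WHERE id = " + mysql_style_escape(raw)
    return [row[0] for row in conn.execute(sql)]


def find_by_id_safe(conn, raw: str) -> list:
    """Validate the type first, then bind it; the value can never become SQL."""
    user_id = int(raw)  # raises ValueError on input such as '1 OR 1=1'
    return [row[0] for row in
            conn.execute("SELECT id FROM users WHERE id = ?", (user_id,))]


# 3. LIKE context: % and _ are not escaped, so a bare '%' matches every row
#    and '_' matches any single character even though the literal is intact.
def search_name_escaped(conn, raw: str) -> list:
    sql = ("SELECT name FROM users WHERE name LIKE '%"
           + mysql_style_escape(raw) + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_name_safe(conn, raw: str) -> list:
    """Bind the pattern and neutralise the wildcards with an ESCAPE clause."""
    literal = raw.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    pattern = "%" + literal + "%"
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'",
                         (pattern,))]


if __name__ == "__main__":
    db = open_demo_db()
    print(build_name_query("' OR '1'='1"))     # one MySQL string literal
    print(find_by_id_escaped(db, "1 OR 1=1"))  # every id: the escaper did nothing
    print(search_name_escaped(db, "%"))        # every name
    print(search_name_safe(db, "%"))           # [] : no name contains a literal %
```

The pattern to take from this: escaping is only meaningful for the one context it was written for (a quoted MySQL string literal), and the function cannot know which context the caller will splice its output into. A bound parameter is never parsed as SQL at all, so it does not depend on that knowledge; the LIKE case shows that even with binding, the semantics of the column operator (wildcards) still need their own handling.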


Comments

Posted By: Shocker on January 30, 2008

Please note that almost any string value used in MySQL queries should be escaped, and not all of these values are user input that has escaped characters from magic quotes GPC (e.g. regular vars from the script).

I'd add an additional optional parameter (bool) which defines whether the parameter $dirty is coming from a GPC variable or not. :)

Posted By: philipolson on February 27, 2008

Note: mysql_real_escape_string() requires that a valid MySQL connection (mysql_connect()) exists to work... see the PHP manual for details.

Posted By: llbbl on April 2, 2008

"mysql_real_escape_string() requires that a valid mysql connection"

The "mysql_" appended to the function might have been a clue. :)

Posted By: llbbl on April 2, 2008

*append = prefix

Posted By: sarfraznawaz2005 on February 11, 2009

With mysql_real_escape_string alone, you are not 100% secure; consider going for the function titled "Prevent SQL Injection".

Posted By: toltmanns on January 6, 2011

sarfraznawaz2005: what else can be done to secure the input to a further degree?

Posted By: adkatrit on February 18, 2011

This does not prevent SQL injection. It takes care of several special characters, and that's about it. It does nothing to prevent the injection of wildcard characters such as % and _. Also consider numerical values in SQL terms: they do not need to be enclosed in single or double quotes, so mysql_real_escape_string does just that: it escapes strings. Notice the function was not called mysql_prevent_injection. This is why SQL injection is still in the wild: developers are trying to find an easy solution to something that is implementation specific and requires attention to detail for mitigation. If you want to prevent or lessen the risk of SQL injection, read more about implementing SQL injection, not about preventing SQL injection. You'll find much more useful solutions by reading the blogs or books written by pentesters who are actively trying to defeat these protections.... just saying

Posted By: timkinnane on March 22, 2011

append != prefix; append = suffix; prepend = prefix

Posted By: fjckls on April 19, 2011

What about this: http://www.w3schools.com/PHP/funcmysqlrealescapestring.asp
