uniBKO, 2018-12-26 10:41:41
MySQL

Is it possible to replace ' with " in SQL query?

Good afternoon. I have an application that works with both mysql and mssql.
To protect it from all kinds of mischief, I use three functions:

<?php

  // DATA VALIDATION
  // Three helpers run over user input before it reaches HTML output or an SQL query.

  // Strips HTML/JS constructs commonly used for cross-site scripting.
  function xss_clean($data){

    // Fix &entity\n;
    $data = str_replace(array('&amp;','&lt;','&gt;'), array('&amp;amp;','&amp;lt;','&amp;gt;'), $data);
    $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
    $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
    $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

    // Remove any attribute starting with "on" or xmlns
    $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

    // Remove javascript: and vbscript: protocols
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

    // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

    // Remove namespaced elements (we do not need them)
    $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

    do {
      // Remove really unwanted tags; repeat until nothing changes,
      // so tags that appear after a removal are caught as well
      $old_data = $data;
      $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
    } while ($old_data !== $data);

    // we are done...
    return $data;

  }

  // Applied to values that go into SQL.
  // Note: mysql_real_escape_string() belongs to the legacy ext/mysql extension
  // (removed in PHP 7.0) and needs an open mysql_connect() link; it escapes
  // for MySQL only, there is no MSSQL counterpart in this function.
  function slinj($input_text){
    // Replace every single quote with a double quote (the line the question is about)
    $input_text = str_replace("'", "\"", $input_text);
    // Round-trip through UTF-8 so htmlspecialchars() sees valid UTF-8, then back to WINDOWS-1251
    $input_text = iconv("UTF-8//IGNORE","WINDOWS-1251//IGNORE", htmlspecialchars(iconv("WINDOWS-1251//IGNORE","UTF-8//IGNORE", $input_text)));
    $input_text = mysql_real_escape_string($input_text);
    return $input_text;
  }

  // Applied to values that are echoed into HTML.
  function xss($input_text){
    $input_text = iconv("UTF-8//IGNORE","WINDOWS-1251//IGNORE", htmlspecialchars(iconv("WINDOWS-1251//IGNORE","UTF-8//IGNORE", $input_text)));
    $input_text = iconv("UTF-8//IGNORE","WINDOWS-1251//IGNORE", xss_clean(iconv("WINDOWS-1251//IGNORE","UTF-8//IGNORE", $input_text)));
    //$input_text = xss_clean($input_text);
    return $input_text;
  }

?>

Initially, the second function did not have the line $input_text = str_replace("'", "\"", $input_text); and everything worked fine for mysql, but mssql gave an error, so I added this quote replacement. Is it acceptable to do this? Thanks :)

1 answer(s)
FanatPHP, 2018-12-26
@uniBKO

These functions are some kind of horror flying on the wings of the night. mysql_real_escape_string is generally beyond good and evil.
But the main thing I cannot understand is what the xss_clean function has to do with mysql and mssql. That is, I can't even imagine how a function meant to protect against XSS could be used for any manipulation of SQL. It's, I don't know, like putting money into a condom to protect it from a burglar. That also serves for safety. And the money will be safe. In short: for God's sake, use PDO with prepared statements. This makes all this mouse fuss with regular expressions unnecessary. PDO supports both mysql and mssql, so the only difference will be in the query syntax, and the code for working with queries will be the same:

// MSSQL: the row limit is written with TOP
$sql = "SELECT TOP 10 * FROM user WHERE department_id = ?";
$stmt = $conn->prepare($sql);            // $conn is an already opened PDO connection
$stmt->execute([$_GET['department_id']]); // the value is bound, never spliced into the SQL text
$users = $stmt->fetchAll();

// MySQL: the row limit is written with LIMIT; everything else is identical
$sql = "SELECT * FROM user WHERE department_id = ? LIMIT 10";
$stmt = $conn->prepare($sql);
$stmt->execute([$_GET['department_id']]);
$users = $stmt->fetchAll();

As you can see, there are no quotes in the queries at all, which makes the question about replacement meaningless.
XSS has to be defended against in a completely different place, and also without all this horror.
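To make the answer's point concrete, here is an added, runnable example (not the answerer's or the asker's code) of one PDO code path serving both dialects, where only the row-limit clause changes and a value containing a single quote needs no replacing or escaping. It assumes the pdo_sqlite extension so that an in-memory SQLite database can stand in for the real MySQL/MSSQL servers; the table name `users`, the sample rows and the helper names are constructed for this example.

```php
<?php
// Added example: the same PDO code for MySQL and MSSQL. Only the paging
// syntax differs; values are bound, so quotes inside them are plain data.
// Assumption: pdo_sqlite is available and stands in for the real servers.

function usersByDepartment(PDO $conn, string $dialect, $departmentId, int $limit = 10): array
{
    // $limit is an int supplied by code (never user input), so it may be
    // interpolated; the department id is bound through the placeholder.
    if ($dialect === 'mssql') {
        $sql = "SELECT TOP $limit * FROM users WHERE department_id = ?";
    } elseif ($dialect === 'mysql' || $dialect === 'sqlite') {
        $sql = "SELECT * FROM users WHERE department_id = ? LIMIT $limit";
    } else {
        throw new InvalidArgumentException("unknown dialect: $dialect");
    }
    $stmt = $conn->prepare($sql);
    // The value travels separately from the SQL text, so there is nothing
    // to quote, escape or replace in it.
    $stmt->execute([$departmentId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function addUser(PDO $conn, string $name, int $departmentId): void
{
    $stmt = $conn->prepare("INSERT INTO users (name, department_id) VALUES (?, ?)");
    $stmt->execute([$name, $departmentId]);
}

// What the question's str_replace("'", "\"") does to the same value:
// the stored name is silently corrupted.
function quoteSwapDamage(string $name): string
{
    return str_replace("'", "\"", $name);
}

// Constructed sample data in an in-memory database.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, department_id INTEGER NOT NULL)");
addUser($conn, "O'Brien", 1);   // apostrophe stored exactly as entered
addUser($conn, 'Smith', 2);

// Normal lookup: one row, name intact including the single quote.
$rows = usersByDepartment($conn, 'sqlite', 1);
printf("department 1: %d row(s), first name = %s\n", count($rows), $rows[0]['name']);

// Hostile-looking input is compared as an ordinary string value: no rows,
// no error, because it was never spliced into the query text.
$rows = usersByDepartment($conn, 'sqlite', "1 OR 1=1");
printf("odd input: %d row(s)\n", count($rows));

// The quote swap from the question would have stored this instead:
printf("after quote swap: %s\n", quoteSwapDamage("O'Brien"));
```

Swapping `'sqlite'` for `'mysql'` or `'mssql'` and pointing `$conn` at a real server changes only the query string the function builds; the calling code and the binding stay the same, which is the answer's point.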
