Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Artqookie2011-04-22 19:51:21
PHP
Artqookie, 2011-04-22 19:51:21

SQL Injection Protection

Wrote a small function in PHP:

function sql_guard($method, $query, $type)
{
  if ($method == 'POST')
    $safe_text = ($type == 'int') ? intval($_POST["$query"]) : addslashes($_POST["$query"]);
  elseif ($method == "GET")
    $safe_text = ($type == 'int') ? intval($_GET["$query"]) : addslashes($_GET["$query"]);
  else
    $safe_text = ($type == 'int') ? intval($_REQUEST["$query"]) : addslashes($_REQUEST["$query"]);

  return $safe_text;
}


It is applied like this:
$var1 = sql_guard('POST', 'input1');
$var2 = sql_guard('POST', 'input2', 'int');


I think what she does is not worth explaining. And now, in fact, I have a question about the advisability of using such a function. Isn't it easier (and maybe more correct) to do addslashes or intval in the request body itself? Or is it a matter of taste?

I would also like to know what other methods of injection protection should be used. Anyway, general safety tips.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

6 answer(s)
Report
D
DevMan, 2011-04-22
@Artqookie

Discover PDO and placeholders.

Report
N
niko83, 2011-04-22
@niko83

I don’t agree with your line “I think what she does is not worth explaining.”
My comment may not be entirely on the topic of the question, but still I will comment on the code: the function is terrible. Despite the fact that the function has 10 lines, it takes 3 arguments at the input, there are elseif constructs, two types of quotes are used, including such things as $_GET["$query"], three ternary operators
A program written in this style causes VERY large difficulty understanding it.
besides the
line $var1 = sql_guard('POST', 'input1'); will cause an error.
PS: Read McConnell's Perfect Code

Report
Z
Zazza, 2011-04-22
@Zazza

a server without pdo is a very strange thing, is such a miracle necessary?

Report
@
@resurection, 2011-04-27
_

If we replace the entry
$var2 = sql_guard('POST', 'input2', 'int');
to
$var2 = (int) sql_guard('POST', 'input2'); // this construction is shorter by one comma,
then your function can be reduced by 2 times by throwing out all the ternary conditions.
You can also replace:
$var1 = sql_guard('POST', 'input1');
on
$var1 = sql_guard($POST['input1']);
Then your function will turn into an alias and will contain only one call to addSlashes or mysql_real_escape_string

Report
Z
zexel, 2011-04-29
@zexel

mysql_real_escape_string
intval
Only these functions need to be used, intval for numbers, but mysql_real_escape_string for all other types ... I guarantee that there will be no sql injection in this way

Report
V
Vitaly Zheltyakov, 2011-04-22
@VitaZheltyakov

- All data that should not contain quotes is cut by whitelist filtering.
- Data that can be with quotes and that can be cut by filtering is processed by the mysql_real_escape_string function.
There may be encoding problems in your method.

Similar questions
A
Anholle2019-09-09 11:37:42
How to set up a filter in the feedback form? 0Reply
D
Dmitry2019-09-20 14:21:34
Does not download files from utorrent, openwrt firmware? 1Reply
R
ReDeNDeR2021-04-06 13:10:49
How to order raspberry pi in Baku? 4Reply
S
Simon Tis2019-10-03 19:03:22
How all the same to connect a script in header 1C? 3Reply
I
Ivan Zhuravlev2019-10-07 20:13:32
How to set up routing on Raspberry Pi? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question