Will this protect from SQL Injection?


5 replies to this topic

#1 Chris.

    Young Padawan

  • Members
  • Pip
  • 129 posts
  • Gender:Male

Posted 10 October 2006 - 08:16 PM

I was wondering if something like this would protect from SQL Injection. Here is the code (Got it from PHP, I just want to be sure).

function quote_smart($value)
{
    // magic_quotes_gpc already added slashes to GET/POST/COOKIE data;
    // undo that first so the value is not escaped a second time below.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Non-numeric values are escaped for MySQL and wrapped in quotes,
    // so the result can be dropped straight into the query text.
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

thanks

#2 Hayden

    P2L Jedi

  • Members
  • PipPipPip
  • 716 posts
  • Gender:Male
  • Location:Texas

Posted 11 October 2006 - 02:46 AM

I've always believed that htmlspecialchars() and strip_tags() would help with validating user input before using it.

#3 Mr. Matt

    Moderator

  • P2L Staff
  • PipPipPipPip
  • 1,945 posts
  • Gender:Not Telling

Posted 11 October 2006 - 06:26 AM

Yes, when I use values I have a global function which does strip_tags, htmlspecialchars and mysql_real_escape_string.

Can never be too sure these days.

Matt

#4 Matthew.

    Official Spammer .Matt

  • Members
  • PipPipPipPip
  • 2,749 posts
  • Gender:Male
  • Location:England

Posted 11 October 2006 - 06:56 AM

The code you posted above will work (just wondering why you are adding a single quote to the escaped value?), however checking for both magic quotes and whether the value is numeric is pretty inefficient, especially since it will be used many times during the script. I use a function that reverses the effect of magic quotes (strips the string of slashes) on all superglobals before I use them, so I can simply add the slashes myself (using addslashes or mysql_escape_string).

However for you this will do fine:
$value = addslashes( stripslashes( $value ) );

If you do not strip the slashes first, you will end up with a double-escaped string due to magic quotes, which is an annoyance when using it, as you will only end up having to use stripslashes again.

As long as the quotes are escaped you will have no problems.

Edited by Matthew., 11 October 2006 - 06:57 AM.


#5 rc69

    PHP Master PD

  • P2L Staff
  • PipPipPipPip
  • 3,827 posts
  • Gender:Male
  • Location:Here
  • Interests:Web Development

Posted 12 October 2006 - 02:58 PM

Actually, htmlspecialchars and strip_tags do nothing to validate input or protect MySQL. In fact, doing both to the same string is a waste of time. The only time you would want to run either is when you're going to display info in something like a shoutbox.

Personally, I think the following would work better (for strings to be used in MySQL queries only).
function quote_smart($value)
{
    // Undo the slashes magic_quotes_gpc added, so the value is escaped exactly once.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }

    // Escape for MySQL only; the caller adds the surrounding quotes in the query.
    return mysql_real_escape_string($value);
}
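
The two points made in this thread, that strip_tags/htmlspecialchars leave the quote alone and that escaping an already-slashed value double-escapes it, can be checked in a few lines. The script below is an added example, not code from any poster. Because magic_quotes_gpc and the mysql_* extension no longer exist in current PHP, it uses addslashes() as a stand-in both for what magic quotes did to incoming data and for mysql_real_escape_string(), which needs a live connection; the function names quote_smart_rc69 and as_stored_by_mysql are the example's own.

```php
<?php
// Added example, not code from the thread. addslashes() stands in for
// mysql_real_escape_string() (needs a connection) and for the slashes
// magic_quotes_gpc used to add to every request value.

// Decode a quoted SQL string literal the way the MySQL parser does for
// the two sequences that matter here: \\ -> \ and \' -> '.
// stripslashes() performs exactly that decoding.
function as_stored_by_mysql(string $escaped): string
{
    return stripslashes($escaped);
}

// rc69's quote_smart(), with the magic-quotes check passed in as a flag
// instead of calling the removed get_magic_quotes_gpc().
function quote_smart_rc69(string $value, bool $magic_quotes_on): string
{
    if ($magic_quotes_on) {
        $value = stripslashes($value);   // undo what magic quotes did
    }
    return addslashes($value);           // stand-in for mysql_real_escape_string()
}

$raw = "O'Reilly";   // legitimate data that happens to contain a quote

// 1. HTML output functions do not touch the quote. With PHP's pre-8.1
//    default flags (ENT_COMPAT) htmlspecialchars() converts only double
//    quotes, so a '...' literal in the SQL is still terminated early.
$html = htmlspecialchars(strip_tags($raw), ENT_COMPAT);
echo "html-escaped  : $html\n";
// html-escaped  : O'Reilly

// 2. Correct path, magic quotes off: escape once, MySQL stores the original.
$once = quote_smart_rc69($raw, false);
echo "escaped once  : $once -> stored as " . as_stored_by_mysql($once) . "\n";
// escaped once  : O\'Reilly -> stored as O'Reilly

// 3. Magic quotes on: the request value already arrived slashed...
$from_request = addslashes($raw);   // what $_POST would have contained

// ...so escaping it again without stripping first is Matthew's double
//    escape, and the database keeps a stray backslash.
$double = addslashes($from_request);
echo "double-escaped: $double -> stored as " . as_stored_by_mysql($double) . "\n";
// double-escaped: O\\\'Reilly -> stored as O\'Reilly

// ...whereas stripping first, as quote_smart() does, stores the right value.
$fixed = quote_smart_rc69($from_request, true);
echo "strip+escape  : $fixed -> stored as " . as_stored_by_mysql($fixed) . "\n";
// strip+escape  : O\'Reilly -> stored as O'Reilly
```

Run it with `php example.php`; the three "stored as" lines show the value the database would end up holding in each case, which is the only thing that matters for both the data-integrity and the injection question.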


#6 dEcade

    P2L Staff

  • P2L Staff
  • PipPipPipPip
  • 1,850 posts
  • Gender:Male
  • Location:Saskatoon, Saskatchewan
  • Interests:Guitar, Programming, Storm Chasing, Games (Designing and playing), Hockey, Photography

Posted 12 October 2006 - 05:01 PM

Just a general question, what do get_magic_quotes_gpc() and get_magic_quotes_runtime() do exactly? I was searching on php.net but didn't find a good definition.

EDIT: Did some digging and found everything out :(

dEcade

Edited by dEcade, 12 October 2006 - 05:07 PM.
