PHP mysql injection protection

Question

I have written this short function to protect against my_sql injection, because of its importance I just want to double check with other's that this will function as I intend.

foreach($_REQUEST as $key => $value) {          
    $_REQUEST[$key] = stripslashes($value);
    $_REQUEST[$key] = mysql_real_escape_string($_REQUEST[$key]);
}

Don't modify the superglobals. They should be left untouched. If you only ever run your own code, it's "ok". but once you start mixing in other libraries, they may expect/require untouched data, and you've now mangled things. — Marc B, Aug 12 '11 at 16:40

score 11 · Accepted Answer · answered Aug 12 '11 at 16:38

Well, you use stripslashes() because the magic_quotes_gpc is set? So this code will only work when magic_quotes_gpc is set! I'd recommend you switch it off and dont use the strislashes() call.

But note there is nothing like "universal sanitization". Let's call it just quoting, because that's what its all about.

When quoting, you always quote text for some particular output, like:

string value for mysql query
like expression for mysql query
html code
json
mysql regular expression
php regular expression

For each case, you need different quoting, because each usage is present within different syntax context. This also implies that the quoting shouldn't be made at the input into PHP, but at the particular output! Which is the reason why features like magic_quotes_gpc are broken (always assure it is switched off!!!).

So, what methods would one use for quoting in these particular cases? (Feel free to correct me, there might be more modern methods, but these are working for me)

mysql_real_escape_string($str)
mysql_real_escape_string(addcslashes($str, "%_"))
htmlspecialchars($str)
json_encode() - only for utf8! I use my function for iso-8859-2
mysql_real_escape_string(addcslashes($str, '^.[]$()|*+?{}')) - you cannot use preg_quote in this case because backslash would be escaped two times!
preg_quote()

@Karolis, do you mean character encoding? I don't think you need to check input character encoding, if you have everything set properly. — Tomas, Aug 12 '11 at 16:59

score 5 · Answer 2 · answered Aug 12 '11 at 16:40

5

If you use PDO (properly) you don't have to worry about MySQL injection.

Sample:

/* Execute a prepared statement by passing an array of insert values */
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour');
$sth->execute(array(':calories' => $calories, ':colour' => $colour));

More information

answered Aug 12 '11 at 16:40

Arjan

9,784
1
31
41

Ive seen this type of coding but never knew the purpose. I will research it so I can begin using it at the start of my next project. Thank you – Johnny Craig Aug 12 '11 at 16:43
This is THE best way to avoid sql injection. – Erlend Aug 16 '11 at 15:41

score 3 · Answer 3 · edited Jun 20 '20 at 09:12

3

Seems like a bit of sledgehammer approach. You don't need stripslashes unless your running magic_quotes. Type-Casting can be more elegant when you know you want int, float or bool.

Further Info:

Type-Casting: http://php.net/manual/en/language.types.type-juggling.php

testing for magic quotes: http://www.php.net/manual/en/function.get-magic-quotes-gpc.php (Thanks Karolis)

edited Jun 20 '20 at 09:12

Community

1
1

answered Aug 12 '11 at 16:33

Shad

15,134
2
22
34

can you please link me to a resource with more information on what you propose to do – Johnny Craig Aug 12 '11 at 16:35
1

@Johnny `if (get_magic_quotes_gpc()) $_REQUEST[$key] = stripslashes($value);` – Karolis Aug 12 '11 at 16:38

score 1 · Answer 4 · answered Jul 04 '12 at 19:48

Tomas's suggestion is good, but you should always keep them both in mind, so this can be great:

if (get_magic_quotes_gpc()) { // Check if magic quotes are enabled
    foreach($_REQUEST as $key => $value) {          
       $_REQUEST[$key] = stripslashes($value);
       $_REQUEST[$key] = stripslashes($_REQUEST[$key])
    } 
} else {
    foreach($_REQUEST as $key => $value) {
      $_REQUEST[$key] = mysql_real_escape_string($value);
      $_REQUEST[$key] = mysql_real_escape_string($_REQUEST[$key]);
    } 
}

score 1 · Answer 5 · answered Aug 12 '11 at 16:31

1

you need to explicitly add the database connection identifier into

mysql_real_escape_string(..., $db_connection_identifier);

mysql_real_escape_string

string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )

answered Aug 12 '11 at 16:31

ajreal

46,720
11
89
119

so if my connection is $con = mysql_connect("localhost"... i should add: $_REQUEST[$key] = mysql_real_escape_string($_REQUEST[$key],$con); ? – Johnny Craig Aug 12 '11 at 16:34
yes, to avoid problem mentioned here http://stackoverflow.com/questions/1220182/does-mysql-real-escape-string-fully-protect-against-sql-injection and http://stackoverflow.com/questions/4243657/someone-has-hacked-my-database-how-did-this-guy-do-it/4244562#4244562 – ajreal Aug 12 '11 at 16:35
The syntax diagram says that the link identifier is optional. So unless you have multiple database connections open, you don't really _need_ to add the argument explicitly. – Barmar Jun 06 '14 at 22:51

score 1 · Answer 6 · answered Aug 12 '11 at 16:32

1

If you include arbitrary $keys in your query, you should escape those too.

answered Aug 12 '11 at 16:32

Jared Ng

4,891
2
19
18

I had not thought of that, I don't do that often. But i am glad you brought that up for the times when I do. – Johnny Craig Aug 12 '11 at 16:37

PHP mysql injection protection

6 Answers6

Further Info:

Linked