
In a login script I found online, the creator added this function to prevent SQL injection attacks.

<?php
// Relies on the legacy mysql_* extension: mysql_real_escape_string() needs an
// open mysql_connect() link and escapes according to that link's charset.
function Fix($str) {
    $str = trim($str);
    // Undo the backslashes magic_quotes_gpc added to request data, if it is on,
    // so the value is not escaped twice.
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

Since I read that magic_quotes_gpc is (or has been) removed, it feels like this function is a bit outdated. Wouldn't simply using mysqli_real_escape_string($user_input) add sufficient security?

Praveen Kumar Purushothaman
Sandokan

2 Answers


mysql_real_escape_string is not sufficient in all situations, but it is definitely a very good friend. The better solution is using Prepared Statements:

<?php
// example from http://php.net/manual/en/pdo.prepared-statements.php
// Assumes an open PDO connection in $dbh, e.g.
//   $dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
// and a table REGISTRY(name, value).

$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
// bindParam() binds by reference: the values assigned below are read at execute() time
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();

Also, don't forget HTMLPurifier, which can be used to discard any invalid/suspicious characters.

mysql_real_escape_string() versus Prepared Statements

mysql_real_escape_string() is prone to the same kind of issues affecting addslashes().

Answer From Chris Shiflett (Security Expert)

Praveen Kumar Purushothaman

magic_quotes_gpc is deprecated in 5.3 and removed in 5.4. If your code is intended for distribution (i.e. you don't have control over the environment in which it will be used), it is better to account for the possibility that it will be run in 5.3 with magic quotes enabled. If this is an internal application and you have control over the environment, and you know magic quotes are disabled, there is no point in checking for them.

lanzz