PHP security function

Question

I have make a simple function for security prevent from sql injection and XXS here is my code, any suggestion for this? Is this good enough for security?

function mres($input){
    if(get_magic_quotes_gpc()){
        $input=stripslashes($input);    
    }
    $input=htmlentities($input, ENT_COMPAT, 'UTF-8');
    return mysql_real_escape_string($input);
}

http://stackoverflow.com/q/4223980/285587 – Your Common Sense Jan 24 '13 at 07:07 — Your Common Sense, Jan 24 '13 at 07:07

score 2 · Accepted Answer · answered Jan 24 '13 at 06:40

2

This is wrong in at least two ways:

Turn of magic_quotes completely if you can. At least you are not using it, but $input may not be scalar
htmlentities is for display, not storage. Never encode for storage!
mysql_* functions are deprecated. There is no guarantee you will have an open mysql connection (required) when you call it either.

http://us3.php.net/manual/en/function.mysql-real-escape-string.php

answered Jan 24 '13 at 06:40

Explosion Pills

188,624
52
326
405

so is any way to fix this function? – chien pin wang Jan 24 '13 at 06:46
@chienpinwang no, it's unfixable at this point. Abandon it and all of its contents. Start using `PDO`. – Explosion Pills Jan 24 '13 at 06:54

score 0 · Answer 2 · answered Jan 24 '13 at 07:12

0

Look what you're actually doing:

Magic quotes is a bulk escaping of all incoming data, which makes you vulnerable, as escaping alone doesn't make your data "safe" by any means.

So, you are cleaning these bulk escapes... and then apply the very same escaping again :)

answered Jan 24 '13 at 07:12

Your Common Sense

156,878
40
214
345

Not exactly .. `mysql_real_escape_string` and `addslashes` are not equivalent. Plus `htmlentities` encodes quotes that would be escaped. – Explosion Pills Jan 24 '13 at 14:02

PHP security function

2 Answers2