
I have a security function, but I have a problem. I use MySQLi.

I use this function `secure`:

  function secure($string) {
    $string = htmlspecialchars($string);
    $string = strip_tags($string);
    $string = stripcslashes($string);
    $string = $mysqli->real_escape_string($string);
    return $string;
  }

The problem is that it gives me an error:

Fatal error: Call to a member function real_escape_string() on a non-object in

Thank you!

Prashant Kumar
    The variable `$mysqli` is not in scope in this function. Pass it as a parameter `function secure($string, $mysqli)` – Michael Berkowski Sep 19 '13 at 23:48
  • You haven't set the variable `$mysqli`. You either need to pass it as an argument to the function, or declare it with `global $mysqli;`. – Barmar Sep 19 '13 at 23:48
  • That's overkill and wrong – Dagon Sep 19 '13 at 23:49
  • You shouldn't use `htmlspecialchars()` when putting into the database, you should use `htmlentities()` when rendering. – Barmar Sep 19 '13 at 23:49
  • It is not usually recommended to call `htmlspecialchars()` before storing it in the database. That should be done only on output rather than modifying before storage. Indeed, the subsequent `strip_tags()` does absolutely _nothing_ since `htmlspecialchars()` has already encoded the `<>`. Any tags in the input string are no longer tags after encoding. – Michael Berkowski Sep 19 '13 at 23:49
  • This function does plenty of completely unnecessary (possibly harmful) things. See [The ultimate clean/secure function](http://stackoverflow.com/q/4223980) – Pekka Sep 19 '13 at 23:50
  • Since you're using mysqli, why are you doing any of this, when you could be using prepared statements? – Barmar Sep 19 '13 at 23:50
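The comments above say that `strip_tags()` does nothing after `htmlspecialchars()` and that the rest of the chain mangles data rather than securing it. The following is an added example (not code from the original question or any answer) that runs the first three steps of the posted `secure()` function over constructed inputs so you can see exactly what happens to them; the `real_escape_string()` step is omitted so it runs without a database, and `secure_without_db()` is a name chosen here for that reduced version.

```php
<?php
// Added example: the three non-database steps of the posted secure() function,
// applied to constructed sample strings. Nothing here is from the original post.

function secure_without_db(string $string): string {
    $string = htmlspecialchars($string);   // encodes < > & " (and ' from PHP 8.1) into entities
    $string = strip_tags($string);         // no raw tags survive the previous step, so this is a no-op
    $string = stripcslashes($string);      // interprets C-style escapes: silently eats or converts backslashes
    return $string;
}

// Constructed inputs, each chosen to show one problem with the chain
$samples = [
    '<b>bold</b>',         // tags are already entities, so strip_tags has nothing to strip
    "O'Reilly",            // apostrophe: untouched before PHP 8.1, &#039; from 8.1 on
    'C:\temp\new\table',   // stripcslashes turns \t and \n into a TAB and a NEWLINE
    'x&amp;y',             // already-encoded input is double-encoded (double_encode defaults to true)
];

foreach ($samples as $s) {
    $afterHsc = htmlspecialchars($s);
    printf("input: %s\n", var_export($s, true));
    printf("  after htmlspecialchars: %s\n", var_export($afterHsc, true));
    printf("  strip_tags changed it?  %s\n", strip_tags($afterHsc) === $afterHsc ? 'no' : 'yes');
    printf("  after full chain:       %s\n\n", var_export(secure_without_db($s), true));
}
```

Run it with `php` on the command line: the Windows-style path comes back with real control characters in it, the pre-encoded `&amp;` becomes `&amp;amp;`, and `strip_tags()` never changes anything. None of these transformations has anything to do with SQL; the only step that relates to the query is `real_escape_string()`, and prepared statements make even that unnecessary.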

3 Answers


You could do a couple of things. Maybe do something like:

  function secure($connection, $string) {
    // ENT_QUOTES (3) and the charset belong to htmlentities(), not to real_escape_string(),
    // which takes a single argument
    return $connection->real_escape_string(
      htmlentities(strip_tags(stripcslashes($string)), ENT_QUOTES, 'UTF-8')
    );
  }

Personally I would store something on a secure page, like:

function db(){
  return new mysqli(/*arguments here*/);
}

Then do something like:

  function secure($string) {
    $db  = db();
    $str = $db->real_escape_string(
      htmlentities(strip_tags(stripcslashes($string)), ENT_QUOTES, 'UTF-8')
    );
    $db->close();
    return $str;
  }

Obviously, this is not JavaScript, so you have a scope issue.

StackSlave

If you want your function to work, you have to pass the `$mysqli` object as an argument.

Like this:

  function secure($string, $mysqli) {
    $string = htmlspecialchars($string);
    $string = strip_tags($string);
    $string = stripcslashes($string);
    $string = $mysqli->real_escape_string($string);
    return $string;
  }

I advise you not to use this function:

1. It is overkill and wrong (@Dagon's comment). (Agree)
2. Since you're using mysqli, why are you doing any of this, when you could be using prepared statements? (@Barmar's comment). (Agree)
3. You shouldn't use `htmlspecialchars()` when putting into the database; you should use `htmlentities()` when rendering (@Barmar's comment). (Agree)

Those are, for me, the main reasons for not using it.

You can use prepared statements instead. An example from the manual:
  /* value to look up; the manual example assigns this before preparing */
  $city = "Amersfoort";

  /* create a prepared statement */
  $stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?");

  /* bind parameters for markers */
  $stmt->bind_param("s", $city);

  /* execute query */
  $stmt->execute();

  /* bind result variables */
  $stmt->bind_result($district);

  /* fetch value */
  $stmt->fetch();

  printf("%s is in district %s\n", $city, $district);

  /* close statement */
  $stmt->close();
Emilio Gort
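The manual snippet in the answer above only reads a row. As an added example (not from the answer or the PHP manual), here is the pattern applied to the asker's actual problem: storing user input and reading it back with mysqli prepared statements instead of the `secure()` function, with HTML encoding done at output time only. It assumes a MySQL server on `localhost`, user `app` with password `secret`, database `demo`, and a table `users(id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(100), bio TEXT)`; all of those are assumptions for the example and should be changed to match your environment.

```php
<?php
// Added example: replacing secure() with prepared statements. Connection details
// and the users table are assumptions for this example, not from the original thread.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw exceptions instead of silent failures
$mysqli = new mysqli('localhost', 'app', 'secret', 'demo');
$mysqli->set_charset('utf8mb4'); // keep client and server charset consistent

// Constructed input: breaks a hand-built query and gets mangled by secure()
$name = "O'Reilly";
$bio  = '<b>Bob</b> keeps notes in C:\temp\notes and says 1 OR 1=1 -- ';

// INSERT: values travel separately from the SQL text, so nothing is escaped or encoded
$stmt = $mysqli->prepare('INSERT INTO users (name, bio) VALUES (?, ?)');
$stmt->bind_param('ss', $name, $bio); // 's' = string type for each placeholder
$stmt->execute();
$newId = $mysqli->insert_id;
$stmt->close();

// SELECT: $name is user-controlled but can never change the statement's structure
$stmt = $mysqli->prepare('SELECT id, name, bio FROM users WHERE id = ? AND name = ?');
$stmt->bind_param('is', $newId, $name); // 'i' = integer, 's' = string
$stmt->execute();
$stmt->bind_result($id, $dbName, $dbBio);

while ($stmt->fetch()) {
    // The stored value is byte-for-byte what the user sent
    if ($dbBio !== $bio) {
        throw new RuntimeException('stored bio differs from input');
    }
    // Encode here, for the HTML context, at render time
    printf("<li>#%d %s: %s</li>\n",
        $id,
        htmlspecialchars($dbName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        htmlspecialchars($dbBio,  ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}
$stmt->close();
$mysqli->close();
```

The apostrophe in `O'Reilly`, the backslashes in the path and the `1 OR 1=1 --` fragment all go into the table unchanged and come back unchanged; the SQL text never contains them, so there is nothing to escape. `htmlspecialchars()` is applied once, at the point where the value is written into HTML, which is the separation the commenters were asking for.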

Why are you going through these questions asking about how you can sanitize your inputs so that you can build SQL statements from outside data? Building SQL statements from outside data is dangerous.

Rather than wasting your time worrying about how you can come up with another halfway thought out "solution", stop and put on your Big Programmer Pants and start using prepared statements and bound variables.

Here is a fantastic answer that will get you started: How can I prevent SQL injection in PHP?

You can also check http://bobby-tables.com/php for other examples.

Looks to me like you can still do prepared statements and bound variables with Oracle: http://php.net/manual/en/function.oci-bind-by-name.php or through PDO http://php.net/manual/en/pdostatement.bindparam.php

Andy Lester