I have to remove hazardous characters from my query/POST string. Is there any function defined in PHP to remove them directly, or another way?
Viewed 1,803 times
0
- possible duplicate of [Best way to defend against mysql injection and cross site scripting](http://stackoverflow.com/questions/568995/best-way-to-defend-against-mysql-injection-and-cross-site-scripting) – Quentin Jun 01 '10 at 13:22
- What do you mean by **query post string**? – Sarfraz Jun 01 '10 at 13:22
- You need to define this a little better before we can help you. There are two questions I have: 1) What are you doing with the user input? What is 'hazardous' when putting the user's input in HTML is different from what is 'hazardous' when using the input as part of a MySQL query. 2) Where are you getting the user data from? The query string ($_GET), the POST body ($_POST), or somewhere else? – MtnViewMark Jun 01 '10 at 13:23
5 Answers
1
First things first: what do you use these strings for?
- If you store them in a database: use parameterized queries (use mysqli or PDO instead of mysql).
- If you display them in a web page: use htmlspecialchars to filter HTML code.
- If you use them to redirect the user to some page: filter the \n and \r characters.
- If you use them to send emails: filter the \n and \r characters too.
- If you want to avoid CSRF: don't forget to check the random token you'll have put in your form.
- If you use them to get the path to a file on your system: don't.
- Whatever you do, don't forget to use the filter_input function to get your data, as it handles magic_quotes.
Don't forget to check the OWASP top 5.

Arkh
- So, I guess that's the result from some security audit, and it got you on some SQL injection. As said, use PDO or mysqli (if your RDBMS is MySQL) with parameterized queries. Good luck. – Arkh Jun 01 '10 at 14:57
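The first three rules in the answer above, worked through on constructed input as an added example (this is not Arkh's code or the asker's): a PDO parameterized insert into an in-memory SQLite table, HTML escaping at output time, and a reject-on-CR/LF check for redirect targets. `$post`, `safeRedirectTarget` and the sample values are assumptions made for the example; in a real request the value would come from `filter_input(INPUT_POST, ...)` rather than from this array.

```php
<?php
// Constructed stand-in for $_POST so the script runs from the CLI.
// In a live request: $comment = filter_input(INPUT_POST, 'comment');
$post = [
    'comment' => "O'Brien said: <script>alert(1)</script>", // constructed input
    'next'    => "/home\r\nSet-Cookie: x=1",                // constructed input
];
$comment = filter_var($post['comment'], FILTER_UNSAFE_RAW);
$next    = filter_var($post['next'], FILTER_UNSAFE_RAW);

// 1. Storage: a parameterized query sends the value separately from the
//    SQL text, so the quote inside it is plain data, not syntax.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $comment]);
$stored = $db->query('SELECT body FROM comments')->fetchColumn();
echo $stored === $comment ? "stored verbatim\n" : "stored altered\n";

// 2. Display: escape for the HTML context when you output, not when you
//    store, so the database keeps the original text.
$html = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo $html, "\n"; // O&#039;Brien said: &lt;script&gt;alert(1)&lt;/script&gt;

// 3. Redirects and mail headers: a CR or LF in the value would begin a new
//    header line, so refuse such a value instead of trying to clean it.
function safeRedirectTarget(string $url): ?string
{
    if (preg_match('/[\r\n]/', $url)) {
        return null; // reject: the value would break out of the Location header
    }
    return $url;
}
var_dump(safeRedirectTarget($next));   // NULL
var_dump(safeRedirectTarget('/home')); // string(5) "/home"
```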
0
I hope you aren't putting SQL queries into a GET string... but whatever.
If this is for a query, use mysql_real_escape_string.

Tesserex
0
Normally for this, we can use addslashes and stripslashes in PHP.
But a better method is to use mysql_real_escape_string for the query to avoid this type of SQL injection.

Karthik