
I need to make a security system in a PHP application. I have a problem with that, because this project is very big and hasn't any security. In all queries somebody uses $_POST variables without e.g. mysql_real_escape_string. Changing each query to PDO or MySQLi will take a lot of time. I know that this is the best way, but can I protect the code generally, in the core of the application? E.g.:

// Proposed central escaping of every request value (needs an open mysql connection,
// since mysql_real_escape_string() uses it; nested array values would not be handled)
foreach ($_POST as $name => $data)
{
    $_POST[$name] = mysql_real_escape_string($data);
}

foreach ($_GET as $name => $data)
{
    $_GET[$name] = mysql_real_escape_string($data);
}

I read in this topic that this idea is stupid.

Ruben Lech
FWIW, modifying `$_REQUEST` alone would be simpler than `$_POST` and `$_GET` separately, and you get `$_COOKIE` for free – Drakes Jun 24 '15 at 09:27
  • It depends on where the data is used. If it's used for example by direct output (echo $_GET['foo']), you need to protect it against XSS with strip_tags for example. – sanderbee Jun 24 '15 at 09:37
  • I'm very sorry, and I feel bad to point this out, but the link you posted does go into detail about your question. Thank you for bringing up the topic of sanitization again. It's easy to overlook. – Drakes Jun 24 '15 at 09:41
  • Please don't use `mysql_real_escape_string()`. Use [prepared statements to stop SQL injection](https://paragonie.com/blog/2015/05/preventing-sql-injection-in-php-applications-easy-and-definitive-guide), and escape only when rendering output to [prevent XSS attacks](https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know). – Scott Arciszewski Jun 24 '15 at 12:51

1 Answer


It's a good thing you know mysql is deprecated, but since you still want to use it, I can help you with the way I did mine.

I usually create a function for stripping, trimming and escaping inputs and outputs.

So:

function sanitizer($input)
{
    // trim whitespace, encode HTML special characters, then escape for MySQL
    return mysql_real_escape_string(htmlspecialchars(trim($input)));
}

Then before any input or output I used to pass the fields through the function.

$name = sanitizer($_POST['name']);

And that's all. I hope it helped.

Gideon Appoh
  • I don't get you, what do you mean by in-place methods. – Gideon Appoh Jun 24 '15 at 09:41
  • This collection of functions is total overkill. Just choose the right function for your use case: when working with databases just use the escape function of the database API, when you are displaying user input just use htmlentities or htmlspecialchars. Use trim only when you really want to trim, etc. – Philipp Jun 24 '15 at 09:47
  • @drakes I have edited the function to suit your needs – Gideon Appoh Jun 24 '15 at 09:52
  • @GideonAppoh I'm not the OP. ;) (Just to clarify, something like [sort()](http://php.net/manual/en/function.sort.php) is an in-place function, but [trim()](http://php.net/trim) is not.) – Drakes Jun 24 '15 at 10:16
  • Really, but you can use trim() as in-place too, read more about that. – Gideon Appoh Jun 24 '15 at 10:25
  • @GideonAppoh I think you're mistaken, `trim` cannot be used in-place. See here: http://ideone.com/Fe8apM – Jim Jun 24 '15 at 10:34
  • Thanks Jim, but I have been seeing these codes a lot from professionals – Gideon Appoh Jun 24 '15 at 10:48
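The per-context alternative to the question's global escaping loop and the answer's all-in-one sanitizer(), as an added example that is not code from the question or the answer: it assumes the pdo_sqlite extension, with an in-memory table standing in for the MySQL one, and constructed request values in place of $_POST and $_GET.

```php
<?php
declare(strict_types=1);

// Added example (not from the question or the answer): the jobs the thread
// mixes into one "sanitizer" are done per context instead. Assumes pdo_sqlite;
// an in-memory database stands in for the MySQL one.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('Alice'), ('O''Brien')");

// Database context: a prepared statement keeps the value out of the SQL text,
// so escaping $_POST/$_GET in the application core is neither needed nor enough.
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);   // raw value, bound as data
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Integer context: mysql_real_escape_string() changes nothing in an unquoted
// number, so the global loop in the question would not cover such a query;
// validating the type and binding it as an integer does.
function findUserById(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML context: escape when rendering, not on the way into the database, so
// stored data stays as entered and is never double-encoded.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request values standing in for $_POST['name'] and $_GET['id'].
$name = "O'Brien";
$id   = filter_var('2', FILTER_VALIDATE_INT);  // false unless it is an integer

$user = findUserByName($pdo, $name);
echo $user === null ? "no such user\n" : 'Found: ' . e($user['name']) . "\n";
$byId = $id === false ? null : findUserById($pdo, $id);
echo $byId === null ? "no such user\n" : 'By id: ' . e($byId['name']) . "\n";
```

With pdo_mysql the same code applies unchanged apart from the DSN; the apostrophe in the constructed name reaches the database intact and is only encoded at the echo.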