I'm a PHP novice, trying to validate HTML form submission via PHP learned in a tutorial.

Code uses mysql_real_escape_string which PHP.net says is deprecated.

Here's an excerpt of that entire section:

/*Cleans an array to protect against injection attacks.*/
function f_clean($array) {
    return array_map('mysql_real_escape_string', $array);
}

What, if anything, should I add or change in the PHP in order to maintain this security measure?

  • This is not a duplicate question, but I agree what I'm asking about is part of at least one answer at (http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). That said, the answers there get so lengthy and complicated (for a novice like me, anyway), they're a bit unwieldy. – Mark Gavagan Sep 17 '15 at 21:37

1 Answer

The updated non-deprecated equivalent of mysql_real_escape_string is mysqli_real_escape_string.

However, mysqli_real_escape_string is not infallible! Even if it covers most practical cases for the average use, you should take precautions and use it in combination with trim(), parameterized inserts, prepared statements, and strict inputs. There are many questions and resources to help you on this.

  • That's it? I just now confirmed I have mysql Server version: 5.5.42-cll-lve and Current PHP version: 5.4.432.0 with **PHP extension: mysqli**, so I guess that'll do fine. Thank you! – Mark Gavagan Sep 17 '15 at 21:26
  • I just added the i after mysql, as directed, and upon submitting, the form now returns this error: `Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '( ID int NOT NULL AUTO_INCREMENT, PRIMARY KEY(ID), timestamp int NOT NU' at line 1` – Mark Gavagan Sep 17 '15 at 21:31
  • To follow-up, I removed the `i` and the form submission is working fine again. I'm certainly not an expert, but switching from mysql to mysqli is a somewhat involved process: (http://stackoverflow.com/questions/4598854/how-do-i-migrate-my-site-from-mysql-to-mysqli) – Mark Gavagan Sep 17 '15 at 21:46
  • Your sql syntax is probably wrong then, what is the statement you are escaping? – q.Then Sep 17 '15 at 22:28
  • Here it is: `/*Cleans an array to protect against injection attacks.*/ function f_clean($array) { return array_map('mysql_real_escape_string', $array); }` Thank you. – Mark Gavagan Sep 17 '15 at 23:29
  • `function return($x) { return mysqli_real_escape_string($x); } array_map('return', $array);` – q.Then Sep 17 '15 at 23:30
  • Hmm. Thank you @Valkyrie, but I don't know whether I'm making progress or falling farther behind. If the function `f_clean` is removed, per your suggested code immediately above, won't other instances where `f_clean` is used, such as `/*This cleans our $_POST array to prevent against SQL injection attacks.*/ $_POST = f_clean($_POST);` become problematic? – Mark Gavagan Sep 18 '15 at 16:09
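As an added example (not code from the question or the answer), here is the escaping helper migrated to mysqli, which needs the connection as its first argument, next to the prepared-statement insert the answer recommends; the `submissions` table, its columns and the connection details are assumed.

```php
<?php
// Added example: mysqli migration of f_clean() plus a prepared-statement insert.
// The table `submissions` (columns `name`, `email`) and the connection details
// are assumptions for this snippet, not taken from the question.

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4'); // escaping is only correct for the connection's charset

/* mysqli_real_escape_string() takes the connection first, so a bare
   array_map('mysqli_real_escape_string', $array) cannot work. A closure that
   captures the connection keeps f_clean() usable at its existing call sites. */
function f_clean(mysqli $db, array $array): array {
    return array_map(function ($value) use ($db) {
        return mysqli_real_escape_string($db, (string) $value);
    }, $array);
}

/* Escaping is the weaker option: it only makes a value safe inside a quoted
   string literal and protects nothing placed in the SQL unquoted (numbers,
   column names, LIMIT clauses). A prepared statement sends the values
   separately from the SQL text, so they cannot alter the statement's structure. */
function save_submission(mysqli $db, string $name, string $email): bool {
    $stmt = $db->prepare('INSERT INTO submissions (name, email) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $name, $email); // 's' binds each value as a string
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed stand-in for $_POST, including an apostrophe that would break
// an unescaped, string-built query.
$post = ['name' => "O'Brien", 'email' => 'obrien@example.com'];

// Option 1: the migrated escaping helper; values must still be quoted in the SQL.
$clean = f_clean($db, $post);
$db->query("INSERT INTO submissions (name, email) VALUES ('{$clean['name']}', '{$clean['email']}')");

// Option 2: the prepared statement; raw $post values go straight in, no escaping needed.
save_submission($db, $post['name'], $post['email']);
```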