
I'm currently reading and learning PHP from a book that offers this as the proper way to sanitize input from forms:

function mysql_entities_fix_string($connection, $string)
{
  return htmlentities(mysql_fix_string($connection, $string));
}

function mysql_fix_string($connection, $string)
{
  if (get_magic_quotes_gpc()) $string = stripslashes($string);
  return $connection->real_escape_string($string);
}

Which is great, except I know that get_magic_quotes_gpc() is deprecated in the current version of PHP. From looking at a few different resources I learned that instead of using get_magic_quotes_gpc() I should just use an SQL prepared statement. That confuses me though, because I would presume that we still need to do some functional cleaning of the string.

Unless I'm wrong (it happens, I'm relatively new at this) this is a big no-no, regardless of the prepared statement:

$username = $_POST['username'];
$stmt = $conn->prepare("SELECT password FROM users WHERE username=?");
$stmt->bind_param("s", $username);
$stmt->execute();
...

but if that's the case, is this an acceptable sanitation process:

function get_post($conn, $var) {
  return $conn->real_escape_string($_POST[$var]);
}
...
$username = get_post($conn, 'username');
$stmt = $conn->prepare("SELECT password FROM users WHERE username=?");
$stmt->bind_param("s", $username);
$stmt->execute();
...

or do I need to add some other escaping function on top of it?

  • Using the prepared statement don't do any of that other stuff. – AbraCadaver Jun 28 '16 at 18:55
  • Prepared statements negate the need for this kind of sanitizing. You can still check for other things you don't want to include in the data, but you don't have to protect the query itself from it. The reason people had to "sanitize" data was because they would concatenate it directly into the query, thereby treating that data *as executable code*. Prepared statements with query parameters don't treat the value as code, so the problem becomes moot. – David Jun 28 '16 at 18:57
  • Burn that book with napalm and get your money back. – PeeHaa Jun 28 '16 at 18:57
  • Dunno why user @zfrisch didn't name the book they were using. It's "Learning PHP, MySQL & JavaScript" by Robin Nixon (I know because I'm here after pondering this question while reading the book); one of the top rated PHP books on Amazon. If they were specific about which book, this question _shouldn't_ be marked a duplicate and instead would serve as clarification to current and future readers of the aforementioned book from experienced PHP users on an important issue the book isn't totally clear about. – DeltaFlyer Jan 05 '19 at 06:21
  • @DeltaFlyer well, it is the question title :) – zfrisch Jan 05 '19 at 22:21

1 Answer


Uh no. That sanitization code is garbage.

Your proposed sanitization process with PDO statements is fine. That is all you need.

  • What more needs to be said? – Mulan Jun 28 '16 at 18:57
  • Thanks naomik. That's exactly what I needed to know. Judging by the backlash in the comments I'll probably start looking for a newer book lol. This one's from November of 2014, so I didn't think it could be THAT off. – zfrisch Jun 28 '16 at 19:00
  • Using external resources would greatly increase the quality of your answer. Explaining the why of things might also cause the same effect. Anyway, that's just what I took from [how-to-answer](http://stackoverflow.com/help/how-to-answer) ^^ – FirstOne Jun 28 '16 at 19:02
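As an added illustration of the point made in the answer and in David's comment (example code written for this page, not from the question, the book or the answer), the script below uses mysqli as the question does and shows that bind_param() carries a quote in a username as plain data, while calling real_escape_string() first, as the question's get_post() does, turns the value into a different string and makes the lookup miss. It assumes a reachable MySQL server; the host, user, password and database names are placeholders.

```php
<?php
// Added example, not from the question or the book. Assumes a running MySQL
// server; host, user, password and database below are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('localhost', 'db_user', 'db_password', 'testdb');
$conn->set_charset('utf8mb4');

// Constructed sample data: a temporary table and a username containing a quote.
$conn->query("CREATE TEMPORARY TABLE users (username VARCHAR(64) PRIMARY KEY, password VARCHAR(255))");
$stored = "O'Brien";
$hash   = password_hash('example-only', PASSWORD_DEFAULT);
$ins = $conn->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
$ins->bind_param("ss", $stored, $hash);   // the quote in $stored is sent as data; no escaping needed
$ins->execute();

// Number of rows whose username equals $username, looked up with a bound parameter.
function count_user(mysqli $conn, string $username): int
{
    $stmt = $conn->prepare("SELECT password FROM users WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->store_result();
    return $stmt->num_rows;
}

// Stand-in for $_POST['username'] as a form would submit it.
$input = "O'Brien";

// Bound as-is: the driver keeps the quote as part of the value, so the row matches.
echo "raw value:       ", count_user($conn, $input), " row(s)\n";

// Escaped first, as get_post() in the question does: the parameter now carries
// a literal backslash (O\'Brien), which is a different username, so nothing matches.
$escaped = $conn->real_escape_string($input);
echo "escaped first:   ", count_user($conn, $escaped), " row(s)\n";

// htmlentities() is output encoding for HTML, not query protection; apply it
// when the value is printed into a page, not before it is bound to the query.
echo "for HTML output: ", htmlentities($input, ENT_QUOTES, 'UTF-8'), "\n";
```

The first lookup finds the row and the second does not, which is why escaping on top of a bound parameter is not merely redundant but silently corrupts any value that contains a quote or backslash.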