
Many days ago, my friend read this question: "How can I prevent SQL injection in PHP?". And I know that there are many good answers to solve this problem.

I have a friend who is better at working with PHP than me. Yesterday, he said to me: "There are many good answers in here. But can you write other code for solving this problem?".

He still uses PHP 4; so he does not like to use any mysqli_ function, and neither do I.


So, I have created a simple function, in PHP:

<?php

// Escapes and sanitises one request value before it is used.
function MyFun($MyVar)
{
    // Escape ' " \ and NUL with backslashes, unless magic_quotes_gpc already did.
    // (Magic quotes were removed in PHP 5.4; get_magic_quotes_gpc() itself in PHP 8.0.)
    if (!get_magic_quotes_gpc()) { $MyVar = addslashes($MyVar); }

    $MyVar = strip_tags($MyVar);   // remove HTML and PHP tags
    $MyVar = htmlentities($MyVar); // convert applicable characters to HTML entities

    return trim($MyVar);           // strip leading and trailing whitespace
}

?>

I used my function on every $_POST[] or $_GET[] value, for instance:

$Var1 = MyFun($_POST['Txt1']);
$Var2 = MyFun($_GET['Txt2']);

My friend said: "It cannot prevent any SQL injection." I do not think so.

Can you tell me: "Is it safe to prevent SQL injection with this function?"

asked by 16ctt1x
  • So... your friend is so vehemently against using what actually works that he wants to re-invent the wheel and write his own SQLi function? I'm sure that will end well. – Siyual Aug 10 '16 at 14:14
  • The function is trying to do a lot more than trying to prevent SQL injection, wrapped in a check for the deprecated magic quotes setting; it's sanitising values as well, and looks like something written for PHP4. The standard and recommended method to prevent SQL injection is to use prepared statements with bind variables, so why not do that instead? – Mark Baker Aug 10 '16 at 14:15
  • @MarkBaker, Yes, I wrote it for *PHP 4*. – 16ctt1x Aug 10 '16 at 14:16
  • Note that escaping quotes and other characters is database-specific, so this generic approach won't work with all databases, and there are ways of forcing "bad" values through an addslashes, and you do not necessarily need to include faked quotes in a SQL statement to inject bad SQL. – Mark Baker Aug 10 '16 at 14:16
  • Are you still running your application under PHP4? – Jerbot Aug 10 '16 at 14:18
  • Why don't you like mysqli or PDO? And why are you still using PHP4? – simon Aug 10 '16 at 14:18
  • @SuperJer, Yes, he does not want to work with *PHP 5*. – 16ctt1x Aug 10 '16 at 14:18
  • @YeuSeChia It is recommended that he take a good look at what it would take to run his application under an updated and maintained framework, instead of writing his own security 'patches' for deprecated libraries. – Jerbot Aug 10 '16 at 14:21
  • I know it's your friend, but if he (1) doesn't want to use mysqli and (2) doesn't want to work with anything past PHP4, I'm not so sure I would use his advice as guidance on how to secure applications. Sorry. – BeetleJuice Aug 10 '16 at 14:24
  • I'd be far more concerned that your friend refuses to use a version above PHP 4, which was EOL'd almost 10 years ago. Talk of security should start with keeping updated libraries. – castis Aug 10 '16 at 14:25
  • How can anyone want to use an old version in development? Sorry, but if your friend prefers to use the old version, you may be a better programmer than he is if you prefer the newer version. Now, to answer your question, this function protects you in part, and I do not see much need to use htmlentities(); in particular, I do not like it. And about the devoted in your question, it must be because of your friend's preference, not the question itself, I don't know. (Sorry for my bad English.) – Lucas Martins Aug 10 '16 at 14:42
  • The function above will not sanitize a string like `1 or 1=1`, which could be used to inject into a query like `select * from t where id=$var`. – Scovetta Jan 17 '17 at 09:12
  • I believe your friend is not so good at PHP if he insists on using v4. – RozzA Apr 28 '17 at 07:26

0 Answers
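The numeric-context case raised in the comments, as an added example that is not code from the question or its commenters: the question's MyFun() leaves `1 or 1=1` untouched when it is pasted into an unquoted `WHERE id = ...`, so the interpolated query returns all three rows, while a PDO prepared statement with a bound parameter returns none. It assumes the pdo_sqlite extension is available; the table, rows and input value are constructed for the demonstration.

```php
<?php
// Added example, not code from the question or its comments. It runs stand-alone
// against an in-memory SQLite database through PDO (needs the pdo_sqlite
// extension); the table, rows and input value are constructed for the demo.

function MyFun($MyVar)
{
    // The question's function, minus the magic_quotes check (removed in PHP 5.4).
    $MyVar = addslashes($MyVar);
    $MyVar = strip_tags($MyVar);
    $MyVar = htmlentities($MyVar);
    return trim($MyVar);
}

function lookupInterpolated(PDO $db, $input)
{
    // How the question uses MyFun(): the "cleaned" value is pasted into SQL.
    // In an unquoted numeric context there is no quote for addslashes() to
    // escape, and strip_tags()/htmlentities() do not touch '1 or 1=1' either,
    // so the whole expression becomes part of the WHERE clause.
    $sql = 'SELECT id FROM t WHERE id = ' . MyFun($input);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

function lookupBound(PDO $db, $input)
{
    // Prepared statement with a bound parameter (PDO, PHP 5.1+): the input is
    // sent to the database as a value and is never parsed as SQL, so the same
    // string matches no row. No escaping function is involved.
    $stmt = $db->prepare('SELECT id FROM t WHERE id = :id');
    $stmt->execute([':id' => $input]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE t (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO t VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// The value a caller might receive in $_GET['id']: the case raised in the comments.
$input = '1 or 1=1';
echo 'interpolated MyFun() value: ', count(lookupInterpolated($db, $input)), " rows\n";
echo 'bound parameter:            ', count(lookupBound($db, $input)), " rows\n";
```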