Protect sql injections at the PHP level

Asked Aug 26 '16 at 13:07

Active Aug 26 '16 at 13:07

Viewed 38 times

I have some older code to maintain and I am worried about SQL injections, but I cannot use PDO. I would like instead to have a top level PHP function to examine $_GET and $_POST and stop the script if anything suspicious is found.

What would be a good function to write at this point? For example, I could start with that:

$flag = 0;
$req = array_merge($_GET, $_POST);
foreach ($req as $rx)
{
    if (strpos(strtolower($rx), 'drop ') !== false)
        $flag = 1;
    if (htmlspecialchars($rx,ENT_QUOTES) !== $rx)
        $flag = 1;
....
}

Thanks.

asked Aug 26 '16 at 13:07

Michael Chourdakis

10,345
3
42
78

1

In effect, you want to reinvent the `magic quotes` feature which has been removed from PHP long ago due to fatal inefficiency. – Your Common Sense Aug 26 '16 at 13:12
2

So if $rx contained the perfectly valid "I fancy a drop, want to join me in the pub?" you'd treat it as invalid? – Mark Baker Aug 26 '16 at 13:20
1

You dnt want to use the mysql_real_escape_string() ? – Hassan ALi Aug 26 '16 at 13:20
@HassanALi JFYI, this function is not intended to protect from SQL injection and thus shouldn't be used for this purpose. – Your Common Sense Aug 26 '16 at 13:22
@MarkBaker yes, this is a greek registration database, only greek personal user information is allowed. – Michael Chourdakis Aug 26 '16 at 14:45

Protect sql injections at the PHP level

0 Answers0