
I normally use the below function to sanitize my form inputs and get values. But this has suddenly stopped working, and I understand that the get_magic_quotes_gpc() feature has been removed from PHP since version 5.4 and cannot be enabled or configured anymore; it is permanently set to "off". Right now I'm using PHP 5.6. Can somebody suggest me a function like this to sanitise data and prevent SQL injection?

function clean($str) {
    $str = @trim($str);                    // strip surrounding whitespace (@ hides warnings for non-string input)
    if(get_magic_quotes_gpc()) {           // magic quotes already added backslashes to GPC data...
        $str = stripslashes($str);         // ...so remove them to avoid double escaping
    }
    return mysql_real_escape_string($str); // escape for use inside a quoted MySQL string literal
}
Barry
Lucky13
  • I'd strongly recommend the usage of prepared statements within the PDO context and moving on from the mysql_* functions. Also, mysql_* was removed in PHP 7, only leaving PDO and mysqli_* behind. – KhorneHoly Oct 19 '18 at 08:47
  • `get_magic_quotes_gpc` that's a throwback, I remember those days. Best to avoid magic quotes. `5.4.0 Always returns FALSE because the magic quotes feature was removed from PHP.` - http://php.net/manual/en/function.get-magic-quotes-gpc.php – ArtisticPhoenix Oct 19 '18 at 08:49
  • As magic quotes were removed, you can just get rid of the `if` and are basically left with `mysql_real_escape_string()`. But this API has also been deprecated and removed in PHP 7. As the support for PHP 5 ends at the end of this year, this would be a good point to migrate to PHP 7 and PDO. – Karsten Koop Oct 19 '18 at 08:51
  • I really couldn't resist the urge. This reminds me of that Geico commercial "Do you live under a rock?" and imagining that when the guy pops out from under the rock and looks at the billboard, the billboard reads "Still using magic quotes?" – CecilMerrell aka bringrainfire Oct 19 '18 at 09:16

3 Answers


The mysql_real_escape_string option would only make sense for legacy code on an old version of PHP, and if you are not thinking of upgrading your MySQL version.

function clean($str) {
    $str = @trim($str);                    // strip surrounding whitespace; no stripslashes() needed without magic quotes
    return mysql_real_escape_string($str); // escape for use inside a quoted MySQL string literal
}

Recommended: Upgrade your MySQL version to the latest one. Use parameterized queries/prepared statements. Here you will find a helpful discussion.

Dinesh Belkare

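Since both the comments and this answer point to prepared statements, here is an added example (not code from the question or from any answer) of what replaces clean() plus string concatenation: a PDO placeholder, with the value sent separately from the SQL text. It runs against a constructed in-memory SQLite database so it works without a MySQL server; the MySQL DSN in the comment, the users table and the findUser() function are assumptions, and the type declarations need PHP 7.1 or later.

```php
<?php
// Added example, not from the question or any answer. Fixture and table
// are constructed; swap the DSN for e.g.
// "mysql:host=localhost;dbname=app;charset=utf8mb4" plus user/password on MySQL.
declare(strict_types=1);

function connect(string $dsn, ?string $user = null, ?string $pass = null): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepare on MySQL: SQL and values travel apart
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// The statement is compiled with a placeholder; $username is bound as a value
// afterwards, so no quote, backslash or keyword in it can alter the query.
// trim() from the old clean() can stay as input normalisation; escaping cannot.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => trim($username)]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Constructed fixture: an in-memory SQLite database with two users, inserted
// through the same placeholder mechanism.
$pdo = connect('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO users (username) VALUES (:u)');
foreach (['alice', "o'brien"] as $u) {
    $ins->execute([':u' => $u]);
}

var_dump(findUser($pdo, 'alice'));       // ['id' => 1, 'username' => 'alice']
var_dump(findUser($pdo, "o'brien"));     // the apostrophe needs no escaping: ['id' => 2, 'username' => "o'brien"]
var_dump(findUser($pdo, "' OR '1'='1")); // NULL: compared as a literal username, no row matches
```

The same applies to mysqli: mysqli_prepare() plus mysqli_stmt_bind_param() gives the same separation of query text and data, so neither API needs a clean()-style escaping function for values in a query.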

If you are not using PDO (which is highly recommended), you should use the mysqli_* functions. In it you have the mysqli_real_escape_string() function to sanitize user inputs. And you can also utilize the filter_var() function to filter the inputs.

Abhishek


I highly recommend upgrading to PHP 7.2.

To answer your question though, using the htmlspecialchars() function will convert special characters into HTML entities.

http://php.net/manual/en/function.htmlspecialchars.php

Example: htmlspecialchars()

<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>

Although it's more common to use htmlentities() since it will convert a wider range of characters.

http://php.net/manual/en/function.htmlentities.php

Example: htmlentities()

<?php
$str = "A 'quote' is <b>bold</b>";

// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str);

// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str, ENT_QUOTES);
?>