
I just inherited a big project and I have to re-secure it. It is written in CodeIgniter (PHP); unfortunately it is too late to do PDO and binding for the whole thing, as it is built on mysqli. So I am thinking of using hooks to pre-process (input sanitize) the POST and GET requests before they get to the controllers (basically do string escaping etc.). Any ideas or recommendations about that?

Thanks. Mike.

OAH

1 Answer


Pre-processing $_GET and $_POST is the idea behind PHP's Magic Quotes feature. It turned out to be a bad idea, so PHP deprecated it and finally removed it in PHP 7.0. It was a bad idea because it attempts to be a one-size-fits-all solution, and that doesn't account for many legitimate cases when you don't want your form inputs pre-processed.

It's not too late to use parameterized queries if the current app is built on mysqli, it's just going to take some work.

You don't have to switch to PDO. You can do parameter binding with mysqli too. See the example in the docs for mysqli_prepare(), or this popular Stack Overflow answer: How can I prevent SQL injection in PHP?

For what it's worth, at my previous job I converted the admin module for a PHP app from old "mysql" API to use PDO, using parameter binding for all dynamic values. It didn't take long, about half a day. I modified database calls in fewer than 100 files. It helped a lot to create one helper function that takes an SQL string and an array, and it would run PDO prepare() and execute() and fetchAll(), handling errors properly for each step.

$resultSet = QueryWithParams($sqlQuery, $paramArray);

If you do continue using string-escaping, use mysqli_real_escape_string(). Don't try to write your own function to do escaping.

Bill Karwin
  • Fantastic answer. It clears up a lot of aspects. I will implement your notes and will let you know how it goes with the project. – OAH Mar 28 '19 at 15:12
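An added worked example, not code from the question or the answer above: a mysqli helper in the shape the answer describes (one function taking an SQL string and a parameter array, with prepare/execute/fetch and error handling in one place), shown next to the concatenated query it replaces. The `users` table, its columns, the `QueryWithParams` signature and the connection details are assumptions made for illustration; `get_result()` requires the mysqlnd driver.

```php
<?php
// Added example for the answer above; not the original poster's code.
// Assumed schema: users(id INT, email VARCHAR, role VARCHAR). Connection
// details below are placeholders. Requires mysqlnd for get_result().

// Make every mysqli failure an exception so a failed prepare() or execute()
// cannot be silently ignored and fall through to a later query.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Run a parameterized query and return all rows as associative arrays.
 * $sql uses ? placeholders; every dynamic value goes through $params and is
 * sent to the server separately from the SQL text, never interpolated.
 */
function QueryWithParams(mysqli $db, string $sql, array $params = []): array
{
    $stmt = $db->prepare($sql);
    if ($params !== []) {
        // Build the bind_param type string from the PHP types of the values.
        $types = '';
        foreach ($params as $p) {
            $types .= is_int($p) ? 'i' : (is_float($p) ? 'd' : 's');
        }
        $stmt->bind_param($types, ...$params);
    }
    $stmt->execute();
    $result = $stmt->get_result();           // false for non-SELECT statements
    $rows = $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
    $stmt->close();
    return $rows;
}

// Before: string concatenation. Escaping $_GET in a hook does not help here,
// because the value is used as a number rather than inside quotes: the input
// "1 OR 1=1" contains no quote or backslash for real_escape_string to touch,
// so the query becomes ... WHERE id = 1 OR 1=1 and returns every user.
function findUserVulnerable(mysqli $db, string $id): array
{
    $escaped = $db->real_escape_string($id);
    $sql = "SELECT id, email, role FROM users WHERE id = " . $escaped;
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// After: the same lookup with a bound parameter. The input is compared as a
// value; "1 OR 1=1" is cast to 1 and can never become part of the SQL.
function findUser(mysqli $db, string $id): array
{
    return QueryWithParams($db, 'SELECT id, email, role FROM users WHERE id = ?', [(int) $id]);
}

// Binding does not interpret LIKE wildcards, so if the user must not be able
// to widen the match, escape % and _ in the fragment before building the
// pattern (backslash is MySQL's default LIKE escape character).
function searchUsers(mysqli $db, string $fragment): array
{
    $pattern = '%' . addcslashes($fragment, '%_\\') . '%';
    return QueryWithParams($db, 'SELECT id, email FROM users WHERE email LIKE ?', [$pattern]);
}

$db = new mysqli('localhost', 'app', 'secret', 'appdb'); // placeholder credentials
var_dump(findUser($db, $_GET['id'] ?? '0'));
```

With the helper in place, converting the existing mysqli calls is mostly mechanical: replace each concatenated value with a `?` and move it into the array. The one thing binding cannot do is parameterize identifiers (table or column names) or `ORDER BY` directions; those must still be checked against a fixed allow-list in PHP before being spliced into the SQL string.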