3

Possible Duplicate:
PHP: the ultimate clean/secure function

I found this code snippet here: http://snipplr.com/view/12853/clean-variables-from-sql-injections/

The author claims:

This little function helps to fight common security issue with SQL injections, it can sanitize any global variable like $POST, $GET, $_SERVER etc and escape unsafe characters.

Is this code safe?

// Recursively applies the same transformation to every element of an array;
// for a scalar, undoes magic quotes if they are on, HTML-encodes the value
// (including both quote characters) and then doubles every backslash.
// Note: get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in 8.0.
function _clean($str){
  return is_array($str) ? array_map('_clean', $str) : str_replace("\\", "\\\\"
       , htmlspecialchars((get_magic_quotes_gpc() ? stripslashes($str) : $str)
       , ENT_QUOTES));
}

//usage call it somewhere in beginning of your script
// _clean() returns a new value and does not modify its argument, so the
// result has to be assigned back to the superglobal for it to have any effect
$_POST    = _clean($_POST);
$_GET     = _clean($_GET);
$_REQUEST = _clean($_REQUEST);// and so on..

Please enlighten me whether this is safe, 'cause it looks jury-rigged to me.

Community
Johan

4 Answers

4

Generic code cleaning functions are always a bad idea. They will break your data in one way or the other. Never use them; sanitize data right before it gets used, with the right sanitation method for the intended use.

Duplicate: PHP: the ultimate clean/secure function

Community
Pekka
0

Just use mysql_real_escape_string if you need to escape special characters for a mysql database. I'd figure other databases support similar functions too.

This snippet tries some silly replaces and may be pretty safe, but could just as well mess up your data too. Why reinvent the wheel?

GolezTrol
0

Why wouldn't you just use the built-in escaping/parameterizing functionality for your database? I agree with it looking jury-rigged, go with the function built by the people who made the database library.

jaycee
0

It's not safe (no addslashes or mysql_real_escape_string there), and not optimal in performance either (get_magic_quotes_gpc being called for each variable).

OZ_