3

I'm trying to figure out how to prevent sqlinjection, I wrote this basic function : function 

antiInjectie($inputfromform){
    $temp = str_replace("'", "`",$inputfromform);
    $temp = str_replace("--", "~~",$temp);
    return htmlentitites($temp);
}

However someone told me to also take hex values in consideration, but how do I do this?

Update I'm stuck with MDB2 and pgsql

Cœur
  • 37,241
  • 25
  • 195
  • 267
Lucas Kauffman
  • 6,789
  • 15
  • 60
  • 86

4 Answers4

6

Bobby-Tables has a good guide to preventing SQL injection.

In short: Don't twiddle with the input yourself, use database API methods that allow bound parameters.

Cœur
  • 37,241
  • 25
  • 195
  • 267
Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
  • 1
    Bobby tables is not a "great link." – Darth Egregious Dec 17 '15 at 14:57
  • Engaging example showing why the problem is a problem? Check. Explanations of how to deal with the problem in a variety of languages? Check. Invitation to supply improvements or report issues? Check. Seems pretty great here. – Quentin Dec 17 '15 at 14:59
2

With MDB2 you can do the same as with PHP’s native PDO abstraction that was proposed in related question Best way to stop SQL Injection in PHP. You can either use a prepared statement with prepare and execute or by quoting and inserting the values manually.

Community
  • 1
  • 1
Gumbo
  • 643,351
  • 109
  • 780
  • 844
2

Use pg_query_params(), the most easy function to avoid SQL injection using PHP and PostgreSQL.

Frank Heikens
  • 117,544
  • 24
  • 142
  • 135
1

First, don't write any escapting function yourself. They're very likely to be broken and the database library is very likely to contain a proper one. For mysql you can use mysql_real_escape_string.

A much better longterm solution though is not to create your full query as text, but rather use prepared queries and pass the values during execution. For mysql, check the mysqli extension.

viraptor
  • 33,322
  • 10
  • 107
  • 191