0

I'm using the following function to protect my db from injection attacks etc. for GETs.

function filter($data) {
    global $db;
    $data = trim(htmlentities(strip_tags($data)));
    if (get_magic_quotes_gpc())
        $data = stripslashes($data);

    $data = $db->real_escape_string($data);

    return $data;
}

foreach($_GET as $key => $value) {
    $data[$key] = filter($value);
}

Question is, I want to filter not only $_GET but $_POST too. How to do that?

And can I reassign the value to $_GET or $_POST after filtering? I mean $_GET[$key] = filter($value); instead of $data[$key] = filter($value);?

hakre
Tural Ali

4 Answers

6

Don't pre-escape your variables, escape them only at the time you need to escape them.

  • If you prematurely escape your variable, you'll never know which variable is escaped, and which is not
  • You'll have to unescape your variables before doing string manipulations, and re-escape them after
  • Variables coming from different sources (like from an API, from a file or even from your database) won't be escaped. You'll forget to escape them.
  • You'll have to un-escape all your variables before printing them (you don't want to print the \', I guess)
  • You can't escape a variable for every possible situation. What about escaping them with escapeshellcmd too ?

PHP did this in the past. It was called magic_quotes_gpc.

But it's so bad practice that it's now deprecated, and it will be removed from the next version of PHP.

It's better to just escape everything at the time you need to. You print a variable ? escape it. You don't have to remember if it's already escaped or not: it's not.

Arnaud Le Blanc
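An added example of the approach this answer describes, escaping at each sink in that sink's own encoding, with request data kept raw in between. It is not code from the question or from any answer. It assumes PHP with the pdo_sqlite extension so the SQL sink can run against an in-memory database; the request value and the users table are constructed inline.

```php
<?php
// Added example (not from the question or the answers): keep request data raw
// and escape at each sink, in that sink's own encoding. Assumes pdo_sqlite is
// available; the user table and the request value are constructed here.

// Constructed request value: an apostrophe and an HTML tag, kept raw.
$_GET['name'] = "O'Reilly <script>alert(1)</script>";

// 1. SQL sink: bind a parameter, never interpolate and never pre-escape.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $_GET['name']]);   // sent as data, not as SQL text

$select = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$select->execute([':name' => $_GET['name']]);
$stored = $select->fetchColumn();               // round-trips unchanged

// 2. HTML sink: escape for HTML exactly where the output happens.
$html = '<p>Hello, ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '</p>';

// 3. Shell sink: escapeshellarg, which htmlentities cannot substitute for.
$cmd = 'echo ' . escapeshellarg($stored);

// 4. JavaScript sink: json_encode with the flags that also neutralise </script>.
$js = 'var name = ' . json_encode($stored, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT) . ';';

// What pre-escaping breaks: string handling on already-escaped data.
// The stored value would be O&#039;Reilly &lt;script&gt;..., so a length
// check, a LIKE 'O'R%' lookup or the shell sink would all see the wrong string.
$preEscaped = htmlentities($_GET['name'], ENT_QUOTES, 'UTF-8');
printf("raw length %d, pre-escaped length %d\n", strlen($_GET['name']), strlen($preEscaped));

echo $html, "\n", $cmd, "\n", $js, "\n";
```

Each sink escapes once, at the point of use, so no code path has to guess whether a value is already escaped; the raw value stays comparable, searchable and measurable in the meantime.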
1

This function makes no sense.
And it doesn't filter anything.
And shouldn't be used this way.

To protect your db from injection attacks you shouldn't do most of the things present in this function and should do many things not present there.

To protect only strings (data chunks enclosed in quotes) from injection attacks you have to use $db->real_escape_string and nothing else.
To protect other query parts you have to use other procedures, as real_escape_string becomes utterly useless for them.

To protect your app from "etc attacks" you have to define what this "etc" is first.

Your Common Sense
0
// array_walk ignores the callback's return value, so the question's filter()
// must be applied through a by-reference parameter for the superglobal to change
$apply = function (&$value) { $value = filter($value); };
array_walk($_GET, $apply);
array_walk($_POST, $apply);
array_walk($_COOKIE, $apply);
sathia
  • You can put it wherever you want, probably in your config file. When this function is parsed, for each element of your _GET _POST _COOKIE array you will run the filter function you have defined. php.net/array_walk – sathia Sep 19 '11 at 16:53
  • While I agree that the function he made is pretty useless and most probably wrong, the guy didn't ask "how do I correctly escape variables", he asked "how to reassign values to _GET _POST" with his function. Nonetheless I agree that he shouldn't put that code anywhere. – sathia Sep 19 '11 at 17:02
  • So, he asks how to shoot himself in the leg, and you jump to help. Thank you, Mr. Good Samaritan – Your Common Sense Sep 19 '11 at 17:16
-1

You should probably filter the $key too in case you use it in the query later, but if possible you should use mysql prepared statements and bind variables.

http://www.ultramegatech.com/blog/2009/07/using-mysql-prepared-statements-in-php/

You can change $_GET and $_POST.

Bluewind
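An added example covering this answer's two points (the $key, i.e. an identifier, needs its own handling, and bound parameters are the fix for values) and the point in Your Common Sense's answer that real_escape_string only helps inside a quoted string literal. It is not code from the page. It assumes PHP with pdo_sqlite and builds its own table and request values; the request values are constructed to be hostile.

```php
<?php
// Added example (not from the question or the answers). Shows which query
// parts real_escape_string can and cannot protect, and what to use instead.
// Assumes pdo_sqlite; the table and the "request" values are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice','admin'), ('bob','user'), ('carol','user')");

// Constructed attacker-controlled request, as the question's loop would see it.
$_GET = ['id' => '1 OR 1=1', 'sort' => 'name; --', 'name' => "x' OR '1'='1"];

// (a) Unquoted numeric part. real_escape_string only escapes NUL, \n, \r, \, ', "
//     and Ctrl-Z; "1 OR 1=1" contains none of them, so escaping changes nothing.
$unsafe = 'SELECT id FROM users WHERE id = ' . $_GET['id'];
$hit = $pdo->query($unsafe)->fetchAll(PDO::FETCH_COLUMN);   // all three ids come back

// Fix: bind it, and cast to int so it can only ever be a number.
$stmt = $pdo->prepare('SELECT id FROM users WHERE id = :id');
$stmt->execute([':id' => (int) $_GET['id']]);                // "1 OR 1=1" casts to 1
$safe = $stmt->fetchAll(PDO::FETCH_COLUMN);                  // just [1]

// (b) Identifier, the $key case. Placeholders cannot bind a column name and
//     quote escaping is irrelevant here, so the only control is a whitelist.
$allowedSort = ['id', 'name', 'role'];
$sort = in_array($_GET['sort'], $allowedSort, true) ? $_GET['sort'] : 'id';
$rows = $pdo->query("SELECT name FROM users ORDER BY $sort")->fetchAll(PDO::FETCH_COLUMN);

// (c) Quoted string part: the one place real_escape_string works, but a bound
//     parameter needs no escaping at all and cannot be forgotten per call.
$stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name');
$stmt->execute([':name' => $_GET['name']]);
$byName = $stmt->fetchAll(PDO::FETCH_COLUMN);                // [] : no such user

printf("unsafe: %s | cast+bound: %s | sort by %s: %s | by name: %s\n",
    implode(',', $hit), implode(',', $safe), $sort, implode(',', $rows), json_encode($byName));
```

The three cases map onto the three kinds of query part: values (strings and numbers) go through placeholders, identifiers go through a whitelist, and nothing from the request is ever concatenated into the SQL text as-is.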