I have a function that checks user input and wanted to know if it protects against all attacks of this sort. Also, if I wanted to include this function on each page that needed it, could I put it in a PHP page of its own and then 'include()' it into those pages where it's required? Thanks.

```php
function secure_data($value)
{
    // Undo the automatic escaping added by magic_quotes_gpc (PHP < 5.4),
    // so the value is not escaped twice below.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Escape the value for use inside a quoted string in a MySQL query;
    // fall back to addslashes() when the mysql extension is not loaded.
    if (function_exists("mysql_real_escape_string")) {
        $value = mysql_real_escape_string($value);
    } else {
        $value = addslashes($value);
    }
    return $value;
}
```
Andy Lobel
  • The key in your question lies in explaining what you mean by "attacks of this sort". If you know which sorts, you can better research how to protect against them. – Arend Dec 30 '11 at 01:47
  • What are you trying to protect? It may seem that you are trying to protect against SQL injection. If that is the case you should rather just use PDO. – Audun Larsen Dec 30 '11 at 01:48

1 Answer

Since you're using quotes, I'm assuming that your main question is how to protect against SQL injections, if I'm not mistaken. (Note: securing against SQL injection is something else than securing against, for example, Cross Site Scripting, and will not guarantee you a secure application!)

The best solution for SQL injection is not to use this function, but to use prepared statements with either mysqli or PDO. (See: How can I prevent SQL injection in PHP?)

Other interesting links:

Background information on sql injection: https://www.owasp.org/index.php/SQL_Injection

Other validation: http://www.faqs.org/docs/gazette/superglobals.html

Input validation from OWASP: https://www.owasp.org/index.php/Input_Validation

Arend
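As an added example (not code from the question or the answer above), here is the prepared-statement approach the answer recommends, using PDO. The DSN, credentials, the `users` table and its `email` column are assumptions for the sake of the example.

```php
<?php
// Added example: PDO prepared statements instead of escaping values by hand.
// Connection details, table and column names below are assumed.

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            // Throw on errors instead of silently returning false.
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            // Use real server-side prepares: the user value is sent to the
            // server separately from the SQL text and is never parsed as SQL.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// The pattern secure_data() is meant to protect: the user-controlled value is
// spliced into the SQL string itself, so escaping is the only line of defence.
//   $sql = "SELECT id, name FROM users WHERE email = '" . $_GET['email'] . "'";
//
// Hardened form: the query text is fixed and the value travels as a bound
// parameter, so there is nothing to escape.
function findUserByEmail(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escaping helpers only cover values placed between quotes in the SQL text.
// Bound parameters cover values in any position, but table/column names and
// ORDER BY / LIMIT fragments cannot be bound and must be whitelisted instead.
$pdo = connect();
$user = findUserByEmail($pdo, $_GET['email'] ?? '');
var_dump($user);
```

Put `connect()` and the query helpers in their own file and `require_once` it from each page that needs them, which also answers the include question.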