MySQL Injection Prevention

keith_at_1stDNS

I am looking for the best MySQL Post Injection proofing control.

Currently I use

function inputclean($data) {
	// Strip all HTML from the input
	$data = strip_tags($data);

// Stripslashes
if (get_magic_quotes_gpc()) {
	$data = stripslashes($data);
}

// Quote if not a number or a numeric string
if (!is_numeric($data)) {
	$data = "'" . mysql_escape_string($data) . "'";
}

return $data;
}

I know there are better more secure ways of checking input just difficult to know what function to use?

Any help would be great.

Thanks

MarkR

Stripping tags from the input does not prevent SQL injection, however it does corrupt potentially valid input by removing tags that you might have wanted.

The solution in every case is to use the appropriate escaping function, at the time that you do the query.

Parameterised queries are even better.

There is no magic bullet, you can't iterate $_POST or anything, because you won't know at that point what is going to be done with stuff.

This is what magic_quotes_gpc does, and it incorrectly escapes things that don't need escaping, resulting in massive annoying data corruption.

Mark

Moharo

Try escaping potentially unwanted SQL commands:

function escape_sql_commands($string)
{
return eregi_replace("ALTER|DROP|DELETE|REPLACE","",$string);
}

🙂

Roger_Ramjet

The problem SQL Injection Attacks
The solution mysql real escape string

Use the solution on ALL query input no matter where it comes from, not just user form input but also cookies and url params as these are very easy to manipulate.

bradgrafelman

As MarkR said, using a function like [man]springf/man and working with the data at the time of the query is the most ideal solution, because you know what the data should look like and can therefore take special steps to clean it up.

For example, if you're expecting a numeric amount for a field, use something like [man]intval/man. Or, if you don't want HTML used, use something like [man]strip_tags/man, etc. etc.

suntra

mysql_real_escape_string() should be used instead of mysql_escape_string() because it takes in consideration the locale used for the connection...

MarkR

Escaping "potentially unwanted SQL commands" is pretty useless because it will corrupt your data, and won't prevent injections.

It will however, stop legitimate English text from going through correctly.

Mark