SQL Injection problem

AndreF

Hello,

I wrote a code like this:

function fetch_database($fetch_info){

global $db_host, $db_user, $db_pass, $db_name, $results, $num;

                            $link = mysql_connect($db_host, $db_user, $db_pass) or die ("<font class=\"warning\">Couldn't connect to the database!<br>". mysql_errno() . " : " . mysql_error()."</font>");

      mysql_select_db($db_name, $link) or die ("<font class=\"warning\">Could not select database!<br>". mysql_errno() . " : " . mysql_error()."</font>");

                            $query = mysql_query($fetch_info, $link) or die ("<font class=\"warning\">Could'nt update the information.<br>". mysql_errno() . " : " . mysql_error()."</font>");

                           if (mysql_num_rows($query) > 0 ){
                                      $num = mysql_num_rows($query);
                                      $results = array();
                                      while ($row = mysql_fetch_assoc($query)) {
                                      $results[] = $row;
                                      }
                           }

                            mysql_close($link);

return true;
}

This code gets $db_host, $db_user, $db_pass, $db_name variables from config.php file by globaling them.

wherever in my code I could have:
$fetch_info = "SELECT*FROM table";
fetch_database($fetch_info);

by calling this function I can pass a query and get an associative array from results in $results array. then I can have for example $results[0][username] etc. the first dimention is row number. second dimention is coloumn name.

as you can see this code is still vulnerable for SQL Injection attack.

so I wrote this one where I want to pass a query to this function:

$link = mysql_connect($db_host, $db_user, $db_pass) or die ("Couldn't connect to the database!<br>". mysql_errno() . " : " . mysql_error());

    if(get_magic_quotes_gpc()) {
        $username        = stripslashes($_POST['username']);
    } else {
        $username        = $_POST['username'];
    }

$fetch_info = sprintf("SELECT admin_id, admin_pswrd, permission FROM admin WHERE admin_user_name = '%s'", mysql_real_escape_string($username, $link));
fetch_database($fetch_info);

it works fine but as you can see this code is not yet professionally written.

Can anyone re-write this as a class or function in a very professional way, that I can pass any $POST thing to it? we won't know what is the key and value of $POST so I think first we should parse the array and run stripslasshes if gpc is on then re-make it as an array to pass to the code, also we won't know how many $_POST thing we have that we would know how many real_escale_string is necessary there.

so the only solution is coding it as a class rather than function, but I don't know OOP. can anyone help me re-conding it? I'll appreciate your time.

Regards,

Scriptmaker

http://www.php.net/mysql_real_escape_string

function CleanArray($array) {
foreach ($array as $key => $value) {
$array[$key] = mysql_real_escape_string($value);
}
return $array;
}

Usage: $POST = CleanArray($POST);

http://snipplr.com/view.php?codeview&id=2511

function mysql_real_escape_array($t){
    return array_map("mysql_real_escape_string",$t);
}

Usage: $POST = mysql_real_escape_array($POST)

AndreF

Thank you, I made this function, however it works fine but for sure, please review it from professional coding viewpoint. I'll appreciate your time.

function CleanParamArray($array) {

         global $db_host, $db_user, $db_pass, $db_name;

         if (get_magic_quotes_gpc()) {
             foreach ($array as $key => $value) {
                      $array[$key] = stripslashes($value);
            }
        }

        $link = mysql_connect($db_host, $db_user, $db_pass) or die ("Couldn't connect to the database!<br>". mysql_errno() . " : " . mysql_error());

        return array_map("mysql_real_escape_string",$array);

        mysql_close($link);

}
// end of function

    $_POST = CleanParamArray($_POST);

    $fetch_info = "SELECT admin_id, admin_pswrd, permission FROM admin WHERE admin_user_name = '$_POST[username]'";
    fetch_database($fetch_info);

first, with CleanParamArray we create a safe $POST or even $GET array then with that safe array we make the query as $fetch_info then pass it to fetch_databse function to run the sql, the source of fetch_databse is in my last post.

Please review it then let me know what do you think of this coding?

AndreF

another question:
why not using addslashes instead of real_escape_string?

simply something like this:

function CleanParamArray($array) {

         if (!get_magic_quotes_gpc()) {
             foreach ($array as $key => $value) {
                      $array[$key] = addslashes($value);
             }
         }

return $array;
}

because of my coding structure isn't this one better? in my last post, once we should connect to db to use real_escape_string and again connecting to run the query. so isn't it this one better for me to run db connecting once to make the code faster?

any feedback please?