Hi there!

2009/5/6 Igor Escobar <titiolinkin@xxxxxxxxx>
>
> Hi folks,
> Does someone know how I can improve this function to protect my environment
> vars from SQL injection attacks?
>
> That is the function I use to do this, but some people think it is not enough:
>
> /**
>  * @uses $_REQUEST = _antiSqlInjection($_REQUEST);
>  * @uses $_POST = _antiSqlInjection($_POST);
>  * @uses $_GET = _antiSqlInjection($_GET);
>  *
>  * @author Igor Escobar
>  * @email blog [at] igorescobar [dot] com
>  *
>  */
>
> function _antiSqlInjection($Target){
>     // keywords and characters to strip from every value (case-sensitive)
>     $sanitizeRules =
>         array('OR','FROM','SELECT','INSERT','DELETE','WHERE','DROP TABLE',
>               'SHOW TABLES','*','--','=');
>     $arraSanitized = array();
>     foreach($Target as $key => $value):
>         if(is_array($value)):
>             $arraSanitized[$key] = _antiSqlInjection($value);
>         else:
>             $arraSanitized[$key] =
>                 addslashes(strip_tags(trim(str_replace($sanitizeRules,"",$value))));
>         endif;
>     endforeach;
>     return $arraSanitized;
> }
>
> Can you help me to improve them?

What if someone posts, in any form of your app, a message containing "or",
"from" or "where"? Those are very common words, and eliminating them is not
the best solution, IMO.

Use mysql_real_escape_string() like Shawn said; possibly something like this
would do the trick (from http://br2.php.net/manual/en/function.mysql-query.php):

$query = sprintf("SELECT firstname, lastname, address, age FROM friends
                  WHERE firstname='%s' AND lastname='%s'",
                 mysql_real_escape_string($firstname),
                 mysql_real_escape_string($lastname));

Cheers,
Bruno.

>
>
> Regards,
> Igor Escobar
> Systems Analyst & Interface Designer
>
> --
>
> Personal Blog
> ~ blog.igorescobar.com
> Online Portfolio
> ~ www.igorescobar.com
> Twitter
> ~ @igorescobar

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
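As an added example (not code from the thread), the quoted blacklist run over ordinary, legitimate input next to a parameterised query, the approach that has since replaced mysql_real_escape_string(); PDO with an in-memory sqlite table and the constructed rows are assumptions, the "friends" table and its columns follow Bruno's snippet:

```php
<?php
// Added example, not from the original thread. Assumes the pdo_sqlite extension.

// The blacklist from the quoted function, applied exactly the same way.
$sanitizeRules = array('OR','FROM','SELECT','INSERT','DELETE','WHERE',
                       'DROP TABLE','SHOW TABLES','*','--','=');

function stripKeywords($value, array $rules) {
    return addslashes(strip_tags(trim(str_replace($rules, "", $value))));
}

// Constructed, harmless inputs. str_replace() is case-sensitive, so the damage
// lands on upper-case text and on punctuation that users type every day.
$legit = array(
    'MAJOR CORP',          // becomes "MAJ CP"     ('OR' stripped twice)
    'a=b in SELECT list',  // becomes "ab in  list"
    "O'Reilly",            // becomes "O\'Reilly"  (escaping for one dialect only)
);
foreach ($legit as $in) {
    printf("%-22s -> %s\n", $in, stripKeywords($in, $sanitizeRules));
}

function findFriends(PDO $pdo, $firstname, $lastname) {
    // Bound parameters keep the data out of the SQL text, so nothing has to be
    // stripped or escaped by hand and the values reach the table unchanged.
    $stmt = $pdo->prepare('SELECT firstname, lastname, address, age FROM friends'
                        . ' WHERE firstname = :first AND lastname = :last');
    $stmt->execute(array(':first' => $firstname, ':last' => $lastname));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed table and rows so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE friends (firstname TEXT, lastname TEXT, address TEXT, age INTEGER)');
$ins = $pdo->prepare('INSERT INTO friends VALUES (?, ?, ?, ?)');
$ins->execute(array('Tim', "O'Reilly", '1 Main St', 50));
$ins->execute(array('MAJOR', 'CORP', '2 Side Rd', 30));

print_r(findFriends($pdo, 'Tim', "O'Reilly"));   // one row, apostrophe intact
print_r(findFriends($pdo, 'MAJOR', 'CORP'));     // one row, nothing stripped
```

The first loop shows the false positives Bruno describes; the prepared statement returns both rows because the driver, not string surgery, separates data from SQL.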