Solved

Protection against SQL injection while magic quote is off

Posted on 2007-04-05
9
214 Views
Last Modified: 2012-05-05
If magic quotes is turned off, how can you protect against SQL injection in this case?

I tried this code suggested by security book:

if (get_magic_quotes_gpc()) {
    $input = array(&$_GET, &$_POST, &$_COOKIE, &$_ENV, &$_SERVER);
    while (list($k,$v) = each($input)) {
        foreach ($v as $key => $val) {
            if (!is_array($val)) {
            $input[$k][$key] = stripslashes($val);
            continue;
            }
        $input[] =& $input[$k][$key];
        }
    }
    unset($input);
}

But it didnt do it!

Thanks for your help!
0
Comment
Question by:bprof2007
  • 4
  • 3
  • 2
9 Comments
 
LVL 27

Expert Comment

by:yodercm
ID: 18859537
Pass all your inputs through the function htmlentities with the ENT_QUOTES option.

$safeinput = htmlentities($input,ENT!QUOTES):
0
 
LVL 27

Expert Comment

by:yodercm
ID: 18859541
Sorry for the typo.

$safeinput = htmlentities($input,ENT_QUOTES);
0
 
LVL 28

Expert Comment

by:gamebits
ID: 18859565
You van also use

mysql_real_escape_string()

http://ca.php.net/manual/en/function.mysql-real-escape-string.php
0
 
LVL 27

Expert Comment

by:yodercm
ID: 18859594
Keep in mind that mysql_real_escape_string is for MySQL commands, it is not a general php function that would work for an array.
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 1

Author Comment

by:bprof2007
ID: 18859621
Thanks for the prompt response. I've tried it and it gave me the same results:

test's test ''' test'''

But this is how it should look when magic quotes is on:

test\'s test \'\'\' test\'\'\'
0
 
LVL 28

Expert Comment

by:gamebits
ID: 18859666
0
 
LVL 1

Author Comment

by:bprof2007
ID: 18859723
Thanks gamebits,

I tried

mysql_real_escape_string()

but when magic quotes is off it does NOT work. I mean it gives me this:

test's test ''' test'''

Instead of this:

test\'s test \'\'\' test\'\'\'
0
 
LVL 27

Accepted Solution

by:
yodercm earned 250 total points
ID: 18859771
htmlentities does NOT add slashes into your input.  It changes the string to use the & html codes for all special characters.  That's what makes it so safe and so convenient for things you want to print but still be safe.   So when you print the results, you'll still see the quotes, but if you look in the database for example, you'll see &#34 or &#39.  

http://www.ascii.cl/htmlcodes.htm

0
 
LVL 1

Author Comment

by:bprof2007
ID: 18859834
Thank you yodercm. I need something like that.

Thanks gamebits for your contribution.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Introduction HTML checkboxes provide the perfect way for a web developer to receive client input when the client's options might be none, one or many.  But the PHP code for processing the checkboxes can be confusing at first.  What if a checkbox is…
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now