Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Protection against SQL injection while magic quote is off

Posted on 2007-04-05
9
Medium Priority
?
221 Views
Last Modified: 2012-05-05
If magic quotes is turned off, how can you protect against SQL injection in this case?

I tried this code suggested by security book:

if (get_magic_quotes_gpc()) {
    $input = array(&$_GET, &$_POST, &$_COOKIE, &$_ENV, &$_SERVER);
    while (list($k,$v) = each($input)) {
        foreach ($v as $key => $val) {
            if (!is_array($val)) {
            $input[$k][$key] = stripslashes($val);
            continue;
            }
        $input[] =& $input[$k][$key];
        }
    }
    unset($input);
}

But it didnt do it!

Thanks for your help!
0
Comment
Question by:bprof2007
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 27

Expert Comment

by:Cornelia Yoder
ID: 18859537
Pass all your inputs through the function htmlentities with the ENT_QUOTES option.

$safeinput = htmlentities($input,ENT!QUOTES):
0
 
LVL 27

Expert Comment

by:Cornelia Yoder
ID: 18859541
Sorry for the typo.

$safeinput = htmlentities($input,ENT_QUOTES);
0
 
LVL 28

Expert Comment

by:gamebits
ID: 18859565
You van also use

mysql_real_escape_string()

http://ca.php.net/manual/en/function.mysql-real-escape-string.php
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 27

Expert Comment

by:Cornelia Yoder
ID: 18859594
Keep in mind that mysql_real_escape_string is for MySQL commands, it is not a general php function that would work for an array.
0
 
LVL 1

Author Comment

by:bprof2007
ID: 18859621
Thanks for the prompt response. I've tried it and it gave me the same results:

test's test ''' test'''

But this is how it should look when magic quotes is on:

test\'s test \'\'\' test\'\'\'
0
 
LVL 28

Expert Comment

by:gamebits
ID: 18859666
0
 
LVL 1

Author Comment

by:bprof2007
ID: 18859723
Thanks gamebits,

I tried

mysql_real_escape_string()

but when magic quotes is off it does NOT work. I mean it gives me this:

test's test ''' test'''

Instead of this:

test\'s test \'\'\' test\'\'\'
0
 
LVL 27

Accepted Solution

by:
Cornelia Yoder earned 1000 total points
ID: 18859771
htmlentities does NOT add slashes into your input.  It changes the string to use the & html codes for all special characters.  That's what makes it so safe and so convenient for things you want to print but still be safe.   So when you print the results, you'll still see the quotes, but if you look in the database for example, you'll see &#34 or &#39.  

http://www.ascii.cl/htmlcodes.htm

0
 
LVL 1

Author Comment

by:bprof2007
ID: 18859834
Thank you yodercm. I need something like that.

Thanks gamebits for your contribution.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
I imagine that there are some, like me, who require a way of getting currency exchange rates for implementation in web project from time to time, so I thought I would share a solution that I have developed for this purpose. It turns out that Yaho…
The viewer will learn how to count occurrences of each item in an array.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question