Solved

Protection against SQL injection while magic quote is off

Posted on 2007-04-05
9
216 Views
Last Modified: 2012-05-05
If magic quotes is turned off, how can you protect against SQL injection in this case?

I tried this code suggested by security book:

if (get_magic_quotes_gpc()) {
    $input = array(&$_GET, &$_POST, &$_COOKIE, &$_ENV, &$_SERVER);
    while (list($k,$v) = each($input)) {
        foreach ($v as $key => $val) {
            if (!is_array($val)) {
            $input[$k][$key] = stripslashes($val);
            continue;
            }
        $input[] =& $input[$k][$key];
        }
    }
    unset($input);
}

But it didnt do it!

Thanks for your help!
0
Comment
Question by:bprof2007
  • 4
  • 3
  • 2
9 Comments
 
LVL 27

Expert Comment

by:yodercm
ID: 18859537
Pass all your inputs through the function htmlentities with the ENT_QUOTES option.

$safeinput = htmlentities($input,ENT!QUOTES):
0
 
LVL 27

Expert Comment

by:yodercm
ID: 18859541
Sorry for the typo.

$safeinput = htmlentities($input,ENT_QUOTES);
0
 
LVL 28

Expert Comment

by:gamebits
ID: 18859565
You van also use

mysql_real_escape_string()

http://ca.php.net/manual/en/function.mysql-real-escape-string.php
0
Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

 
LVL 27

Expert Comment

by:yodercm
ID: 18859594
Keep in mind that mysql_real_escape_string is for MySQL commands, it is not a general php function that would work for an array.
0
 
LVL 1

Author Comment

by:bprof2007
ID: 18859621
Thanks for the prompt response. I've tried it and it gave me the same results:

test's test ''' test'''

But this is how it should look when magic quotes is on:

test\'s test \'\'\' test\'\'\'
0
 
LVL 28

Expert Comment

by:gamebits
ID: 18859666
0
 
LVL 1

Author Comment

by:bprof2007
ID: 18859723
Thanks gamebits,

I tried

mysql_real_escape_string()

but when magic quotes is off it does NOT work. I mean it gives me this:

test's test ''' test'''

Instead of this:

test\'s test \'\'\' test\'\'\'
0
 
LVL 27

Accepted Solution

by:
yodercm earned 250 total points
ID: 18859771
htmlentities does NOT add slashes into your input.  It changes the string to use the & html codes for all special characters.  That's what makes it so safe and so convenient for things you want to print but still be safe.   So when you print the results, you'll still see the quotes, but if you look in the database for example, you'll see &#34 or &#39.  

http://www.ascii.cl/htmlcodes.htm

0
 
LVL 1

Author Comment

by:bprof2007
ID: 18859834
Thank you yodercm. I need something like that.

Thanks gamebits for your contribution.
0

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Generating table dynamically is the most common issue faced by php developers.... So it seems there is a need of an article that explains the basic concept of generating tables dynamically. It just requires a basic knowledge of html and little maths…
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question