?
Solved

escaping input into db

Posted on 2009-07-13
4
Medium Priority
?
189 Views
Last Modified: 2012-05-07
Is the following function good enough to make sure my php app doesn't get hacked?
also will this allow html to be displayed corretly?
its for CMS so its has to deal with just about any kind of input.
function db_escape($values, $quotes = true) {
    if (is_array($values)) {
        foreach ($values as $key => $value) {
            $values[$key] = db_escape($value, $quotes);
        }
    }
    else if ($values === null) {
        $values = 'NULL';
    }
    else if (is_bool($values)) {
        $values = $values ? 1 : 0;
    }
    else if (!is_numeric($values)) {
        $values = mysql_real_escape_string($values);
        if ($quotes) {
            $values = '"' . $values . '"';
        }
    }
    return $values;
}

Open in new window

0
Comment
Question by:casit
  • 2
  • 2
4 Comments
 
LVL 4

Expert Comment

by:Xemorph
ID: 24846203
It looks fine to me.  I think it will prevent any SQL injection attacks, I don't know about making your app hack proof.

I would add cases for int or float and use intval() and floatval().  Just to cover all cases.
0
 

Author Comment

by:casit
ID: 24846225
and do what with them?
0
 
LVL 4

Accepted Solution

by:
Xemorph earned 1500 total points
ID: 24846247

function db_escape($values, $quotes = true) {
    if (is_array($values)) {
        foreach ($values as $key => $value) {
            $values[$key] = db_escape($value, $quotes);
        }
    }
    else if ($values === null) {
        $values = 'NULL';
    }
    else if (is_bool($values)) {
        $values = $values ? 1 : 0;
    }
    else if (!is_numeric($values)) {
        $values = mysql_real_escape_string($values);
        if ($quotes) {
            $values = '"' . $values . '"';
        }
    }
 
    // ADD THIS
    else if(is_float($values){
        $values = floatval($values);
    }
    else
        $values = intval($values);
    }
 
    // End with an else so we have a case for all possiable inputs.
    // If you find another possiable input, add it to the else if list.
    // I would always end on an else though, incase you did 
    // miss something
 
    return $values;
}

Open in new window

0
 

Author Comment

by:casit
ID: 24876494
thanks
0

Featured Post

[Webinar] Kill tickets & tabs using PowerShell

Are you tired of cycling through the same browser tabs everyday to close the same repetitive tickets? In this webinar JumpCloud will show how you can leverage RESTful APIs to build your own PowerShell modules to kill tickets & tabs using the PowerShell command Invoke-RestMethod.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After a recent Outlook migration from a 2007 to 2010 environment, some issues with Distribution List owners were realized. In this article, I explain how that was rectified.
This article explains how to move an Exchange 2013/2016 mailbox database and logs to a different drive.
The viewer will learn how to count occurrences of each item in an array.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

599 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question