PHP: Can this function prevent SQL injection?

Can this function prevent SQL injection?

function anti_sql_injection($query, $dblink) {
    $query = @trim($query);
    // Undo the slashes magic_quotes_gpc adds to request data, so the value is not escaped twice.
    // (get_magic_quotes_gpc() always returns false since PHP 5.4 and was removed in PHP 8.0.)
    if (get_magic_quotes_gpc()) {
        $query = stripslashes($query);
    }
    // Escape quotes, backslashes and NUL bytes for the given open link.
    // (The mysql_* extension was removed in PHP 7.0; mysqli/PDO are the replacements.)
    return mysql_real_escape_string($query, $dblink);
}

Thank you!
bxglxbxglx2000 asked:
Loganathan Natarajan, LAMP Developer, commented:
Yes, it will do, and make sure you have $dblink.
0

Ludwig Diehl, Systems Architect, commented:
If you check the result of your function you will notice that the given query will not be executed, as it will return a malformed query.

e.g.:

given: UPDATE form SET field1='a',field2='b' WHERE id=1;
returns: UPDATE form SET field1=\'a\',field2=\'b\' WHERE id=1;

So you can now do the following:

1. Use your anti_injection for each value you are going to update or insert, and then build your query.
2. Parse your query and escape only the values. Using preg_match to validate your query format would be a choice.

By the way, you should also use htmlentities to convert HTML tags.

0
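The difference between escaping the finished statement and escaping each value, as an added PHP example (not code from the question or from any of the answers). It runs offline against an in-memory SQLite database through PDO, so PDO::quote() stands in for mysql_real_escape_string($value, $dblink), which needs a live MySQL link; the table name form and the columns id, field1 and field2 come from Ludwig's UPDATE, while the row data and the injected value are constructed for this demonstration. The third variant, a prepared statement, is not mentioned in the thread; it is the standard replacement for hand-escaping today.

```php
<?php
// Added example, not from the original thread. PDO::quote() stands in for
// mysql_real_escape_string(); table/column names follow Ludwig's example;
// row data and the injected input are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Two rows, so we can tell "only id=1 changed" from "every row changed".
function reset_table(PDO $pdo): void {
    $pdo->exec("DROP TABLE IF EXISTS form");
    $pdo->exec("CREATE TABLE form (id INTEGER PRIMARY KEY, field1 TEXT, field2 TEXT)");
    $pdo->exec("INSERT INTO form (id, field1, field2) VALUES (1, 'x', 'y'), (2, 'x', 'y')");
}

// How many rows the UPDATE reached (field1 becomes 'a' on every row it touched).
function rows_changed(PDO $pdo): int {
    return (int) $pdo->query("SELECT COUNT(*) FROM form WHERE field1 = 'a'")->fetchColumn();
}

// Constructed attacker-controlled values. field2 closes the string literal,
// replaces the WHERE clause with one that matches every row and comments
// out the real "WHERE id=1".
$id     = 1;
$field1 = "a";
$field2 = "b' WHERE '1'='1' -- ";

// 1. Vulnerable: values are concatenated into the statement. Running the
//    asker's function over the *finished* statement would not help: it either
//    breaks the syntax (field1=\'a\') or leaves the injected clause intact.
reset_table($pdo);
$pdo->exec("UPDATE form SET field1='$field1', field2='$field2' WHERE id=$id");
printf("concatenated values: %d row(s) changed\n", rows_changed($pdo));

// 2. Ludwig's option 1: escape each value, then build the statement.
//    PDO::quote() returns the value already wrapped in quotes; with
//    mysql_real_escape_string() you add the quotes yourself. Escaping does
//    nothing for an unquoted numeric column, so the id is cast instead.
reset_table($pdo);
$sql = "UPDATE form SET field1=" . $pdo->quote($field1)
     . ", field2=" . $pdo->quote($field2)
     . " WHERE id=" . (int) $id;
$pdo->exec($sql);
printf("escaped values:      %d row(s) changed\n", rows_changed($pdo));

// 3. Prepared statement: values are sent separately from the statement text,
//    so there is nothing to escape and nothing to get wrong per call site.
reset_table($pdo);
$stmt = $pdo->prepare("UPDATE form SET field1 = :f1, field2 = :f2 WHERE id = :id");
$stmt->execute([':f1' => $field1, ':f2' => $field2, ':id' => $id]);
printf("prepared statement:  %d row(s) changed\n", rows_changed($pdo));
```

Run it with `php example.php` (needs the bundled pdo_sqlite driver). The concatenated variant reports both rows changed, because the injected `WHERE '1'='1'` replaced the real condition; the other two report one row, and the stored field2 is the literal text the attacker sent. Note the `(int)` cast in variant 2: per-value escaping only protects values that sit inside quotes, which is the part of the advice that is easiest to forget.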
mcbSolutions commented:
There is also a possibility to inject your SQL via the UNION keyword.

In my code the use of the semicolon and the UNION keyword is not allowed.
/** Tests the given query for SQL injection.
 *
 * Quoted string literals are stripped before the semicolon check, so a ';'
 * inside a value does not trip it; the UNION check runs on the raw query.
 *
 * @param string $query        Query to test
 * @param bool   $unionAllowed Only set to true when no variables are used in the query!!!
 * @return bool  true when the query passes
 */
function query_test($query, $unionAllowed = false)
{
   if (!$unionAllowed)
   {
      // Remove every "union" (case-insensitively); a change in length means the keyword was present.
      $tmp = str_replace(array("union"),
                         array(""),
                         strtolower($query));

      if (strlen($tmp) != strlen($query))
         return false;
   }
   // Strip single-quoted literals, escaped single quotes and double-quoted literals.
   $tmp = preg_replace(array("/'(.*?)'/s", "/\\\'/s", "/\"(.*?)\"/s"),
                       array("",           "",         ""),
                       trim($query));

   $pos = strpos($tmp, ";");

   // A semicolon is only allowed as the very last character (statement terminator).
   $res = $pos === false || $pos == strlen($tmp) - 1;

   if (!$res)
      ReportError($query, "not passed!", __METHOD__, __METHOD__, "sql");

   return $res;
}

/** Executes the SQL query after query_test() has accepted it.
 *
 * ReportError() is the poster's own logging helper and is not shown here;
 * mysql_query() uses the most recently opened mysql link.
 *
 * @param string $query        The query to execute
 * @param string $method       __METHOD__ of the caller (to find bugs)
 * @param bool   $unionAllowed Determines if the UNION keyword is allowed
 * @return mixed Result resource (or true for non-SELECT statements), or false
 */
function query($query, $method, $unionAllowed = false)
{
   if (query_test($query, $unionAllowed))
   {
      $res = mysql_query($query);
      if ($res === false)
         ReportError($query, mysql_errno() . " " . mysql_error(), __METHOD__, __METHOD__, "sql");
      else
         return $res;
   }

   return false;
}


0
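What the keyword filter above accepts and rejects, as an added example (not part of mcbSolutions' post): query_test() is copied verbatim from the answer and driven with a handful of constructed statements. ReportError() is the poster's own logging helper and does not appear in the thread, so the one-line version here is a stand-in that writes to stderr.

```php
<?php
// Added example, not from the original thread. query_test() is the poster's
// function as shown above; ReportError() is a stand-in for their helper;
// the sample statements are constructed.

function ReportError($query, $message, $method, $caller, $type) {
    fwrite(STDERR, "[$type] $method: $message: $query\n");
}

function query_test($query, $unionAllowed = false)
{
   if(!$unionAllowed)
   {
      $tmp = str_replace(array("union"),
                         array(""),
                         strtolower($query));

      if(strlen($tmp) != strlen($query))
         return false;
   }
   $tmp = preg_replace(array("/'(.*?)'/s","/\\\'/s", "/\"(.*?)\"/s"),
                       array(          "",       "",             ""),
                       trim($query));

   $pos = strpos($tmp, ";");

   $res = $pos === false || $pos == strlen($tmp)-1;

   if(!$res)
      ReportError($query, "not passed!", __METHOD__, __METHOD__, "sql");

   return $res;
}

// Constructed statements: the two checks the filter performs, one benign
// value that happens to contain the blocked keyword, and two injections
// that use neither UNION nor a semicolon.
$samples = [
    "UPDATE form SET field1='a' WHERE id=1"            => "ordinary statement",
    "SELECT id FROM form WHERE id=1;"                  => "trailing semicolon only",
    "SELECT id FROM form; DROP TABLE form"             => "stacked statement",
    "SELECT id FROM form WHERE field1='Union Pacific'" => "benign literal containing 'union'",
    "SELECT id FROM form WHERE field1='' OR '1'='1'"   => "tautology inside a quoted value",
    "SELECT id FROM form WHERE id=1 OR 1=1"            => "tautology in an unquoted number",
];

foreach ($samples as $sql => $description) {
    printf("%-8s  %-36s  %s\n",
           query_test($sql) ? "passes" : "rejected",
           $description,
           $sql);
}
```

The filter does what the post says: the stacked statement and anything containing the letters "union" are rejected (including the benign literal, because the keyword check runs on the whole lowercased query before literals are stripped). The last two statements contain neither a semicolon nor UNION, so they pass unchanged; the filter is a check on statement shape, and the values still have to be escaped or bound separately before the statement is built.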