
Thread: SQL injection

  • #1
    New Coder

    SQL injection

    Hi everybody,
    I want to write a function to protect me from SQL injection, so I can call it on every $_GET.
    My $_GET is always an integer number; I started with this function:
    PHP Code:
    function valid_id($id){
       if (preg_match("/^([0-9]+)$/", $id)){
          (int) intval($id);
          htmlspecialchars($id);
          mysql_real_escape_string($id);
          return $id;
       } else {
          return '0';
       }
    }

    But the problem is it doesn't escape single quotes, and if I insert a word it shows normally. I want the function to remove any letter and prevent any SQL injection.
    Can anybody help me out to write this function?

  • #2
    Senior Coder
    mysql_real_escape_string, htmlspecialchars and intval all return a value, they don't change the variable you pass to it, so you'll need to assign the result of calling it to something - you may as well keep using $id:
    PHP Code:
    function valid_id($id) {
      if (preg_match("/^([0-9]+)$/", $id)) {
        $id = intval($id);
        $id = mysql_real_escape_string($id);
        return $id;
      } else {
        return '0';
      }
    }

    You'll notice also that I took out the htmlspecialchars call, there's no need to run this on data going in to the database, it's intended for use on data being displayed as HTML.
    My thoughts on some things: http://codemeetsmusic.com
    And my scrapbook of cool things: http://gjones.tumblr.com

  • Users who have thanked GJay for this post:

    skmd (01-10-2008)

  • #3
    Senior Coder shyam
    just curious...isn't the mysql_real_escape_string call redundant if intval already returns an integer?
    You never have to change anything you got up in the middle of the night to write. -- Saul Bellow

  • #4
    New Coder
    Aha, thank you.
    As I can see from you, is htmlspecialchars used when retrieving data from mysql, is that right?
    But is that enough to prevent entering inappropriate data into the database?
    Last edited by skmd; 01-10-2008 at 01:16 AM.

  • #5
    Senior Coder kbluhm
    It looks as though you are only casting all-numeric strings as integers. If there are any non-numeric characters, then you return 0 as a string. Here is a simplified solution for you:
    PHP Code:
    function valid_id( $id )
    {
        return ctype_digit( $id ) ? (int) $id : '0';
    }
    Last edited by kbluhm; 01-10-2008 at 03:18 PM.
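    The following is an added example, not code from any post in this thread. It runs the two validators discussed above (post #2's regex-then-intval version and post #5's ctype_digit version) alongside a stricter variant over constructed hostile inputs, so the differences between them are visible, and then feeds the validated id into a bound parameter. PDO with an in-memory SQLite table is an assumption standing in for the thread's mysql_* calls (ext/mysql was removed in PHP 7, and mysql_real_escape_string needs a live connection anyway); the table, rows and inputs are constructed for the demo. The escape call from post #2 is left out because intval() already returns an int, which is the point post #3 raises.

```php
<?php
// Added example: not code from the thread. Compares the validators discussed
// above on constructed hostile inputs, then uses the validated id in a
// parameterised query. PDO + in-memory SQLite is an assumption standing in
// for the thread's mysql_* calls; the table and rows are constructed.

// Post #2's corrected version: regex, then intval(). The escape call is
// dropped because intval() already returns an int (post #3's point).
function valid_id_regex($id) {
    if (preg_match('/^([0-9]+)$/', $id)) {
        return intval($id);
    }
    return '0';
}

// Post #5's version: ctype_digit(), then a cast.
function valid_id_ctype($id) {
    return ctype_digit($id) ? (int) $id : '0';
}

// Stricter variant (added here): \A and \z cannot match around a trailing
// newline, leading zeros are rejected so the id is canonical, the digit
// count is capped so (int) can never saturate at PHP_INT_MAX, and failure
// returns null so the caller cannot confuse "rejected" with id 0.
function valid_id_strict($id) {
    if (!is_string($id) || !preg_match('/\A(0|[1-9][0-9]*)\z/', $id)) {
        return null;
    }
    if (strlen($id) > 18) {   // 18 digits always fit in a 64-bit int
        return null;
    }
    return (int) $id;
}

$inputs = [                         // constructed test inputs
    "42",
    "42'; DROP TABLE users; --",    // classic injection attempt
    "1 OR 1=1",
    "",                             // empty: ctype_digit('') is false
    "007",                          // non-canonical
    "42\n",                         // trailing newline: $ still matches it
    "99999999999999999999",         // larger than PHP_INT_MAX
];

foreach ($inputs as $in) {
    printf("%-32s regex=%-22s ctype=%-22s strict=%s\n",
        json_encode($in),
        var_export(valid_id_regex($in), true),
        var_export(valid_id_ctype($in), true),
        var_export(valid_id_strict($in), true));
}

// Even a validated integer goes in as a bound parameter, never by string
// concatenation: the validator limits the value, the placeholder keeps the
// query shape fixed regardless of the value.
if (extension_loaded('pdo_sqlite')) {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO users VALUES (42, 'alice')");
    foreach (["42", "42'; DROP TABLE users; --"] as $raw) {
        $id = valid_id_strict($raw);
        if ($id === null) {
            echo json_encode($raw), " -> rejected before reaching the database\n";
            continue;
        }
        $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        echo json_encode($raw), " -> ", var_export($stmt->fetchColumn(), true), "\n";
    }
}
```

    Run it with php-cli. The two versions from the thread agree on the obvious injection strings but part ways on "42\n" (the regex version accepts it because $ matches before a final newline, ctype_digit does not) and both saturate a 20-digit string to PHP_INT_MAX rather than rejecting it; the strict variant refuses all of those. Whichever validator you pick, the id still belongs in a placeholder.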

  • #6
    glz
    New Coder
    Yes, regex is not necessary in this case, but I still noticed this:
    /^([0-9]+)$/

    ^ and $ don't act as anchors unless you add the m modifier
    so change it to:
    /^([0-9]+)$/m
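
    The following added example (not part of glz's post or the thread) prints what ^ and $ actually match under PCRE, the engine behind PHP's preg_* functions, for the pattern from the thread with no modifier, with the m modifier, with the D modifier, and with the \A and \z anchors instead. The inputs are constructed; the check() helper is introduced here for the demo.

```php
<?php
// Added example, not from the thread: what ^ and $ match in PHP's preg_*
// functions (PCRE) under the modifiers discussed above. Inputs constructed.
function check($pattern, $inputs) {
    $out = [];
    foreach ($inputs as $in) {
        $out[json_encode($in)] = preg_match($pattern, $in) === 1;
    }
    return $out;
}

$inputs = [
    "42",
    "42\n",                 // trailing newline
    "42\n' OR 1=1 --",      // digits on the first line, payload on the second
    "abc\n42",              // digits only on the second line
    "x42",
];

$patterns = [
    '/^([0-9]+)$/'   => 'default: $ also matches just before a final newline',
    '/^([0-9]+)$/m'  => 'm: ^ and $ match at every line boundary',
    '/^([0-9]+)$/D'  => 'D: $ matches only at the very end of the subject',
    '/\A[0-9]+\z/'   => '\A and \z: absolute start and end, unaffected by m',
];

foreach ($patterns as $p => $why) {
    echo "$p  ($why)\n";
    foreach (check($p, $inputs) as $in => $ok) {
        printf("  %-24s %s\n", $in, $ok ? 'match' : 'no match');
    }
}
```

    With the pattern as posted, "42\n" passes (and intval then silently drops the newline). Adding the m modifier widens that further: "42\n' OR 1=1 --" and "abc\n42" both pass, because ^ and $ then match at the start and end of each line. The D modifier, or \A and \z, accept only the bare digit string.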

