  1. #1
    Regular Coder
    Join Date
    Aug 2004
    Posts
    111
    Thanks
    0
    Thanked 0 Times in 0 Posts

    MySQL injection prevention code trouble

    In a different forum, I had asked how to secure my MySQL queries when using user input, and they replied that this code protects from it.
    PHP Code:
    if (!get_magic_quotes_gpc()) {
        // Recursively escape every string in $arr. The parameter is taken by
        // reference (&) so the caller's array is modified in place.
        function traverse(&$arr)
        {
            if (!is_array($arr))
                return;

            foreach ($arr as $key => $val)
                is_array($arr[$key]) ? traverse($arr[$key]) : ($arr[$key] = addslashes($arr[$key]));
        }
        // References to the superglobals, so escaping $gpc changes $_GET, $_POST and $_COOKIE themselves.
        $gpc = array(&$_GET, &$_POST, &$_COOKIE);
        traverse($gpc);
    }

    The only thing is I'm not very familiar with the PHP in this code and I'm having a hard time deciphering it line by line. I know what the script does when it's all done, but I'm not sure what it wants sent to it, and I'm kind of fuzzy as to what a foreach loop is and what all the ampersands are for.
    Any help is appreciated, Thanks

  • #2
    Regular Coder Element's Avatar
    Join Date
    Jul 2004
    Location
    Lynnwood, Washington, US
    Posts
    855
    Thanks
    2
    Thanked 2 Times in 2 Posts
    ... Why not just use mysql_real_escape_string()?

  • #3
    Regular Coder
    Join Date
    Aug 2004
    Posts
    111
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Element
    ... Why not just use mysql_real_escape_string()?
    Probably because I've never seen that before, thanks.
    I would still like it if someone could explain that code to me though.

  • #4
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,108
    Thanks
    11
    Thanked 101 Times in 99 Posts
    It's a recursive function that, if magic_quotes_gpc is turned off, goes through and addslashes() all GET, POST and COOKIE data (you could change that to mysql_real_escape_string() if you wished).

    It also checks if any of the GPC data is itself an array and, if so, does the same to them; it does that by calling itself, and that's the recursive bit.

    It's confusing as the writer seems to like control structures without braces, which annoy some and confuse the rest of us.
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)
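    The same recursive walk as the posted snippet, added here as an illustration rather than taken from the thread, written with braces so the control flow described in #4 is visible, and with the escaping function passed in as a parameter ($escape is this example's own addition) so addslashes() can be swapped for the alternative named in #2 and #4. The nested $request array is a constructed stand-in for $_GET/$_POST/$_COOKIE.

    ```php
    <?php
    // Walk $arr recursively; it is taken by reference (&) so the caller's array
    // is changed in place. $escape is any callable that takes and returns a string.
    function traverse_escape(array &$arr, callable $escape)
    {
        foreach ($arr as $key => $val) {
            if (is_array($val)) {
                // Nested input such as name="tags[]": call ourselves on the sub-array.
                traverse_escape($arr[$key], $escape);
            } else {
                $arr[$key] = $escape((string) $val);
            }
        }
    }

    // Constructed sample request data (not real superglobals).
    $request = array(
        'user' => "O'Reilly",
        'tags' => array("it's", 'plain', array('deep' => 'back\\slash')),
    );

    // The original guards on get_magic_quotes_gpc(); that function no longer
    // exists in PHP 8, so check for it before calling it.
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    if (!$magic) {
        // Swap 'addslashes' for another escaping callable if you prefer.
        traverse_escape($request, 'addslashes');
    }

    var_export($request);
    ```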

