http://thisismedia.c...njection-in-ph/
Prevent SQL Injection with PHP
#1
Posted 28 March 2011 - 12:59 PM
http://thisismedia.c...njection-in-ph/
#2
Posted 28 March 2011 - 01:26 PM
Cabbage, on 28 March 2011 - 12:59 PM, said:
http://thisismedia.c...njection-in-ph/
Very nice topic, but technically a simple function as below would prevent injections quite well
function clean_data($data){
global $mysqli;
// mysqli_real_escape_string() needs the connection as its first argument
return mysqli_real_escape_string($mysqli, trim(htmlentities($data,ENT_QUOTES,'UTF-8')));
}
then use that on any data going into mysql
also filtering things that require int only to int only
$id = $_GET['id'];
$id = preg_replace('#[^0-9]#i', '', $id);
This post has been edited by webdesigner93: 28 March 2011 - 01:27 PM
#3
Posted 28 March 2011 - 01:48 PM
webdesigner93, on 28 March 2011 - 01:26 PM, said:
function clean_data($data){
global $mysqli;
// mysqli_real_escape_string() needs the connection as its first argument
return mysqli_real_escape_string($mysqli, trim(htmlentities($data,ENT_QUOTES,'UTF-8')));
}
then use that on any data going into mysql
also filtering things that require int only to int only
$id = $_GET['id'];
$id = preg_replace('#[^0-9]#i', '', $id);
I was going to write about casting to integers etc but I'm trying to keep it simple. Add it to the tutorial in the comments if you wish, might help someone using it
#4
Posted 28 March 2011 - 02:14 PM
Cabbage, on 28 March 2011 - 01:48 PM, said:
I will deff do that
#5
Posted 29 March 2011 - 11:36 AM
webdesigner93, on 28 March 2011 - 02:14 PM, said:
Well at work we've been asked to blog a few times a week so the company appears more social. Should be able to keep a regular blog and get paid for the pleasure
#6
Posted 29 March 2011 - 08:54 PM
Cabbage, on 28 March 2011 - 12:59 PM, said:
http://thisismedia.c...njection-in-ph/
Well written article. However, just use PHP PDO. PDO binding does this for you and with pdo binding SQL injections are near on impossible.
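Added example, not taken from any post in this thread: the PDO parameter binding post #6 recommends, combined with the integer check post #2 describes. It assumes a MySQL table `users(id INT, name VARCHAR)`; the DSN, user and password are placeholders.

```php
<?php
// Added example (not from the thread). Assumes a MySQL table users(id INT, name VARCHAR);
// connection details below are placeholders.
declare(strict_types=1);

function connect(): PDO {
    $dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'PLACEHOLDER_PASSWORD', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: the bound value never becomes part of the SQL text.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Look up a user by id. The id is validated as an integer first, then bound as a
// parameter instead of being concatenated into the query string.
function find_user(PDO $pdo, string $raw_id): ?array {
    // Rejects empty, non-numeric and trailing-garbage input outright; no "cleaning".
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // treat invalid input as "not found"
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Search by name. A bound string is data, not SQL, so quotes and backslashes in
// it cannot change the statement. LIKE wildcards are escaped separately because
// they are meaningful to LIKE itself, not to the SQL parser.
function search_users(PDO $pdo, string $needle): array {
    $escaped = addcslashes($needle, '%_\\');
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name LIKE :pat LIMIT 50');
    $stmt->bindValue(':pat', '%' . $escaped . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll();
}

$pdo = connect();
var_dump(find_user($pdo, $_GET['id'] ?? ''));
var_dump(search_users($pdo, $_GET['q'] ?? ''));
```

Note that the HTML encoding done in post #2's clean_data() belongs at output time, not in the query path; the query only needs the value bound, and the integer check only needs the value rejected when it is not an integer.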
#7
Posted 30 March 2011 - 04:13 AM
Avera, on 29 March 2011 - 08:54 PM, said:
I think personally prepared statements are a lazy way of doing things, and can also get people out of the habit of filtering their data properly, not just for sql statements but for app security in general, plus mysql_real_escape_string does a good job of preventing most sql injects without the extra work of binding params etc.