What we have done for work is turn off magic_quotes_gpc (evil stuff), and in any PHP script I write for work I also ini_set magic quotes off, and then we run a safe_query() function.
(This code is not proprietary; it's free to use by anyone. It's so simple anyone could write it anyway, and it does an *EXCELLENT* job of emulating BIND VARIABLES and completely eliminating SQL injection.)
function safe_query($query, $values, $link) {
    // Split the SQL on every '?' placeholder; the value list must fill each gap.
    $query_parts = explode('?', $query);
    $needed_values = count($query_parts) - 1;
    $given_values = count($values);
    // Refuse a mismatch in either direction: too few values would leave a
    // placeholder unfilled, too many would silently be appended to the SQL.
    if ($needed_values != $given_values) {
        die('Query "<i>' . $query . '</i>" needs ' .
            $needed_values . ' values, you sent ' . $given_values);
    }
    $safe_query = array_shift($query_parts);
    foreach ($values as $value) {
        // Quote and escape each value using the connection's character set;
        // mysql_real_escape_string() takes the link for that reason, whereas
        // mysql_escape_string() escapes byte by byte without knowing the charset.
        $safe_query .= "'" . mysql_real_escape_string($value, $link) . "'"
                     . array_shift($query_parts);
    }
    return mysql_query($safe_query, $link);
}

//the above function used thusly
// (table and desc are MySQL reserved words, so they are backtick-quoted)
$sql = "INSERT INTO `table` (name,type,`desc`,whatever) VALUES (?,?,?,?)";
$sql_array = array($name, $type, $desc, $whatever);
$result = safe_query($sql, $sql_array, $db_resource_link);
It works very, very well. I would suggest everyone use it in their code and forget completely about worrying whether magic_quotes_gpc is on; with some basic cleanup work, no worries about SQL injection attacks either.
I've tested this with every possible combination of SQL injection that I could come up with or find on the web, and have yet to find anything that breaks the query.
If someone can find a way to SQL inject something into safe_query, I'd definitely like to know about it.
Bri!
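The post asks for a way to inject into safe_query(). The following is an added example, not the poster's code: a Python re-implementation of the "escape each value, quote it, splice it into the SQL at the next ?" approach, beside a charset-aware variant, and a small emulation of how a MySQL lexer scans a string literal on a GBK connection. It shows the one case where charset-unaware escaping (what mysql_escape_string() does, since it never sees the link) fails: the connection character set is a multibyte one such as GBK, and the value starts with a lead byte followed by a quote. The query, the payload, the function names and the lexer emulation are all constructed here for the demonstration; nothing talks to a database.

```python
# Added example (not code from the original post): byte-level re-implementation of
# the splice-and-escape idea behind safe_query(), with charset-unaware and
# GBK-aware escaping side by side, plus an emulation of a MySQL string-literal
# scan on a GBK connection. All inputs are constructed for the demonstration.

# Bytes that mysql_escape_string() rewrites, and what it rewrites them to.
ESCAPES = {
    0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
    0x5C: b"\\\\", 0x27: b"\\'", 0x22: b'\\"',
}

def escape_unaware(value: bytes) -> bytes:
    """Byte-by-byte escaping with no knowledge of the connection charset
    (the behaviour of mysql_escape_string())."""
    return b"".join(ESCAPES.get(b, bytes([b])) for b in value)

def is_gbk_pair(lead: int, trail: int) -> bool:
    """True if the two bytes form one valid GBK double-byte character."""
    return 0x81 <= lead <= 0xFE and (0x40 <= trail <= 0x7E or 0x80 <= trail <= 0xFE)

def escape_gbk_aware(value: bytes) -> bytes:
    """Escaping that knows the connection charset is GBK: a complete
    double-byte character is copied whole, and a lone lead byte is prefixed
    with a backslash so it can never pair up with a backslash inserted later
    (the rule mysql_real_escape_string() applies once the charset is set)."""
    out = bytearray()
    i = 0
    while i < len(value):
        b = value[i]
        if 0x81 <= b <= 0xFE:
            if i + 1 < len(value) and is_gbk_pair(b, value[i + 1]):
                out += value[i:i + 2]
                i += 2
                continue
            out += b"\\"  # lone lead byte: neutralise it
        out += ESCAPES.get(b, bytes([b]))
        i += 1
    return bytes(out)

def safe_query(query: bytes, values: list, escape=escape_unaware) -> bytes:
    """Splice quoted, escaped values into the SQL at each '?' (the post's
    approach). A value count that is too high is rejected as well, rather
    than the surplus being appended silently to the end of the SQL."""
    parts = query.split(b"?")
    needed = len(parts) - 1
    if needed != len(values):
        raise ValueError(f"query needs {needed} values, got {len(values)}")
    sql = parts[0]
    for value, tail in zip(values, parts[1:]):
        sql += b"'" + escape(value) + b"'" + tail
    return sql

def first_literal_gbk(sql: bytes):
    """Emulate a MySQL lexer scanning the first single-quoted literal on a GBK
    connection: a valid GBK pair is one character (even when its trail byte
    is 0x5C, a backslash), a backslash skips the following byte, and a bare
    quote ends the literal. Returns (literal bytes, bytes after the quote)."""
    start = sql.index(b"'") + 1
    i = start
    while i < len(sql):
        if i + 1 < len(sql) and is_gbk_pair(sql[i], sql[i + 1]):
            i += 2
        elif sql[i] == 0x5C:
            i += 2
        elif sql[i] == 0x27:
            return sql[start:i], sql[i + 1:]
        else:
            i += 1
    raise ValueError("unterminated string literal")

QUERY = b"SELECT * FROM users WHERE name = ?"
# Constructed attacker input: a GBK lead byte immediately followed by a quote.
PAYLOAD = b"\xbf' OR 1=1 -- "

def remainder_after_literal(escape) -> bytes:
    """What the server sees *outside* the quoted literal for PAYLOAD."""
    _, rest = first_literal_gbk(safe_query(QUERY, [PAYLOAD], escape))
    return rest

if __name__ == "__main__":
    # Unaware: 0xBF 0x5C becomes one GBK character and the quote is left bare.
    print(remainder_after_literal(escape_unaware))    # b" OR 1=1 -- '"
    # Aware: the whole value stays inside the quotes, nothing leaks out.
    print(remainder_after_literal(escape_gbk_aware))  # b""
```

With the charset-unaware escaper the value becomes 0xBF 0x5C 0x27; on a GBK connection the server reads 0xBF 0x5C as the single character 縗 and the following quote terminates the literal, so the rest of the payload runs as SQL. The charset-aware escaper emits 0x5C 0xBF 0x5C 0x27 instead, and the lexer consumes each backslash pair, so the literal ends at the intended closing quote. In PHP this is the difference between mysql_escape_string() and mysql_real_escape_string() on a link whose character set has been set with mysql_set_charset(); real bind variables (prepared statements, where the values never travel inside the SQL text) avoid the question entirely.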