Posted: Tue Feb 27, 2007 5:59 am
Mordred wrote:
jolinar, your function is fine, but it is not enough. All data should be mysql_real_escape_string()-ed before putting it in a mysql_query(). If you have to stop and think if your check was enough, this means it's not enough.
Your function is about validation, which is part of the code logic level. SQL injection is an attack on the syntax level, and should be stopped by syntactical means. Proper escaping is one, writing SQL statements with proper syntax is another, and Kureigu did neither.
Btw, after $pword = md5($_POST['pword']); $pword is safe enough; on the code logic level it is fine. But remember what I told you: if you have to stop and think if it's enough, then it's not enough! Good coding practice dictates that you escape it as well.

Very good point, I've just started using that now. PHP 5 has a very nifty feature for this: the foreach iterator can be used to modify superglobals (probably not good practice).
Code:
// Escape every request value in place, by reference (PHP 5 only).
foreach ($_GET as &$tmp) {
    $tmp = mysql_escape_string($tmp);
}
unset($tmp); // drop the reference to the last $_GET element
foreach ($_POST as &$tmp) {
    $tmp = mysql_escape_string($tmp);
}
unset($tmp); // otherwise any later write to $tmp would silently overwrite the last $_POST value
// mysql_real_escape_string(), as recommended above, also honours the connection charset, but it needs an open connection at this point in the script.
The problem suggested was that if I forgot to scan/escape the input then it would be vulnerable to a SQL injection attack. This approach scans EVERYTHING in $_GET and $_POST before the rest of the program even touches those variables.
Since this is a PHP 5-specific feature, I've had to include a check at the start of the program that stops it and displays a version error if it detects anything < 5 (in case I accidentally load it onto a machine running PHP 4).
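An added example, not part of the original thread or any poster's code, to show what Mordred's "syntax level" point means in practice. It is written in Python against an in-memory SQLite database so it runs offline; the escaper sqlite_escape_string() stands in for mysql_real_escape_string() using SQLite's quoting rule (double the single quote) rather than MySQL's backslash rule, which is exactly why the database-specific escaping function matters. escape_request() mirrors the escape-everything loop above. The table, rows and attacker inputs are all constructed. Four cases are run: raw concatenation (injected), escaped and quoted (safe), escaped but spliced into an unquoted numeric position (still injected, because the escaper never sees a quote to neutralise), and, going beyond the thread's escape-only approach, a bound parameter, which is safe regardless of quoting.

```python
import hashlib
import sqlite3


def sqlite_escape_string(value):
    """Escape `value` for use INSIDE a single-quoted SQLite string literal.

    Stand-in for PHP's mysql_real_escape_string(). The rule is dialect-specific:
    SQLite doubles the quote, MySQL backslash-escapes, so the escaper must match
    the database actually being queried. The result only means anything when it
    is placed between quotes in the final statement.
    """
    return str(value).replace("'", "''")


def escape_request(params):
    """Python equivalent of the post's escape-everything loop over $_GET/$_POST.

    Every value is escaped up front, before anyone knows whether it will land
    inside a quoted literal, in an unquoted numeric position, or never in SQL.
    """
    return {key: sqlite_escape_string(val) for key, val in params.items()}


def make_db():
    """Constructed sample table and rows (hypothetical, not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pword TEXT)")
    rows = [(1, "alice", hashlib.md5(b"correct horse").hexdigest()),
            (2, "bob", hashlib.md5(b"battery staple").hexdigest())]
    conn.executemany("INSERT INTO users (id, name, pword) VALUES (?, ?, ?)", rows)
    return conn


def md5_hex(text):
    """The thread's $pword = md5($_POST['pword']) step."""
    return hashlib.md5(text.encode()).hexdigest()


def login_unescaped(conn, request):
    """The original bug: raw request data concatenated into quoted literals."""
    sql = ("SELECT id, name FROM users WHERE name = '%s' AND pword = '%s'"
           % (request["uname"], md5_hex(request["pword"])))
    return conn.execute(sql).fetchall()


def login_escaped(conn, request):
    """Escaped AND quoted: both syntactic defences Mordred describes."""
    safe = escape_request(request)
    sql = ("SELECT id, name FROM users WHERE name = '%s' AND pword = '%s'"
           % (safe["uname"], md5_hex(request["pword"])))
    return conn.execute(sql).fetchall()


def user_by_id_escaped_unquoted(conn, request):
    """Escaped but NOT quoted: there is no quote for the escaper to neutralise,
    so "0 OR 1=1" is spliced in as SQL. Escaping alone is not enough."""
    safe = escape_request(request)
    sql = "SELECT id, name FROM users WHERE id = %s" % safe["id"]
    return conn.execute(sql).fetchall()


def user_by_id_bound(conn, request):
    """Parameter binding: the value is sent separately and never becomes SQL text."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?",
                        (request["id"],)).fetchall()


def demo():
    """Run the four cases against the same data; returns {case: rows}."""
    conn = make_db()
    login = {"uname": "' OR 1=1 --", "pword": "anything"}  # constructed attacker input
    lookup = {"id": "0 OR 1=1"}                              # constructed attacker input
    return {
        "unescaped": login_unescaped(conn, login),
        "escaped_quoted": login_escaped(conn, login),
        "escaped_unquoted": user_by_id_escaped_unquoted(conn, lookup),
        "bound_parameter": user_by_id_bound(conn, lookup),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print("%-17s -> %d row(s): %s" % (case, len(rows), rows))
```

Run it directly to see the row counts per case. The escaped-but-unquoted case is the one an escape-everything loop at the top of the script cannot help with: the loop does not know where each value will end up, and an escaper only protects values that the SQL actually wraps in quotes. That is the "proper syntax" half of Mordred's advice.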