Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Aye, this one is shorter, but it's not any more correct than the first one. In fact both regexps happily allow quotes and other SQL syntactic characters, and if it weren't for the addslashes (wrong as it is), the script would be wide open for SQL injection.
dhrosti, are you actually testing those things you write? With both valid and invalid input?
Mordred wrote: Aye, this one is shorter, but it's not any more correct than the first one. In fact both regexps happily allow quotes and other SQL syntactic characters, and if it weren't for the addslashes (wrong as it is), the script would be wide open for SQL injection.
dhrosti, are you actually testing those things you write? With both valid and invalid input?
I use that function to filter all input (name, mail, phone) in my web form right before the data is inserted into MySQL.
It doesn't protect against all forms of SQL injection, if that's what you're asking. Where it notably fails to protect is injections that do not require quotes to taint your query.
As long as you write SQL code with quotes everywhere, and use mysql_real_escape_string() and casting to int for LIMIT values, you are safe from SQL injections. The preg_replace as a security measure is not required (it is not enough either, as it was already demonstrated). Now, as a part of your business logic you may want to disallow some characters in some fields, etc etc - THEN you may filter out some characters. Otherwise, from a security POV it's not needed.
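The two rules from the post above (quote and escape every string value; cast numeric values such as LIMIT to int) and the unquoted-number failure mode mentioned two posts earlier, shown together in one added example. This is not code from the thread or from any of its posters. It uses mysqli, whose mysqli_real_escape_string() is the direct successor of the mysql_real_escape_string() discussed here (the mysql_* extension was removed in PHP 7); the table name, column names and connection details are assumed for illustration.

```php
<?php
// Added example, not from the thread. Table/column names are assumed.

// Unsafe: a numeric field interpolated without quotes. Because no quote
// character is needed to alter this query, addslashes() and quote-stripping
// regexes give no protection at all here (the failure mode noted above).
function unsafe_limit_query(string $userLimit): string
{
    return "SELECT name, mail FROM contacts LIMIT " . $userLimit;
}

// Safe string values: every value sits inside quotes AND is escaped with
// the connection's charset-aware escaper, never with addslashes().
function safe_insert_query(mysqli $db, array $form): string
{
    $name  = mysqli_real_escape_string($db, $form['name']  ?? '');
    $mail  = mysqli_real_escape_string($db, $form['mail']  ?? '');
    $phone = mysqli_real_escape_string($db, $form['phone'] ?? '');

    return "INSERT INTO contacts (name, mail, phone) "
         . "VALUES ('$name', '$mail', '$phone')";
}

// Safe numeric value: (int) keeps only a leading integer, so the literal
// placed in the query can never be anything but a number.
function safe_limit_query(string $userLimit): string
{
    $limit = (int) $userLimit;
    if ($limit < 1 || $limit > 100) {
        $limit = 10;   // clamping is business logic, not the security measure
    }
    return "SELECT name, mail FROM contacts LIMIT $limit";
}

// Usage (assumes a live server; credentials are placeholders):
// $db = mysqli_connect('localhost', 'user', 'pass', 'app');
// mysqli_set_charset($db, 'utf8mb4');   // the escaper must know the charset
// mysqli_query($db, safe_insert_query($db, $_POST));
// mysqli_query($db, safe_limit_query($_GET['limit'] ?? '10'));
```

Two details worth checking in your own code: the escaper is only correct for the connection's character set, so set it with mysqli_set_charset() rather than a SET NAMES query; and the business-logic filtering the post mentions (rejecting characters you do not want in a phone number, say) happens before this step and does not replace it. Prepared statements with bound parameters achieve the same separation of code and data without any manual escaping, and are the usual choice today.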