SQL Injection Prevention
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
superdezign wrote:
Magic quotes only apply to GPC data, and should be stripped from GPC data before you do anything in your program (if magic_quotes is on) and handled manually.

Ok perfect. I understand it. I am working with $_POST['subject'] kind of data, so it is GPC data. Now I should check if magic quotes are on and if they are then use stripslashes(), then mysql_real_escape_string() on the data and finally put it in the db.
Correct?
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
kkonline wrote:
Ok perfect. I understand it. I am working with $_POST['subject'] kind of data, so it is GPC data. Now I should check if magic quotes are on and if they are then use stripslashes(), then mysql_real_escape_string() on the data and finally put it in the db.
Correct?

Yes, except you should handle GPC data with magic_quotes all at once. I use this in a generic config file that I include:

Code:
    // Strip slashes from all GPC data, once, at the start of every request
    if (get_magic_quotes_gpc()) {
        // Recursively undo the quoting PHP applied to (possibly nested) GPC arrays
        function strip_gpc_slashes(&$array) {
            if (!is_array($array)) {
                return;
            }
            foreach ($array as $key => $val) {
                is_array($array[$key]) ? strip_gpc_slashes($array[$key]) : ($array[$key] = stripslashes($val));
            }
        }
        // Pass references so the superglobals themselves are modified in place
        $gpc = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST, &$_FILES);
        strip_gpc_slashes($gpc);
    }
superdezign wrote:
Yes, except you should handle GPC data with magic_quotes all at once. I use this in a generic config file that I include: [...]

That means I should just include the above file... and it will do its task automatically without me calling the function or something...
Correct???
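As an added example (not code from the thread or its posters), here is the flow kkonline describes run end to end: undo magic quotes exactly once, then hand the value to the database. It uses PDO with an in-memory SQLite table so it runs offline, and a prepared statement takes the place of the mysql_real_escape_string() step; the table name, sample value and the $magic_quotes_on switch are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Shows why stripslashes() must run before the
// value reaches the database, and what happens to the data when it does not.

// Step 1 of the thread: strip only the slashes magic quotes added, and only once.
// Real code would test get_magic_quotes_gpc() (always false since PHP 5.4, removed
// in 8.0); the constructed switch stands in for it so both branches can be shown.
function undo_magic_quotes($value, $magic_quotes_on) {
    return $magic_quotes_on ? stripslashes($value) : $value;
}

// Step 2: store it. The bound parameter travels separately from the SQL text, so a
// quote inside $subject cannot terminate the string literal or alter the query.
function store_subject(PDO $pdo, $gpc_value, $magic_quotes_on) {
    $subject = undo_magic_quotes($gpc_value, $magic_quotes_on);
    $stmt = $pdo->prepare('INSERT INTO posts (subject) VALUES (:subject)');
    $stmt->bindValue(':subject', $subject, PDO::PARAM_STR);
    $stmt->execute();
    // Read back exactly what landed in the table.
    $stmt = $pdo->prepare('SELECT subject FROM posts WHERE id = :id');
    $stmt->bindValue(':id', (int) $pdo->lastInsertId(), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchColumn();
}

// Constructed in-memory table standing in for the forum's real posts table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY AUTOINCREMENT, subject TEXT)');

// Constructed input as PHP delivered it with magic_quotes_gpc on: the user typed
// O'Reilly and PHP inserted a backslash before the quote.
$magic_quoted = "O\\'Reilly";

// Stripped first, as the thread advises: the stored subject is the user's own text.
var_dump(store_subject($pdo, $magic_quoted, true));

// Not stripped: the backslash is stored with the data. Magic quotes never protected
// the query here; skipping the strip step only corrupts what is saved.
var_dump(store_subject($pdo, $magic_quoted, false));
```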