Monday, June 27, 2011

Functions for preventing both SQL and XSS injection attacks

Functions for preventing both SQL and XSS injection attacks

<?php
function mysql_entities_fix_string($string)
{
    return htmlentities(mysql_fix_string($string));
}
function mysql_fix_string($string)
{
    if (get_magic_quotes_gpc()) $string = stripslashes($string);
    return mysql_real_escape_string($string);
}
?>

Using placeholders with PHP

Once you have prepared a statement, until you deallocate it, you can use it as often as you wish. Such statements are commonly used within a loop to quickly insert data into a database by assigning values to the MySQL variables and then executing the state-ment. This approach is more efficient than creating the entire statement from scratch on each pass through the loop.

<?php
require 'login.php';
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!$db_server) die("Unable to connect to MySQL: " . mysql_error());
mysql_select_db($db_database)
    or die("Unable to select database: " . mysql_error());
$query = 'PREPARE statement FROM "INSERT INTO classics
    VALUES(?,?,?,?,?)"';
mysql_query($query);
$query = 'SET @author = "Emily Brontë",' .
         '@title = "Wuthering Heights",' .
         '@category = "Classic Fiction",' .
         '@year = "1847",' .
         '@isbn = "9780553212587"';
mysql_query($query);
$query = 'EXECUTE statement USING @author,@title,@category,@year,@isbn';
mysql_query($query);
$query = 'DEALLOCATE PREPARE statement';
mysql_query($query);
?>

How to properly sanitize user input for MySQL

 
The get_magic_quotes_gpc function returns TRUE if magic quotes are active. In that case,any slashes that have been added to a string have to be removed or the function mysql_real_eascape_string could end up double-escaping some characters, creating corrupted strings.

<?php
function mysql_fix_string($string)
{
    if (get_magic_quotes_gpc()) $string = stripslashes($string);
    return mysql_real_escape_string($string);
}
?>