Tech mysql_real_escape_string question - GoFuckYourself.com

Publisher Bucks · 08-11-2022, 08:39 AM

Is there a snippet of code that I can use to automatically secure any form input on a page to the SQL database without the need of placing mysql_real_escape_string on every field to check?

Does that make sense?

redwhiteandblue · 08-11-2022, 08:56 AM

Try this, it may or may not work....

It should run through all the values in the $_POST array and make a new array with sanitized values.

Code:

$sanitized_post = [];
$dbc = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

foreach($_POST as $key => $value)
{
	$sanitized_post[$key] = $dbc->real_escape_string($value);
}

k0nr4d · 08-11-2022, 09:29 AM

Code:

<?php
$_POST = mysqli_real_escape_array($dblink,$_POST); 

function mysqli_real_escape_array($dblink, $data) {
    if (is_array($data)) {
        foreach ($data as $key => $value) {
            $data[$key] = mysqli_real_escape_array($dblink, $value);
        }
        return $data;
    } else {
        if (!is_numeric($data)) {
            return mysql_real_escape_string($dblink,$data);
        } else {
            return $data;
        }
    }
}
?>

Klen · 08-11-2022, 09:33 AM

I am using htmlspecialchars and so far it is working fine. But it does not hurt to put extra steps to harden security.

k0nr4d · 08-11-2022, 09:40 AM

Quote:

Originally Posted by Klen

I am using htmlspecialchars and so far it is working fine. But it does not hurt to put extra steps to harden security.

That's not enough to stop sql injection. htmlspecialchars is enough for XSS.

redwhiteandblue · 08-11-2022, 09:43 AM

Quote:

Originally Posted by Klen

I am using htmlspecialchars and so far it is working fine. But it does not hurt to put extra steps to harden security.

htmlspecialchars is meant more for output to an HTML document, and in any case htmlentities does a better job of that.

Klen · 08-11-2022, 10:39 AM

Quote:

Originally Posted by k0nr4d

That's not enough to stop sql injection. htmlspecialchars is enough for XSS.

Well, i did added some additional sanitation steps as when tested against sql injections was working fine. Either way, code need to be tested against it regardless what methods are used.

Publisher Bucks · 08-11-2022, 10:59 AM

Awesome, thanks everyone

machinegunkelly · 08-11-2022, 08:29 PM

Quote:

Originally Posted by Publisher Bucks

Awesome, thanks everyone

I still feel like you should just say fuck it and grab a frame work.

I get wanting to 'learn php' but .. do you want to learn to churn butter? or how a sun dial works, perhaps you want to sow seeds with an ox?

Why waste so much time learning php, when a framework takes all the pain out of it.

i'll tell you right now as a hiring manager, old school PHP devs are discarded because they cant learn modern 'php'

LaSexorcisto · 08-11-2022, 09:53 PM

Quote:

Originally Posted by machinegunkelly

I still feel like you should just say fuck it and grab a frame work.

I get wanting to 'learn php' but .. do you want to learn to churn butter? or how a sun dial works, perhaps you want to sow seeds with an ox?

Why waste so much time learning php, when a framework takes all the pain out of it.

i'll tell you right now as a hiring manager, old school PHP devs are discarded because they cant learn modern 'php'

I would agree with that statement only if the following are true:

1) His end goal is to work as an "employee" in some 9-5 rat race job making someone else rich and keeping up with other employees to make the corporate boss happy.
2) He has no interest in learning the basic building blocks of the language. (Like if you want to learn how to work on car engines to build your own hotrod, fuck it just buy a Tesla and buy the dealer upgrades instead)

Quote:

Why waste so much time learning php, when a framework takes all the pain out of it.

Then that's just learning the framework not the language.

If that's the case, then one could easily say why learn a framework when Wordpress, Joomla, or Drupal takes the pain out of it.

k0nr4d · 08-12-2022, 12:21 AM

Quote:

Originally Posted by machinegunkelly

i'll tell you right now as a hiring manager, old school PHP devs are discarded because they cant learn modern 'php'

When I'm hiring I have the opposite. If the guy can't invent the wheel from scratch I don't want him. Too many guys apply that only know zend framework or only know laravel or only know codeignitor but don't actually know REALLY know PHP

Klen · 08-12-2022, 12:48 AM

Quote:

Originally Posted by k0nr4d

When I'm hiring I have the opposite. If the guy can't invent the wheel from scratch I don't want him. Too many guys apply that only know zend framework or only know laravel or only know codeignitor but don't actually know REALLY know PHP

Where do i apply ?

08-11-2022, 08:39 AM	#1
Publisher Bucks Confirmed User Industry Role: Join Date: Oct 2018 Location: New Orleans, Louisiana. / Newcastle, England. Posts: 1,126	mysql_real_escape_string question Is there a snippet of code that I can use to automatically secure any form input on a page to the SQL database without the need of placing mysql_real_escape_string on every field to check? Does that make sense? __________________ SOMETHING EXTREME IS COMING SOON!

08-11-2022, 08:56 AM	#2
redwhiteandblue Bollocks Industry Role: Join Date: Jun 2007 Location: Bollocks Posts: 2,792	Try this, it may or may not work.... It should run through all the values in the $_POST array and make a new array with sanitized values. Code: $sanitized_post = []; $dbc = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); foreach($_POST as $key => $value) { $sanitized_post[$key] = $dbc->real_escape_string($value); } __________________ Interserver unmanaged AMD Ryzen servers from $73.00

08-11-2022, 10:59 AM	#8
Publisher Bucks Confirmed User Industry Role: Join Date: Oct 2018 Location: New Orleans, Louisiana. / Newcastle, England. Posts: 1,126	Awesome, thanks everyone __________________ SOMETHING EXTREME IS COMING SOON!

08-11-2022, 09:33 AM	#4
Klen Industry Role: Join Date: Aug 2006 Location: Little Vienna Posts: 32,235	I am using htmlspecialchars and so far it is working fine. But it does not hurt to put extra steps to harden security.