PHP mysql_* commands and safe them. - Printable Version

+- LCKB (https://lckb.dev/forum)
+---- Thread: PHP mysql_* commands and safe them. (/showthread.php?tid=1502)



- SeaLife - 01-11-2013


Hello!

I'm building my own web site (Demo: 2 ) and I want to know how to make

mysql_query( $sql_query ) safe

I'm working with these commands:

GetGet('q');

function GetGet($STRING) {
    if (!isset($_GET[$STRING])) {
        $return = "";
    } else {
        $return = sql_inj($_GET[$STRING]);
    }
    return $return;
}

GetPost('post:name');

function GetPost($STRING) {
    if (!isset($_POST[$STRING])) {
        $return = "";
    } else {
        $return = sql_inj($_POST[$STRING]);
    }
    return $return;
}

sql_inj( $string );

function sql_inj($sql) {
    error_reporting(E_ALL ^ E_NOTICE ^ E_DEPRECATED);
    // strip a blacklist of SQL keywords and characters, case-insensitively
    $sql = preg_replace(sql_regcase("/(from|<|>|'|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"), "", $sql);
    $sql = trim($sql);
    $sql = strip_tags($sql);
    $sql = addslashes($sql);
    $sql = htmlspecialchars($sql);
    return $sql;
}

And now tell me, if I execute this, whether it is safe:

mysql_query("UPDATE t_characters SET a_admin = ('".GetGet('adminlvl')."') WHERE a_nick = ('".GetGet('nick')."');");

THX




- Wizatek - 01-13-2013

Just learn to use PDO, then you don't need to worry about safe or not, and the code looks a lot nicer also.
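The UPDATE from the opening post, rewritten with a PDO prepared statement as the reply suggests. This is an added example, not code from SeaLife or from the forum: the table and column names (t_characters, a_admin, a_nick) and the parameter names (adminlvl, nick) come from the thread; the SQLite in-memory database, the sample rows, the request array standing in for $_GET and the 0..10 admin-level range are constructed assumptions so the script runs offline.

```php
<?php
// Added example (not SeaLife's code): the thread's UPDATE as a PDO prepared
// statement. Table/column names are from the thread; the SQLite database,
// sample rows and the adminlvl range are assumptions for an offline demo.
// For the real site swap the DSN for 'mysql:host=...;dbname=...;charset=utf8mb4'.

declare(strict_types=1);

function setAdminLevel(PDO $pdo, string $nick, int $adminLevel): int
{
    // The values never become part of the SQL text, so whatever characters
    // the nick contains, it is only ever compared against a_nick as data.
    $stmt = $pdo->prepare('UPDATE t_characters SET a_admin = :admin WHERE a_nick = :nick');
    $stmt->bindValue(':admin', $adminLevel, PDO::PARAM_INT);
    $stmt->bindValue(':nick', $nick, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

function readRequest(array $request): array
{
    // Validate type and range instead of stripping characters: a nick is
    // any non-empty string, the admin level must be an integer in 0..10
    // (the range is an assumption, not something the thread states).
    $nick = $request['nick'] ?? null;
    $lvl  = filter_var($request['adminlvl'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 10]]);
    if (!is_string($nick) || $nick === '' || $lvl === false) {
        throw new InvalidArgumentException('invalid nick or adminlvl');
    }
    return [$nick, $lvl];
}

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // errors become exceptions, not silent failures
]);
$pdo->exec('CREATE TABLE t_characters (a_nick TEXT PRIMARY KEY, a_admin INTEGER NOT NULL DEFAULT 0)');
$pdo->exec("INSERT INTO t_characters (a_nick) VALUES ('alice'), ('bob')"); // constructed rows

// Constructed stand-in for $_GET; in the web application pass $_GET itself.
[$nick, $lvl] = readRequest(['nick' => 'alice', 'adminlvl' => '3']);
printf("%d row(s) updated\n", setAdminLevel($pdo, $nick, $lvl));

// A nick containing a quote is handled as plain data; with string
// concatenation into mysql_query() this would have broken the statement.
[$nick, $lvl] = readRequest(['nick' => "o'brien", 'adminlvl' => '1']);
printf("%d row(s) updated\n", setAdminLevel($pdo, $nick, $lvl));

try {
    readRequest(['nick' => 'alice', 'adminlvl' => '99']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

With the MySQL driver it is also usual to set PDO::ATTR_EMULATE_PREPARES to false so the server, not the client library, does the parameter binding. Note what the prepared statement does and does not fix: it removes the quoting problem, but an endpoint that sets an admin level from a GET parameter still needs an authorization check before setAdminLevel() is ever called; that check is separate from input handling and is not part of this snippet.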




- mord - 01-13-2013


2 <- your best options, and PDO is usually the best way to go.


- Wizatek - 01-14-2013

2


- SeaLife - 01-22-2013


But I won't rewrite my script, because this script has over 100+ mysql_query commands :O and only uses these trim commands to be safe >.<

And I only want to know if this would be safe ^^




- Wizatek - 01-22-2013

PHP doesn't declare the complete mysql_ commands deprecated for no reason.




- Samker132 - 02-08-2013


Encrypt your passwords and remove all special chars from the username, and the same for the email, but there you need to allow these chars "@._-".

function clean_str($str) // function to clean strings
{
    $str = @trim($str);
    if (get_magic_quotes_gpc())
    {
        $str = stripslashes($str);
    }
    $str = preg_replace("/[^a-zA-Z0-9]/", "", $str);
    return $str;
} // End Clean String

Use this function for your usernames, and for emails change

$str = preg_replace("/[^a-zA-Z0-9]/", "", $str);

to

$str = preg_replace("/[^a-zA-Z0-9@._\-]/", "", $str);

Greets
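The username and e-mail rules from the post above, turned into allow-list checks that reject bad input rather than silently stripping characters, with passwords stored as password_hash() digests. This is an added example, not Samker132's code: the character sets ([a-zA-Z0-9] for usernames, plus "@._-" for e-mails) are the post's; the length limits, the users table and the SQLite in-memory database are constructed assumptions so the script runs offline.

```php
<?php
// Added example (not Samker132's code): allow-list validation for the
// username and e-mail character sets from the post, plus password_hash()
// storage. Length limits, the users table and the SQLite database are
// assumptions for an offline demo.

declare(strict_types=1);

function validUsername(string $s): bool
{
    // Same character set as the post's first regex, but reject instead of
    // stripping, so "al ice" is refused rather than silently becoming "alice".
    return preg_match('/^[a-zA-Z0-9]{3,20}$/', $s) === 1;
}

function validEmail(string $s): bool
{
    // The post's second character set "@._-", combined with PHP's own
    // e-mail syntax check so "bob@@example" is refused as well.
    return preg_match('/^[a-zA-Z0-9@._\-]{6,254}$/', $s) === 1
        && filter_var($s, FILTER_VALIDATE_EMAIL) !== false;
}

function createUser(PDO $pdo, string $user, string $email, string $password): void
{
    if (!validUsername($user) || !validEmail($email)) {
        throw new InvalidArgumentException('invalid username or e-mail');
    }
    // password_hash() salts and hashes; the clear-text password is never stored.
    $stmt = $pdo->prepare('INSERT INTO users (name, email, pass_hash) VALUES (:n, :e, :h)');
    $stmt->execute([
        ':n' => $user,
        ':e' => $email,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function checkLogin(PDO $pdo, string $user, string $password): bool
{
    // The lookup is a prepared statement, so the validated username is data
    // here as well; password_verify() does the constant-time comparison.
    $stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE name = :n');
    $stmt->execute([':n' => $user]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT NOT NULL, pass_hash TEXT NOT NULL)');

// Constructed sample data.
createUser($pdo, 'alice', 'alice@example.org', 'correct horse battery staple');
var_dump(checkLogin($pdo, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($pdo, 'alice', 'wrong password'));
var_dump(validUsername('al ice'), validEmail('bob@@example'));

try {
    createUser($pdo, 'bob', 'bob@@example', 'pw');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Rejecting invalid input instead of cleaning it keeps the stored value identical to what the user typed, which matters for a login name: with the post's stripping regex, two different submissions can collapse into the same username. The prepared statements are what keep the database safe; the allow-list is a data-quality rule on top of that, not a replacement for it.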