PHP mysql_* commands and making them safe.
#1

Hello!

I'm building my own website (Demo: 2) and I want to know how to make

mysql_query( $sql_query ) safe

I'm working with these commands:


GetGet('q');

function GetGet($STRING) {
    // read a GET parameter through sql_inj(); empty string when it is absent
    if(!isset($_GET[$STRING])) {
        $return = "";
    } else {
        $return = sql_inj($_GET[$STRING]);
    }
    return $return;
}

GetPost('post:name');

function GetPost($STRING) {
    // same for POST parameters
    if(!isset($_POST[$STRING])) {
        $return = "";
    } else {
        $return = sql_inj($_POST[$STRING]);
    }
    return $return;
}

sql_inj( $string );

function sql_inj($sql) {
    error_reporting(E_ALL ^ E_NOTICE ^ E_DEPRECATED);
    // blacklist: strip SQL keywords and some metacharacters, case-insensitively
    // (the /i modifier replaces sql_regcase(), which was removed in PHP 7)
    $sql = preg_replace("/(from|<|>|'|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i", "", $sql);
    $sql = trim($sql);
    $sql = strip_tags($sql);
    $sql = addslashes($sql);
    $sql = htmlspecialchars($sql);
    return $sql;
}

and now tell me, if I execute this, whether it is safe:

mysql_query("UPDATE t_characters SET a_admin = ('".GetGet('adminlvl')."') WHERE a_nick = ('".GetGet('nick')."');");

THX

#2
Just learn to use PDO, then you don't need to worry about safe or not, and the code looks a lot nicer also.
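The UPDATE from post #1 rewritten with a PDO prepared statement, as an added example that is not code from this thread. The table and column names (t_characters, a_admin, a_nick) and the adminlvl/nick parameter names come from post #1; the DSN, credentials, admin-level range and nickname policy are assumptions.

```php
<?php
// Added example (not code from the thread): the UPDATE from post #1 with PDO
// prepared statements. DSN, credentials, level range and nick policy are assumed.
declare(strict_types=1);

function dbConnect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=gamedb;charset=utf8mb4'; // assumed DSN
    return new PDO($dsn, 'app_user', 'app_password', [           // assumed credentials
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // errors throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepare: values never spliced into SQL
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Validate by type and range instead of stripping characters; null means "reject".
function readAdminLevel(array $get): ?int
{
    if (!isset($get['adminlvl'])) {
        return null;
    }
    $lvl = filter_var($get['adminlvl'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 5]]); // assumed range 0..5
    return $lvl === false ? null : $lvl;
}

function readNick(array $get): ?string
{
    if (!isset($get['nick']) || !is_string($get['nick'])) {
        return null;
    }
    $nick = trim($get['nick']);
    // assumed nickname policy: 3-20 characters, letters, digits or underscore
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $nick) === 1 ? $nick : null;
}

function setAdminLevel(PDO $pdo, string $nick, int $level): int
{
    // Placeholders send the values separately from the SQL text, so whatever the
    // nick contains it is compared literally against a_nick and cannot change the statement.
    $stmt = $pdo->prepare('UPDATE t_characters SET a_admin = :lvl WHERE a_nick = :nick');
    $stmt->bindValue(':lvl', $level, PDO::PARAM_INT);
    $stmt->bindValue(':nick', $nick, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount(); // rows actually changed
}

// Request handling. Whether the caller may change admin levels at all is an
// authorization decision that input validation does not replace.
$level = readAdminLevel($_GET);
$nick  = readNick($_GET);
if ($level === null || $nick === null) {
    http_response_code(400);
    exit('invalid parameters');
}
$changed = setAdminLevel(dbConnect(), $nick, $level);
echo $changed === 1 ? "updated\n" : "no such character\n";
```

With ATTR_EMULATE_PREPARES off, the MySQL server receives the statement and the parameters in separate protocol messages, which is why the filtering in sql_inj() is no longer needed for the query; the validators above exist to enforce the application's own rules (integer range, nickname alphabet), not to protect the SQL.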

#3

2 <- your best option, and PDO is usually the best way to go
#4
2
#5

But I don't want to rewrite my script, because this script has over 100+ mysql_query commands :O and only uses these trim commands to be safe >.<

And I only want to know if this would be safe ^^

#6
PHP doesn't declare the complete mysql_ commands deprecated for no reason.

#7

Encrypt your passwords and remove all special chars from the username, and do the same for the email, but there you need to allow these chars "@._-".

function clean_str($str) // function to clean strings
{
    $str = @trim($str);
    // undo magic quotes on old PHP; the function no longer exists in PHP 8
    if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
    {
        $str = stripslashes($str);
    }
    // remove everything except letters and digits
    $str = preg_replace("/[^a-zA-Z0-9]/" , "" , $str);
    return $str;
} // End clean string

use this function for your usernames, and for emails change

$str = preg_replace("/[^a-zA-Z0-9]/" , "" , $str);

to

$str = preg_replace("/[^a-zA-Z0-9@._\-]/" , "" , $str);

Greets
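As an added example that is not part of post #7: the same allowed character sets post #7 describes for usernames and e-mails, applied as validation that rejects bad input instead of silently stripping it, together with one-way password storage via password_hash(). The t_users table, its columns and the length limits are assumptions.

```php
<?php
// Added example (not code from post #7): allow-list validation of username and
// e-mail, and storing passwords as salted hashes. Table/column names are assumed.
declare(strict_types=1);

// Reject rather than strip: stripping "al-ice" to "alice" would let one user's
// input resolve to another user's account.
function validUsername(string $name): bool
{
    return preg_match('/^[A-Za-z0-9]{3,32}$/', $name) === 1;  // assumed 3..32 length
}

// Allowed set is letters, digits and "@._-" as in post #7; filter_var also checks
// that the string has the overall shape of an address.
function validEmail(string $email): bool
{
    return preg_match('/^[A-Za-z0-9@._\-]{6,254}$/', $email) === 1
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// password_hash() (PHP >= 5.5) returns a salted bcrypt/argon hash; the password
// itself is never stored, so a leaked table does not reveal it.
function registerUser(PDO $pdo, string $name, string $email, string $password): bool
{
    if (!validUsername($name) || !validEmail($email) || strlen($password) < 8) {
        return false;
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO t_users (u_name, u_email, u_pwhash) VALUES (:n, :e, :h)'); // assumed table
    $stmt->execute([':n' => $name, ':e' => $email, ':h' => $hash]);
    return true;
}

function login(PDO $pdo, string $name, string $password): bool
{
    if (!validUsername($name)) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT u_pwhash FROM t_users WHERE u_name = :n');
    $stmt->execute([':n' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() runs even for an unknown user? No: we return early, but the
    // failure message to the client should be the same in both cases.
    if ($row === false || !password_verify($password, $row['u_pwhash'])) {
        return false;
    }
    // Upgrade old hashes transparently when the default algorithm/cost changes.
    if (password_needs_rehash($row['u_pwhash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE t_users SET u_pwhash = :h WHERE u_name = :n');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':n' => $name]);
    }
    return true;
}

// Usage (assumed DSN/credentials; $_POST field names are assumptions):
$pdo = new PDO('mysql:host=127.0.0.1;dbname=gamedb;charset=utf8mb4', 'app_user', 'app_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$ok = registerUser($pdo, (string)($_POST['name'] ?? ''), (string)($_POST['email'] ?? ''),
    (string)($_POST['password'] ?? ''));
echo $ok ? "registered\n" : "invalid registration data\n";
```

Because the values reach MySQL through bound parameters, the validators only have to express the site's own rules for what a username or address may look like; they are not what keeps the query intact.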


