|
Posted by Curtis on 02/12/07 07:09
JM Ivler wrote:
> Is there really any time when I don't want to run every _POST and _GET
> through mysql_real_escape_string() before I use that data in accessing
> the database?
>
> In other words, is there a good reason why I shouldn't have a function
> that walks through the POST[] and GET[] arrays and processes the
> mysql_real_escape_string() function against the data in order to ensure
> that there will be no attempts to do an SQL inject?
>
> My thinking is that this function could be run at the top of my page
> init and in doing so it will ensure that there can be no sql injection.
> Am I missing something "very bad" that this could do instead?
>
>
> function cleanall()
> {
> foreach($_POST as $key => $val)
> {
> $_POST[$key] = stripslashes(strip_tags(htmlspecialchars($val,
> ENT_QUOTES)));
> $$key = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
> }
> foreach($_GET as $key => $val)
> {
> $_GET[$key] = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
> $$key = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
> }
> }
Integers should be validated with either an (int) cast or the intval()
function.
[Back to original message]
|