[PHP] Protection Against XSS / SQL INJECTIONS

Status
Not open for further replies.

xenogfx

New Member
Oct 24, 2011
24
12
Want to protect your site from XSS and SQL injections? Pass all your $_GET / $_POST vars through this function and you'll remain secure for the rest of your meaningful online life.

PHP:
<?php
 
/**
* @Author Deformed aka XenoGFX
* @Copyright 2012
* @Description Simple XSS / SQL injection protection
*/
 
function mClean($str)
{
    return mysql_real_escape_string(htmlentities($str));
}
 
// Usage
$username = mClean($_POST['username']);
$id = mClean($_GET['id']);
 
?>
 

RastaLulz

fight teh power
Staff member
May 3, 2010
3,926
3,921
To be honest, I'd rather just use MySQLi's bind_param() function to prevent SQL injections, and use htmlentities() when outputting something that may contain HTML. I think that it's vital that you keep the data stored in the database pure, instead of altering its original form.

But yes, this is good for newbies who don't quite understand MySQLi yet, I guess.
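
The two posts above disagree on where the escaping should happen: the first post's mClean() cleans values on the way in, while the reply binds parameters and escapes at output. The script below is an added example written for this edit, not code from the thread or any of its posters. It assumes PHP with PDO's SQLite driver (used only so it runs without a MySQL server; the MySQLi bind_param() form the reply names is included in findUserMysqli() but not executed), creates its own users table, and the function names insertUser, findUser, findUserMysqli and renderName are made up for the demo.

```php
<?php
// Added example, not code from the thread: the "store it pure, escape on
// output" approach RastaLulz describes, next to the store-it-cleaned approach
// of the original mClean() function, so the difference shows up in the data.
//
// The thread names MySQLi's bind_param(); the demo uses PDO with an in-memory
// SQLite database only so it runs offline without a MySQL server. The MySQLi
// form is in findUserMysqli() below (assumes an open connection, not executed).
declare(strict_types=1);

// Store a value with a parameterised query. The driver sends the value apart
// from the SQL text, so it is never parsed as SQL and needs no escaping.
function insertUser(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// Look a user up by exact name; returns null when nothing matches.
function findUser(PDO $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $found = $stmt->fetchColumn();
    return $found === false ? null : $found;
}

// The same lookup with MySQLi's bind_param(), as discussed in the thread.
function findUserMysqli(mysqli $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);   // 's': bind the value as a string
    $stmt->execute();
    $stmt->bind_result($found);
    $hit = $stmt->fetch();
    $stmt->close();
    return $hit ? $found : null;
}

// Escape once, at output time, for the context the value lands in (HTML here).
function renderName(string $name): string
{
    return '<b>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</b>';
}

// --- Demo with constructed input ---------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$raw = "O'Reilly & Sons <script>";   // constructed sample form input

// mClean()-style: entity-encode on input, then store. (The SQL-escaping half of
// mClean() needs a live MySQL connection and is exactly what a bound parameter
// makes unnecessary, so only the htmlentities() half is reproduced here.)
insertUser($db, htmlentities($raw, ENT_QUOTES, 'UTF-8'));
// RastaLulz's way: store the raw value through a bound parameter.
insertUser($db, $raw);

foreach ($db->query('SELECT id, name FROM users ORDER BY id') as $row) {
    echo "row {$row['id']} stored as: {$row['name']}\n";
}
// row 1 stored as: O&#039;Reilly &amp; Sons &lt;script&gt;   (altered)
// row 2 stored as: O'Reilly & Sons <script>                   (pure)

// Consequences of the altered copy: a lookup by the real name only finds the
// pure row, and escaping at output double-encodes the altered one (the page
// then shows a literal "&amp;").
var_dump(findUser($db, $raw));                      // the pure row's name
echo renderName($raw), "\n";                        // <b>O&#039;Reilly &amp; Sons &lt;script&gt;</b>
echo renderName('O&#039;Reilly &amp; Sons'), "\n";  // <b>O&amp;#039;Reilly &amp;amp; Sons</b>

// The injection case: a quote-laden value is just a name that is not in the
// table, because the bound parameter is never spliced into the SQL text.
var_dump(findUser($db, "' OR '1'='1"));             // NULL
```

The point of the two insertUser() calls is the stored value: with the bound parameter the database holds what the user typed, and one htmlspecialchars() at render time is enough; with entity-encoding on input, every later consumer (search, CSV export, an API, a second template) has to know the data was pre-mangled, and the reply's "keep the data pure" advice is about avoiding that.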
 

xenogfx

New Member
Oct 24, 2011
24
12
I don't really like MySQLi for the fact that I have to prepare each statement and execute it... It makes things more complex than it needs to be.

But yeah, it's up to the person :)
 

ECode

New Member
Nov 20, 2011
14
2
Never realised how you can simply write a function and then you don't need to type mysql_real_escape_string all the time again D:!
Thanks much!
 

Markshall

Русский Стандарт
Contributor
Dec 18, 2010
2,637
2,389
I'm not sure whether this would work, but what about a global file containing something like this:

PHP:
<?php
foreach ( $_POST as $k=>$v )
{
    $_POST[$k] = mysql_real_escape_string( htmlentities( $_POST[$k] ) );
}
 
foreach ( $_GET as $k=>$v )
{
    $_GET[$k] = mysql_real_escape_string( htmlentities( $_GET[$k] ) );
}
?>
 

brsy

nah mang
May 12, 2011
1,530
272
Here's my quick MySQLi Version...
PHP:
<?php
// A function has its own scope, so the open MySQLi connection is passed in
// rather than read from a global; "public" only applies inside a class.
function tClean(mysqli $mysqli, $str) {
    return $mysqli->real_escape_string(htmlentities($str));
}
?>
 

RastaLulz

fight teh power
Staff member
May 3, 2010
3,926
3,921
Here's my quick MySQLi Version...
PHP:
<?php public function tClean($str) {
            return $mysqli->real_escape_string(htmlentities($str));
}
?>
That is really stupid. MySQLi has a bind_param function built in that prevents SQL injections. All you are doing is distorting your data for no reason.
 

brsy

nah mang
May 12, 2011
1,530
272
I just did a simple MySQLi version... I wanted to just convert it to MySQLi so the people who want to learn MySQLi can learn.
I didn't code it to be efficient, just coded it so people can learn.
 