[PHP] Protection Against XSS / SQL INJECTIONS

Status
Not open for further replies.

xenogfx

New Member
Oct 24, 2011
24
12
Want to protect your site from xss and sql injections? pass all your $_GET / $_POST vars through this function and you'll remain secure for the rest of your meaning full online life.

PHP:
<?php
 
/**
* @Author Deformed aka XenoGFX
* @Copyright 2012
* @Description Simple XSS / SQL injection protection
*/
 
function mClean($str)
{
    return mysql_real_escape_string(htmlentities($str));
}
 
// Usage
$username = mClean($_POST['username']);
$id = mClean($_GET['id']);
 
?>
 

RastaLulz

fight teh power
Staff member
May 3, 2010
3,934
3,932
To be honest, I'd rather just use MySQLi's bind_param() function to prevent SQL injections, and use htmlentities() when outputting something that may contain HTML. I think that it's vital that you keep the data stored in the database pure, instead of alerting it's original form.

But yes, this is good for newbies who don't quite understand MySQLi yet, I guess.
 

xenogfx

New Member
Oct 24, 2011
24
12
I dont really like mysqli for the fact that i have to prepare each statement and execute it.. makes things more complex then it needs to be.

but yeah its up to the person :)
 

ECode

New Member
Nov 20, 2011
14
2
Never have realised how you can simple do a function and then you don't need to type mysql_real_escape_string all the time again D:!
Thanks, much!
 

Markshall

Русский Стандарт
Contributor
Dec 18, 2010
2,638
2,393
I'm not sure whether this would work, but what about a global file containing something like this:

PHP:
<?php
foreach ( $_POST as $k=>$v )
{
    $_POST[$k] = mysql_real_escape_string( htmlentities( $_POST[$k] ) );
}
 
foreach ( $_GET as $k=>$v )
{
    $_GET[$k] = mysql_real_escape_string( htmlentities( $_GET[$k] ) );
}
?>
 

brsy

nah mang
May 12, 2011
1,530
272
Here's my quick MySQLi Version...
PHP:
<?php public function tClean($str) {
             return $mysqli->real_escape_string(htmlentities($str));
}
?>
 

RastaLulz

fight teh power
Staff member
May 3, 2010
3,934
3,932
Here's my quick MySQLi Version...
PHP:
<?php public function tClean($str) {
            return $mysqli->real_escape_string(htmlentities($str));
}
?>
That is really stupid. MySQLi has a bind_param function built in that prevents SQL injections. All you are doing is distorting your data for no reason.
 

brsy

nah mang
May 12, 2011
1,530
272
I just did a simply MySQLi version... I wanted to just convert it to MySQLi so the people who want to learn MySQLi can learn.
I didn't code it to be efficient, just coded it so people can learn.
 
Status
Not open for further replies.

Users who are viewing this thread

Top