PHP/MySQL injection

Hi all,

I'm a newbie in PHP and MySQL. I'm wondering if there is a standard
combination of functions you should use on variables posted by a form
before you add them to a database. Something like:

$var = trim(addslashes($_POST['test']));


Re: PHP/MySQL injection


Usually it goes like:

1-) Retrieve values from the $_POST array..

$clean = array();

// we are expecting foo to be an integer..
// (only copy it into $clean when it survives the integer cast unchanged)
if (isset($_POST['foo']) && $_POST['foo'] == (int) $_POST['foo'])
  $clean['foo'] = $_POST['foo'];

2-) Build your query...
// only values from $clean reach the query, and they are still escaped
$sql .= "foo='" . mysql_real_escape_string($clean['foo']) . "'";

More info at
You might want to consider a class to generate the SQL...
You might want to consider a DBMS that supports prepared statements...

Kind regards,
Tim Van Wassenhove <

Re: PHP/MySQL injection

That's a very good question and also a suggestion, Willem. Even I
do sometimes look for that kind of function in my development. However,
I do believe there's a reason why a built-in function like that doesn't
exist. It's just to prevent a lockout to a certain function,
considering not all requirements support that solution. "Or
you'll end up looking for a function that does this but does not do
that." However, creating a standard function for that based upon the
foundation of YOUR requirement will help your project and projects to

Here's a list of things to include in your function:

     checking the existence of the variable
     checking the variable type, e.g. is it numeric, a boolean value or
a string?
     checking the length
     specifying the response URL if the condition above was not
     then return the value of the requested parameter.

Well, it's up to you what you're going to include in your function.
Take some time to code it; you'll see the benefit (and the
problems!) soon when you use it.


Re: PHP/MySQL injection


This is what I use:

Feel free to use it. It also handles (hopefully) cross-site scripting (aka
someone taps some JavaScript into the field for the next sucker to run).

Available for Hire!

Re: PHP/MySQL injection

Scott Auge wrote:


So, if I want to do something starting from scratch, I strip out HTML tags,
semicolons and quotes, and I am killing off a fair amount of vandalism. This
would involve checking both form fields and stuff from the end of URLs (I
can never remember the correct term for variables passed there).

Not crucial, as my application is only used by myself and is not publicly
accessible, but it would be nice to have a bit of a go.

Suppose I were expecting alphanumeric stuff (including hyphens); a regular
expression on [ 0-9a-zA-Z-]* would not be a bad place to start.



Re: PHP/MySQL injection

Willem-Jan wrote:




Re: PHP/MySQL injection

On Tue, 26 Jul 2005 09:22:31 +0100, Colin McKinnon


 Yep, or use a library that emulates placeholders, despite MySQL (production
versions, anyway) not supporting them natively - ADOdb is my favourite. The
correct escaping is then done consistently by the library, saving you from
introducing a problem by the one time you forget to use mysql_escape_string().
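Putting Tim's two steps (whitelist into $clean, then query) and the placeholder advice from this last reply together, as an added example that is not code from anyone in this thread: validation keeps only values of the expected shape, and a prepared statement keeps whatever does get through out of the SQL text. It assumes PHP with PDO and the SQLite driver; the items table, its rows and the two form submissions are constructed sample data.

```php
<?php
// Added example, not from the thread: whitelist validation followed by a
// prepared statement. Runs offline against an in-memory SQLite database.

function cleanInput(array $post): array
{
    $clean = [];
    // 'id' must be a plain decimal integer: no sign, spaces or quotes.
    if (isset($post['id']) && is_string($post['id']) && ctype_digit($post['id'])) {
        $clean['id'] = (int) $post['id'];
    }
    // 'tag' must be 1-32 chars of [0-9a-zA-Z-], close to the pattern Willem-Jan suggested.
    if (isset($post['tag']) && is_string($post['tag'])
        && preg_match('/\A[0-9a-zA-Z-]{1,32}\z/', $post['tag'])) {
        $clean['tag'] = $post['tag'];
    }
    return $clean;
}

function findByTag(PDO $db, string $tag): array
{
    // The value travels as a bound parameter, never as part of the SQL string,
    // so quoting it correctly is the driver's job, not ours.
    $stmt = $db->prepare('SELECT id, tag FROM items WHERE tag = :tag');
    $stmt->execute([':tag' => $tag]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, tag TEXT NOT NULL)');
$db->exec("INSERT INTO items (tag) VALUES ('alpha'), ('beta-2'), ('gamma')");

// Constructed form submissions: one well-formed, one carrying SQL metacharacters.
$good = ['id' => '42', 'tag' => 'beta-2'];
$bad  = ['id' => '42 OR 1=1', 'tag' => "' OR '1'='1"];

var_dump(cleanInput($good));  // both keys survive the whitelist
var_dump(cleanInput($bad));   // empty array: neither value matched its expected shape

// Even for a value the whitelist would not cover (a free-text field, say),
// the placeholder treats the string as data: it matches no row.
printf("rows for hostile tag: %d\n", count(findByTag($db, $bad['tag'])));  // 0
printf("rows for valid tag:   %d\n", count(findByTag($db, 'beta-2')));     // 1
```

The same two-layer approach applies to MySQL with PDO's mysql driver or mysqli's bind_param; mysql_real_escape_string() only covers the quoting step, which is why an unquoted numeric column still needs the type check.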
