I created two simple functions to filter inserted data before it's entered into a MySQL query.
For form fields (I am also using regular expressions to check each field individually):
// Form filter
function filter($var)
{
    // HTML is not allowed
    $var = strip_tags(trim($var));
    // Check magic quotes and stripslashes
    if(get_magic_quotes_gpc())
    {
        $var = stripslashes($var);
    }
    // Not using it right now, is it recommended?
    // $var = htmlentities($var, ENT_QUOTES);
    // Escape
    $var = mysql_real_escape_string($var);
    // Return
    return $var;
}
Then for IDs (sent in the URL) I am using this filter:
// ID filter
function idfilter($idfilter)
{
    // Delete everything except numbers
    $idfilter = ereg_replace("[^0-9]", "", $idfilter);
    // Round numbers
    $idfilter = round($idfilter);
    // Test if the input is indeed a number
    if(!is_numeric($idfilter) || $idfilter % 1 != 0)
    {
        $idfilter = 0;
    }
    // Filter using the formfilter (above)
    return filter($idfilter);
}
Are there suggestions to add or strip from these simple functions? And is it "safe"?
You're using deprecated functions such as magic_quotes and ereg_*. To prevent SQL injection you should use prepared statements (I suggest using PDO), and to prevent XSS you should use strip_tags() as you're doing.
Use parameters in your queries instead of concatenating strings.
Filters and cleaners are usually not safe enough.
If you are using integer IDs, idfilter() can be safely stripped down to
function idfilter($idfilter) {
    return (int)$idfilter;
}
As others have suggested, using parametrized queries is the right way to go though.
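The prepared-statement approach the answers recommend, as an added example that is not part of the question or any answer. It assumes a MySQL table `users` (columns `id INT`, `name VARCHAR`) and the DSN and credentials given in the constants; the id goes through `(int)` as in the last answer and is bound as an integer, the form field is bound as a string, and HTML is escaped at output time where the context is known.

```php
<?php
// Added example, not code from the question or the answers.
// Assumed connection details; replace with your own.
const DB_DSN  = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
const DB_USER = 'app';
const DB_PASS = 'secret';

function connect(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Let the server bind the parameters instead of the driver splicing
        // escaped strings into the SQL text client-side.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Replaces idfilter(): the URL value is cast to int and bound as an integer,
// so no escaping step is needed and nothing from the URL reaches the SQL text.
function findUserById(PDO $pdo, $rawId): ?array
{
    $id = (int)$rawId;
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Replaces filter() for the INSERT: the field is bound, never concatenated,
// and is stored as typed rather than pre-escaped for a particular query.
function insertUser(PDO $pdo, string $rawName): int
{
    $name = trim($rawName);
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return (int)$pdo->lastInsertId();
}

// XSS is handled when rendering, where the HTML context is known; this
// complements the field-level regex validation the question already does.
function renderName(array $user): string
{
    return '<p>' . htmlspecialchars($user['name'], ENT_QUOTES, 'UTF-8') . '</p>';
}
```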
Source: https://stackoverflow.com/questions/8413412/is-this-a-safe-way-to-filter-data-and-prevent-sql-injection-and-other-attacks