
I wanted to protect my website from SQL injections and other possible risks, so I changed all my SQL queries by adding, for each variable, something like this:

 $getLid = htmlspecialchars($_GET['lid'], ENT_QUOTES);

For my 50 files... But I have just seen that it might be my mistake: I should have added mysql_real_escape_string for any "input"...

Is it still better to use mysql_real_escape_string in this case, or does ENT_QUOTES work as well? Do I have to start again and add mysql_real_escape_string instead of my htmlspecialchars(..., ENT_QUOTES)?

Edit:

Do you mean something like that?

$getLid = escape_string($_GET['lid']);

function escape_string($str){
    // mysql_real_escape_string() needs an open mysql_connect() link;
    // without one it emits "A link to the server could not be established"
    return mysql_real_escape_string($str);
}

Edit n°2: the return statement does not work properly; would you know why?

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in … www/escape_file.php

Access denied for user in … www/escape_file.php

Thanks

Paul
  • Your first mistake is to use `ext/mysql`. Read "How do I make my database queries secure from SQL injection?" on http://stackoverflow.com/tags/php/info. – alexn Jul 31 '12 at 18:59
  • @alexn: thanks, any other ideas about my question? – Paul Jul 31 '12 at 19:27

1 Answer

There are a lot of references on securing user input. You can Google it, but I think you should write a class or a function in another PHP file like "escape.php" and then include that file in all of your 50 files. Then use that for escaping. Example:

include 'escape.php';
$str = escape_string($str);

So you can change your escaping function easily, just by changing a single file. I hope it will help you.

Siamak Motlagh
  • Thanks, do you mean something like in my edit? (my post above) – Paul Jul 31 '12 at 20:01
  • Yeah, but you should write this code in another file and include it. Then you can change all of your files by changing just a single file. – Siamak Motlagh Jul 31 '12 at 20:06
  • Argh... thanks, ok. ENT_QUOTES cannot somehow replace escape_string? If I have no choice, I'll replace all my files... – Paul Jul 31 '12 at 20:51
  • They are used for completely different things. htmlspecialchars() converts special HTML characters into entities so that they can be output without problems (or a risk of XSS), while mysql_real_escape_string() escapes sensitive SQL characters so interpolated queries can be performed without the risk of SQL injection. [Htmlspecialchars Or Mysql_real_escape_string](http://w3schools.invisionzone.com/index.php?showtopic=30091) – Siamak Motlagh Jul 31 '12 at 21:03
  • Hi Siamak.A.M, sorry, but there is a problem with the return statement; it does not work properly, as in my edit above. Would you have any idea about this? Thanks – Paul Aug 02 '12 at 03:23
  • Note that mysql must be a valid, open connection. This is needed because the escaping depends on the character set in use by the server. Look at these links: [mysql_real_escape_string](http://dev.mysql.com/doc/refman/5.1/en/mysql-real-escape-string.html) - [A MySQL connection is required before using mysql_real_escape_string](http://stackoverflow.com/questions/812779/mysql-real-escape-string-completely-removes-string) – Siamak Motlagh Aug 02 '12 at 08:36
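The following is an added example, not code from the question or the answer above. It puts the answer's single "escape.php" helper and the two comment threads (htmlspecialchars versus SQL escaping; the helper needing an open connection) into one runnable file. It assumes mysqli rather than the `ext/mysql` functions the question uses (ext/mysql was removed in PHP 7, and the first comment already advises against it); the host, credentials, database, table and column names are placeholders; `addslashes()` is used only as an offline stand-in so the comparison runs without a server.

```php
<?php
// escape.php -- added example, not the original post's code. Assumes mysqli;
// connection details, table and column names below are placeholders.

declare(strict_types=1);

// Why htmlspecialchars(..., ENT_QUOTES) is the wrong tool for SQL: it rewrites
// quotes into HTML entities (so the stored data is corrupted) and leaves the
// backslash, which MySQL also treats as an escape character, untouched.
function compare_escaping(string $input): array {
    return [
        'raw'  => $input,
        'html' => htmlspecialchars($input, ENT_QUOTES),
        // addslashes() is only a stand-in so this runs without a server; real
        // SQL escaping must use the live link (real_escape_string), because
        // the correct escaping depends on the connection's character set.
        'sql'  => addslashes($input),
    ];
}

// The shape the answer recommends: one helper, included by every file, so the
// escaping strategy lives in a single place. The link has to be open first;
// a missing link is what produced the "A link to the server could not be
// established" warning in Edit n°2, so we fail loudly instead of silently.
function escape_string(mysqli $link, string $str): string {
    if ($link->connect_errno !== 0) {
        throw new RuntimeException('escape_string() needs an open MySQL connection');
    }
    return $link->real_escape_string($str);
}

// Preferred over escaping: a prepared statement with a typed parameter, so the
// value from $_GET['lid'] is never spliced into the SQL text at all.
function fetch_by_lid(mysqli $link, int $lid): array {
    // 'links', 'id' and 'title' are assumed names for this example.
    $stmt = $link->prepare('SELECT id, title FROM links WHERE id = ?');
    $stmt->bind_param('i', $lid);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Offline demonstration (no database needed). Constructed sample inputs:
// a name with an apostrophe, a path with a backslash, and some HTML.
foreach (["O'Brien", 'C:\\temp\\file', '<b>bold</b>'] as $sample) {
    print_r(compare_escaping($sample));
}

// With a server, a page file would do (placeholders, not real credentials):
// require 'escape.php';
// $link = new mysqli('db.example', 'app_user', 'placeholder', 'site');
// $safe = escape_string($link, $_GET['lid'] ?? '');          // escaping path
// $rows = fetch_by_lid($link, (int) ($_GET['lid'] ?? 0));    // prepared path
```

Running the file shows the point of the third comment: for the apostrophe input the `html` column contains an HTML entity instead of the quote, so the value you would store in the database is no longer the user's name, while the backslash input passes through `htmlspecialchars()` unchanged even though SQL needs it escaped. The `sql` column shows what escaping does differently. For the real application, the `fetch_by_lid()` path is the one to standardise on across the 50 files: once every query is a prepared statement, `escape_string()` is no longer needed, and `htmlspecialchars()` goes back to its actual job, which is encoding values at output time.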