Injection Prevention – looping mysql_real_escape_string()

Most of the sites I build use MySQL and PHP. Most of them are interactive and need input from users, which opens up a big security hole: hackers can use a simple ploy called SQL injection to insert some nasty code. The blog post MySQL Tutorial – SQL Injection covers the mysql_real_escape_string() PHP function, which helps reduce the risk.

Building on top of this a nice foreach loop will help with the process:
[cc lang="PHP"]
// Escape every POSTed value in place; requires an open mysql_connect() link
foreach ($_POST as $key => $value) {
    $_POST[$key] = mysql_real_escape_string($value);
}
[/cc]
or
[cc lang="PHP"]
// Same treatment for query-string parameters
foreach ($_GET as $key => $value) {
    $_GET[$key] = mysql_real_escape_string($value);
}
[/cc]
The above two snippets cycle through the sent data and escape each value before it reaches a query.

While this doesn’t 100% protect your site it sure helps.
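As an added example (not code from the original post), here is the same idea written for the mysqli extension, since ext/mysql and mysql_real_escape_string() were removed in PHP 7. It also covers two gaps the flat loop above leaves open: nested arrays such as checkbox groups named tags[], which the flat loop would hand to the escape function as an array and lose, and values used in an unquoted numeric context, where escaping cannot help. The host, credentials, database name and column names are placeholders.

```php
<?php
// Added example, not part of the original post. Connection details are placeholders.

/**
 * Escape every string in a request array, descending into nested arrays
 * (e.g. checkbox groups named tags[]). Escaping is charset-aware, so the
 * connection charset must be set before this is called.
 */
function escape_request(mysqli $link, array $data): array
{
    $out = [];
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $out[$key] = escape_request($link, $value);   // recurse instead of dropping it
        } else {
            $out[$key] = mysqli_real_escape_string($link, (string) $value);
        }
    }
    return $out;
}

$link = mysqli_connect('db.example', 'user', 'password', 'shop'); // placeholder credentials
if ($link === false) {
    die('connect failed: ' . mysqli_connect_error());
}
mysqli_set_charset($link, 'utf8mb4');

$safe = escape_request($link, $_POST);

// Escaping only protects a value that sits inside quotes in the SQL text.
$username = $safe['username'] ?? '';
$sql = "SELECT id FROM users WHERE username = '$username'";

// In an unquoted numeric context there is nothing for the escape function to
// escape: SQL text can follow a bare number without any quote character.
// Cast to the expected type instead of relying on escaping.
$orderId = (int) ($_POST['id'] ?? 0);
$sql = "SELECT * FROM orders WHERE id = $orderId";

// Prepared statements keep data and SQL text apart and need no escaping at all.
$rawUsername = $_POST['username'] ?? '';
$stmt = mysqli_prepare($link, 'SELECT id FROM users WHERE username = ?');
mysqli_stmt_bind_param($stmt, 's', $rawUsername);
mysqli_stmt_execute($stmt);
```

The escape loop is still only a string-context defence; the integer cast and the prepared statement are what close the remaining gap the post refers to with "doesn't 100% protect".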
