[PHP/MySQL] MySQL Exploit Prevention

Hi, I'm currently working on a new system for my website which will use a MySQL database. Usually I don't like using MySQL because I don't know how to secure it properly. So far by reading some stuff on the PHP website I have managed to slap together two functions called MakeSafe and MakeReadable. MakeSafe is run on all $_GET and $_POST data before entering it into the database, and MakeReadable is run on all data returned from the database before outputting it to the screen.

Basically what I'd like to know is whether or not this is secure against SQL exploits.

Code:

---

function MakeSafe($string, $dbcon)
{
        // Get rid of HTML
        $string = htmlentities($string);
       
        // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.
        if(get_magic_quotes_gpc()) {
            if(ini_get('magic_quotes_sybase')) {
                $string = str_replace("''", "'", $string);
            } else {
                $string = stripslashes($string);
            }
        }

        // Make a safe string
        $string = mysql_real_escape_string($string, $dbcon);
               
        return $string;
}

---

Code:

---

function MakeReadable($string)
{
        $string = stripslashes($string);
               
        // Fix anything that htmlentities broke
        $str = array("£");
        $rep = array("£");
        $string = str_replace($str, $rep, $string);
               
        return $string;
}

---

Thanks.

Actually, all you need is mysql_real_escape_string() and something to remove wildcard characters (% and _) if so desired (not necessary if e.g. you want to allow for a search form or similar)

No, actually you -do- need htmlentities if you are going to place something on a website, and you do -not- need to replace wildcard characters if you use simple string compares in your queries.

So yes, above mentioned functions are save. Note that makesave requires a database instance and that its duplicating it, which in itself is a crappy way to code.

All in all seems like a PHP noob who only vaguely knew what he was doing wrote that.

What I generally use:

PHP Code:

---


  /****
    checkvar(& mixed variable) converts a variable into something save to put into your database.
  ****/
function checkVar(&$variable) {
  $dbase    = new topDbase;
  $variable = mysql_real_escape_string($variable, $dbase -> instance);
}

  /****
    posthandler checks an array and places each value checked trough checkvar into its
    own variable. Perfect for quickly getting all POST variables without having to 
    bother with checkVar($_POST['variable']).
  ****/
function postHandler($post = false) {
  $post = $post ? $post : $_POST;
  array_walk($post, 'checkVar');
  return $post; 
} 


---

Of course this requires a database class where the instance is set as a singleton particle, as for instance the one I wrote a while ago.

Well thanks for filling me in on this ^_^
I've been looking for what all I need to do to make my site secure. This might fix my sql server from crashing hehe

I've been using the escape string but I didn't know it didn't filter out wildcards thanks bunches hehe

Afaik it DOES filter out wildcards...

My little script for these kind of things.

PHP Code:

---


// Filtering func. -> makes sure that the use does not over-stack.
function xw_sanitycheck($str){
    if(strpos(str_replace("''",""," $str"),"'") != false)
        return str_replace("'", "''", $str);
    else
        return $str;
}

function secure($str){
    if (is_array($str)) {
        foreach($str AS $id => $value) {
            $str[$id] = secure($value);
        }
    }
    else
        $str = xw_sanitycheck($str);

    return $str;
}

// Get Filter
$xweb_AI    = array_keys($_GET);
$i=0;
while($i<count($xweb_AI)) {
    $_GET[$xweb_AI[$i]]=secure($_GET[$xweb_AI[$i]]);
    $i++;
}
unset($xweb_AI);

// Request Filter
$xweb_AI    = array_keys($_REQUEST);
$i=0;
while($i<count($xweb_AI)) {
    $_REQUEST[$xweb_AI[$i]]=secure($_REQUEST[$xweb_AI[$i]]);
    $i++;
}
unset($xweb_AI);

// Post Filter
$xweb_AI    = array_keys($_POST);
$i=0;
while($i<count($xweb_AI)) {
    $_POST[$xweb_AI[$i]]=secure($_POST[$xweb_AI[$i]]);
    $i++;
}

// Cookie Filter 
$xweb_AI    = array_keys($_COOKIE);
$i=0;
while($i<count($xweb_AI)) {
    $_COOKIE[$xweb_AI[$i]]=secure($_COOKIE[$xweb_AI[$i]]);
    $i++;
}

// Session Filter 
$xweb_AI    = array_keys($_SESSION);
$i=0;
while($i<count($xweb_AI)) {
    $_COOKIE[$xweb_AI[$i]]=secure($_SESSION[$xweb_AI[$i]]);
    $i++;
}
// End 


---

Inefficient and not secure themad.