views:

86

answers:

5

Hi,

How do I apply mysql_real_escape_string to all $_GET contents?

Thanks

A: 

Something like this:

// Overwrite every top-level $_GET value with its escaped form
foreach ($_GET as $key => $val)
{
   $_GET[$key] = mysql_real_escape_string($val);
}

But I agree with Pekka, that's not a good idea.

Denis
Actually w35l3y posted a better way to do it. Thanks, I didn't know that function exists!
Denis
What about arrays?
Rook
+3  A: 
<?php
// array_walk only modifies the array in place when the callback takes the
// element by reference (and it would pass the key as the second argument,
// which mysql_real_escape_string would take for a link identifier), so the
// call has to be wrapped:
array_walk($_GET, function (&$value) {
    $value = mysql_real_escape_string($value);
});
?>

You may, for example, use the same technique to trim() its content.

See array_walk for more details.

w35l3y
This doesn't work for arrays in `$_GET`.
strager
@Russell Dias, Not according to the [PHP documentation](http://php.net/array_walk)
strager
Oops. That's odd, I must have been looking up another function when I made that comment. My apologies.
Russell Dias
What about arrays? What about magic_quotes?
Rook
+2  A: 

The $_GET superglobal is an array so you can iterate over it like any other, but for security purposes, you really shouldn't. Each parameter of the array should likely be filtered/sanitized/escaped in a different way with a different context.

For example, if you were processing a blog post, you'd likely have a title, body, publish on date, and author:

  • The title probably shouldn't have any html tags.
  • The body may allow some tags, but a very limited set.
  • The date is likely an integer (timestamp) or a specific date format or a series of numbers from dropdowns.
  • The author may be a string (username) or preferably an author_id. If it's an id, it should be an int and doesn't need escaping.

If you filter them all the same, you're missing the context and purpose of each of those.

CaseySoftware
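As an added illustration of the per-field approach in the answer above (this is not CaseySoftware's code), the following validates the four blog-post fields separately. The parameter names `title`, `body`, `published_at` and `author_id`, the 200-character title limit and the tag whitelist are assumptions for the example; the sample input is constructed.

```php
<?php
// Added example: validate each field according to its own context instead of
// escaping $_GET wholesale. Field names and limits are assumed for illustration.

function validate_blog_post(array $get)
{
    $errors = array();
    $clean  = array();

    // Title: plain text only, no HTML, bounded length.
    $title = (isset($get['title']) && is_string($get['title'])) ? trim($get['title']) : '';
    if ($title === '' || strlen($title) > 200 || $title !== strip_tags($title)) {
        $errors['title'] = 'title must be 1-200 characters of plain text';
    } else {
        $clean['title'] = $title;
    }

    // Body: a small whitelist of tags is kept, everything else is removed.
    // strip_tags keeps attributes on allowed tags, so this is a minimal filter,
    // not a full HTML sanitiser.
    $body = (isset($get['body']) && is_string($get['body'])) ? $get['body'] : '';
    $clean['body'] = strip_tags($body, '<p><b><i><em><strong>');

    // Date: an integer timestamp, or a YYYY-MM-DD string naming a real date.
    $date = (isset($get['published_at']) && is_string($get['published_at'])) ? $get['published_at'] : '';
    if (filter_var($date, FILTER_VALIDATE_INT) !== false) {
        $clean['published_at'] = (int) $date;
    } elseif (preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $date, $m)
              && checkdate((int) $m[2], (int) $m[3], (int) $m[1])) {
        $clean['published_at'] = mktime(0, 0, 0, (int) $m[2], (int) $m[3], (int) $m[1]);
    } else {
        $errors['published_at'] = 'published_at must be a timestamp or YYYY-MM-DD';
    }

    // Author: a positive integer id; once validated it needs no escaping at all.
    $author   = (isset($get['author_id']) && is_string($get['author_id'])) ? $get['author_id'] : '';
    $authorId = filter_var($author, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    if ($authorId === false) {
        $errors['author_id'] = 'author_id must be a positive integer';
    } else {
        $clean['author_id'] = $authorId;
    }

    return array($clean, $errors);
}

// Constructed sample input standing in for $_GET.
$sample = array(
    'title'        => 'Hello <b>world</b>',
    'body'         => '<p>Some <b>bold</b> text</p><script>bad()</script>',
    'published_at' => '2010-05-16',
    'author_id'    => '42',
);

list($clean, $errors) = validate_blog_post($sample);
var_dump($clean, $errors);
// title is rejected (it contains tags), body keeps only <p> and <b>,
// published_at becomes a timestamp and author_id becomes int(42).
```

The point is that the rejection rules differ per field: a title with tags is an error, a body with tags is filtered, and the two numeric fields are converted to PHP integers so the question of escaping never arises for them.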
+6  A: 

You shouldn't do this.

Instead, use PDO and prepared queries to insert, manipulate and query your data, which gets around the need to escape things. This frees you from worrying about whether you've escaped things properly (or perhaps you forgot altogether somewhere, oops!)

Matthew Scharley
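An added example of the PDO approach recommended above (not the answerer's code): the blog-post insert and lookup with prepared statements, so no user-supplied value is ever concatenated into SQL. The DSN, credentials and the `posts` table layout are assumed for illustration.

```php
<?php
// Added example: PDO prepared statements instead of escaping. Connection
// details and the `posts` table (title, body, published_at, author_id) are assumed.

function connect()
{
    $pdo = new PDO('mysql:host=localhost;dbname=blog;charset=utf8', 'user', 'secret');
    // Throw on errors instead of failing silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepares rather than client-side emulation, so the
    // query text and the parameters are sent to MySQL separately.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

function insert_post(PDO $pdo, $title, $body, $publishedAt, $authorId)
{
    $stmt = $pdo->prepare(
        'INSERT INTO posts (title, body, published_at, author_id)
         VALUES (:title, :body, :published_at, :author_id)'
    );
    // Each value travels separately from the query text; quotes, backslashes
    // and SQL keywords inside $title or $body are just data.
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->bindValue(':published_at', (int) $publishedAt, PDO::PARAM_INT);
    $stmt->bindValue(':author_id', (int) $authorId, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function find_post(PDO $pdo, $id)
{
    // An unquoted numeric comparison is safe here: the id is bound as an
    // integer rather than pasted into the SQL string.
    $stmt = $pdo->prepare('SELECT id, title, body FROM posts WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed sample values; in a real handler these would come from the
// request after validation.
$pdo = connect();
$id  = insert_post($pdo, "O'Reilly's \"quoted\" title", '<p>body</p>', time(), 42);
print_r(find_post($pdo, $id));
```

With emulated prepares disabled, the driver never builds a single SQL string containing the user data, which is why no escaping step exists in this code path.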
A: 

It is better to use parameterized queries, but if an application has already been written it's expensive to go back and rewrite every query. This is a cost-effective patch and it will work in most cases, just make sure to test your code with Wapiti (open source) or Acunetix ($) or NTOSpider ($$$).

Keep in mind you can pass arrays via GET: ?var[1]=test.

// Recursively escape a scalar, or every element of a (possibly nested) array
function escape_deep($value)
{
    return is_array($value)
        ? array_map('escape_deep', $value)
        : mysql_real_escape_string($value);
}

// Recursively remove the slashes that magic_quotes_gpc added
function stripslashes_deep($value)
{
    return is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes($value);
}

if (!get_magic_quotes_gpc()) {
    $_GET = escape_deep($_GET);
} else {
    // magic_quotes already added slashes; strip them so the data is escaped exactly once
    $_GET = stripslashes_deep($_GET);
    $_GET = escape_deep($_GET);
}

If magic_quotes_gpc is on, then you don't want to add slashes twice. Also keep in mind that magic_quotes and this method of escaping don't stop everything. For instance this query is still vulnerable:

mysql_query("select name from users where id=".$_GET['id']);

exploit:

http://localhost/vuln.php?id=1 and sleep(500)

patch:

mysql_query("select name from users where id='$_GET[id]'");

Rook
Edited last line to make it syntactically correct. Either don't use quotes around string keys inside of string or use it outside.
Col. Shrapnel
@Col. Shrapnel oh thanks, I typed it up quickly.
Rook
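An added example for the unquoted-integer case in the answer above (this is not Rook's code): escaping cannot help there because the input contains no quote or backslash for mysql_real_escape_string to act on, so the minimal patch for a legacy mysql_* code base is to validate the parameter as an integer before it reaches the query. The table and column names come from the answer; `get_int_param` and the sample inputs are constructed for the example, and the connection setup is assumed.

```php
<?php
// Added example: validate numeric parameters instead of relying on escaping.
// get_int_param and the sample inputs are constructed; the table/column names
// follow the answer above.

// Returns the parameter as an int, or null when it is missing, an array,
// or not an integer in the allowed range.
function get_int_param(array $source, $name, $min = 1)
{
    if (!isset($source[$name]) || is_array($source[$name])) {
        return null;
    }
    $v = filter_var(
        $source[$name],
        FILTER_VALIDATE_INT,
        array('options' => array('min_range' => $min))
    );
    return $v === false ? null : $v;
}

// Hardened form of the answer's query: by the time the value is interpolated it
// is a PHP int, so no SQL text can ride along even though the id stays unquoted.
function safe_query_text($id)
{
    return "select name from users where id=" . (int) $id;
}

// Constructed inputs standing in for $_GET.
$good = array('id' => '7');
$bad  = array('id' => '1 and sleep(500)');   // the payload from the answer above

var_dump(get_int_param($good, 'id'));   // int(7)
var_dump(get_int_param($bad, 'id'));    // NULL: not an integer, so the request is rejected

// Request handling: reject anything that is not a valid id before querying.
$id = get_int_param($_GET, 'id');
if ($id === null) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid id');
}
$result = mysql_query(safe_query_text($id));   // assumes an open mysql_* connection
```

Quoting the value, as in the patched last line of the answer, makes the escaping effective again; validating the type is the more robust fix because it does not depend on every query author remembering the quotes, and it also rejects the array form of the parameter that the answer warns about.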