Backend Development

Protection of PHP sites - processing of incoming data

Submitted by 0-Day, Thread ID: 18949

Thread Closed

RE: Protection of PHP sites - processing of incoming data

This post was last modified: 25-03-2016, 12:01 AM by thumper
#12
mysql_real_escape_string is deprecated and as we're moving into PHP 7 it should now be avoided.

I used to use a function like this:

Code:
function sec($value)
{
  // Undo magic_quotes if enabled, trim, HTML-encode, then escape for MySQL
  // (the old mysql_* extension, escaping against the last-opened link).
  $value = get_magic_quotes_gpc() ? stripslashes($value) : $value;
  return mysql_real_escape_string(htmlentities(trim($value)));
}


But with mysqli connections since PHP 5, the function above would require redeclaring the mysqli connection we want to use every time we call the function, so instead we now place our mysql connection into a public class:

Code:
class DB {
  public static $con;
}

Then make the connection:

Code:
DB::$con = new mysqli('localhost', 'user', 'passw', 'db');
if(DB::$con->connect_errno) die("Could not connect - " . DB::$con->connect_error);

Then declare our function:
Code:
function sec($value)
{
  // Same steps as before, but escaping through the shared mysqli connection.
  $value = get_magic_quotes_gpc() ? stripslashes($value) : $value;
  return DB::$con->real_escape_string(htmlentities(trim($value)));
}

Now every time we handle $_POST or $_GET variables we simply call the function, e.g:
Code:
DB::$con->query("INSERT INTO `mytable` (`name`) VALUES('".sec($_POST['yomama'])."')");
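An added example, not code from thumper's post, that keeps the same static `DB::$con` pattern but passes the incoming value to MySQL as a bound parameter instead of interpolating an escaped string, so no call to `sec()` can be forgotten. It also sets the connection charset, which `real_escape_string()` depends on, and HTML-encodes at output time rather than before storing. The table and column names (`mytable`, `id`, `name`), the form field `yomama`, and the use of `get_result()` (requires the mysqlnd driver) are assumptions for illustration.

```php
<?php
// Added example (not from the original post): mysqli with prepared statements
// behind the same static connection holder. Table/column names are assumed.
declare(strict_types=1);

class DB {
    public static ?mysqli $con = null;
}

// Throw on every MySQL error instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
DB::$con = new mysqli('localhost', 'user', 'passw', 'db');
// real_escape_string() and the server must agree on the charset, otherwise
// multi-byte sequences can defeat escaping; set it explicitly.
DB::$con->set_charset('utf8mb4');

// Fetch a trimmed string field from $_POST/$_GET, or null when absent or not a string.
function input(array $src, string $key): ?string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;
    }
    return trim($src[$key]);
}

// Insert a name with a prepared statement: the value travels separately from
// the SQL text and is never part of the query string. Returns the new row id.
function insertName(string $name): int
{
    $stmt = DB::$con->prepare('INSERT INTO `mytable` (`name`) VALUES (?)');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return (int) $stmt->insert_id;
}

// Same idea for SELECT; returns rows as associative arrays.
function findByName(string $name): array
{
    $stmt = DB::$con->prepare('SELECT `id`, `name` FROM `mytable` WHERE `name` = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$name = input($_POST, 'yomama');
if ($name === null || $name === '') {
    http_response_code(400);
    exit('name is required');
}
$id = insertName($name);

// Encode for HTML at output time, not before storing, so the stored value
// stays usable for non-HTML consumers (APIs, CSV exports, comparisons).
echo 'Saved #' . $id . ': ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
```

Because the value never touches the query text, a payload such as `' OR 1=1 -- ` is stored literally as a name. `DB::$con->real_escape_string()` remains useful for the cases bound parameters cannot cover, such as building a `LIKE` pattern, but the table and column names themselves should still come from an allow-list, not from the request.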
