1
BadAngler
The XOOPS way to avoid SQL injections from forms?
  • 2007/1/2 0:21

  • BadAngler

  • Just popping in

  • Posts: 36

  • Since: 2006/11/28


Hi,

I've been writing a series of input forms for a XOOPS site. My work is mostly done with the exception of disinfecting browser input. I usually write perl code where you drop control characters (most often allowing only a specific list of characters), any markup, escape quotes, etc before any database insertion. I'm trying to figure out the safest way to do this for php and thought there might be a generic XOOPS function to do so. If there isn't does anyone have a function with the correct mix of strip_tags, stripslashes and magic_quotes_gpc? Extra credit for a solution no matter what the server setting for magic quotes...it'd be great if we don't have to deal with that at every hosting site.

TIA, BA

2
Dave_L
Re: The XOOPS way to avoid SQL injections from forms?
  • 2007/1/2 1:58

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


How are you doing the MySQL queries to update the database? With the XOOPS object classes, or with manual queries?

With manual queries, you can do:

$myts =& MyTextSanitizer::getInstance();
...
$fieldvalue = $myts->addSlashes($fieldvalue);
...
$query = ... `fieldname` = '$fieldvalue' ....

If you're using XOOPS object classes, the object handler should take care of that for you.

3
phppp
Re: The XOOPS way to avoid SQL injections from forms?
  • 2007/1/2 2:48

  • phppp

  • XOOPS Contributor

  • Posts: 2857

  • Since: 2004/1/25


The preferred procedure handling user input would be:

$xoopsObject->setVar($GPCvar, $GPCval);
=> Inform xoopsObject that current variable is from GPC

$xoopsObject->cleanVars();
=> strip slashes if magic_quotes_gpc is set to ON

$xoopsDB->quoteString($xoopsObject->$cleanedGPCval);
=> add slashes to single quotes

$xoopsDB->query()
=> store into DB

Through this way, the storage procedure is safe for most cases, except a few very rare cases for a few east Asian encodings, potentially, if magic_quotes_gpc is set to OFF.

Login

Who's Online

416 user(s) are online (313 user(s) are browsing Support Forums)


Members: 0


Guests: 416


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits