I am a newbie and trying to get a better understanding of securing MySQL queries against injections. I found the code below, which seems to work nicely and makes it possible to automatically "clean" all inputs coming through $_GET, $_POST and $_COOKIE. But in some forums I was told it is still susceptible to numeric injection, as the mysql_real_escape_string function only checks for strings (as if a hacker were to use numbers, as opposed to single/double quotes, which would get escaped). At any rate, in the second version below I included "numeric" validation, but I'm not sure if I did it correctly... can anybody guide me on it, and how could I test it to make sure it is working? Thank you all!
<?php
// ORIGINAL CODE
// Note: mysql_real_escape_string() needs an open mysql_connect() connection
// (it returns false otherwise), and the mysql_* extension was removed in PHP 7.
$_POST    = sanitize($_POST);
$_GET     = sanitize($_GET);
$_COOKIE  = sanitize($_COOKIE);
$_REQUEST = sanitize($_REQUEST);

function sanitize($input) {
    if (is_array($input)) {
        $output = array();                 // initialise so an empty array returns an array
        foreach ($input as $k => $i) {
            $output[$k] = sanitize($i);    // recurse into nested arrays
        }
    } else {
        if (get_magic_quotes_gpc()) {      // undo magic_quotes before escaping (PHP < 5.4 only)
            $input = stripslashes($input);
        }
        $output = mysql_real_escape_string($input);
    }
    return $output;
}
?>

<?php
// HERE IS ORIGINAL WITH ADDED NUMERIC VALIDATION
// (a second definition of sanitize(); load this file instead of the one
// above, not together with it, or PHP aborts with "Cannot redeclare").
$_POST    = sanitize($_POST);
$_GET     = sanitize($_GET);
$_COOKIE  = sanitize($_COOKIE);
$_REQUEST = sanitize($_REQUEST);

function sanitize($input) {
    if (is_array($input)) {
        $output = array();
        foreach ($input as $k => $i) {
            $output[$k] = sanitize($i);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            if (is_numeric($input)) {
                // wraps numeric input in single quotes; the quotes themselves
                // are then escaped by mysql_real_escape_string() below
                $input = "'" . stripslashes($input) . "'";
            } else {
                $input = stripslashes($input);
            }
        }
        $output = mysql_real_escape_string($input);
    }
    return $output;
}
?>
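Since the question is whether an escaping wrapper can protect a value used in an unquoted numeric context, here is an added example (not from the original post) of the approach a reviewer would recommend instead: validate integers strictly and pass every value as a bound parameter of a prepared statement, so the database never interprets request data as SQL. It assumes PDO with the MySQL driver and a hypothetical users table with an integer id column; the DSN and credentials are placeholders.

```php
<?php
// Added example, not from the original post. Assumes PDO (pdo_mysql)
// and a hypothetical "users" table with an integer "id" column.

// Strict integer validation. is_numeric() also accepts floats, exponent
// notation and leading whitespace, so for a value that lands in an
// integer column use FILTER_VALIDATE_INT and reject everything else.
function validateId($raw): ?int {
    if (!is_string($raw) && !is_int($raw)) {
        return null;                       // arrays, null, objects: reject
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetch a user by id with a prepared statement. The value travels
// separately from the SQL text, so no escaping is needed whether the
// column is numeric or a string.
function findUser(PDO $db, $rawId): ?array {
    $id = validateId($rawId);
    if ($id === null) {
        return null;                       // refuse rather than "clean" the input
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-check of the validator with constructed inputs (run from the CLI,
// no database needed). Compare which ones is_numeric() would let through.
$samples = ['42', ' 42', '4.2', '1e3', '042', '-7', '0x2A', ''];
foreach ($samples as $s) {
    printf("%-8s is_numeric=%-5s validateId=%s\n",
        var_export($s, true),
        is_numeric($s) ? 'true' : 'false',
        var_export(validateId($s), true));
}

// With a real connection (placeholder DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
//     PDO::ATTR_EMULATE_PREPARES => false,       // real server-side prepares
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
// var_dump(findUser($db, $_GET['id'] ?? ''));
```

Running the loop shows the gap the forum warning refers to: is_numeric() says "true" for several inputs that are not plain integers, while the strict validator returns null for them.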