PHP Clean String

Page 1 of 1

9 Replies - 888 Views - Last Post: 15 January 2015 - 12:18 AM

#1 pemcconnell (D.I.C Regular, Reputation: 54, Posts: 472, Joined: 05-August 08)

PHP Clean String

Posted 25 September 2008 - 11:45 PM

Description: Call the function with the string you wish to clean as the parameter. Cleans a string to prevent SQL injection.
function formatRemoveSQL($value){
	// Strip HTML tags first (function names must be passed to function_exists()
	// as strings; the bare identifiers in the original are a fatal error on PHP 8).
	if(function_exists('strip_tags')){
		$value = strip_tags($value);
	}
	// Escape quote characters with whichever escaping function this PHP build offers.
	// mysql_real_escape_string() needs an open mysql connection, and the whole mysql_*
	// extension was removed in PHP 7, so on current PHP these first two branches are
	// skipped and addslashes() is used.
	if(function_exists('mysql_real_escape_string')){
		$value = mysql_real_escape_string($value);
	}else if(function_exists('mysql_escape_string')){
		$value = mysql_escape_string($value);
	}else if(function_exists('addslashes')){
		$value = addslashes($value);
	}else{
		// Last resort: swap quote characters for visually similar ones. The original
		// replacement for the double quote was lost in extraction (it read as a no-op
		// replacing " with "); a right double quotation mark is assumed here.
		$value = str_replace("'", "´", $value);
		$value = str_replace('"', '”', $value);
	}
	return $value;
}



Replies To: PHP Clean String

#2 dreamincodehamza (D.I.C Regular, Reputation: -12, Posts: 349, Joined: 12-September 08)

Re: PHP Clean String

Posted 21 February 2009 - 03:41 PM

Cool man, this is what people want.

#3 pemcconnell (D.I.C Regular, Reputation: 54, Posts: 472, Joined: 05-August 08)

Re: PHP Clean String

Posted 01 March 2009 - 03:37 PM

No probs, glad you like it :)

#4 huzi8t9 (D.I.C Regular, Reputation: 25, Posts: 367, Joined: 11-July 07)

Re: PHP Clean String

Posted 07 April 2009 - 05:15 PM

Just what I was looking for!! Thanks!!

#5 hadi_php (D.I.C Regular, Reputation: 10, Posts: 382, Joined: 23-August 08)

Re: PHP Clean String

Posted 25 October 2009 - 11:12 PM

What will you do if the user types: admin' OR '1'='1 <html> <body>

I think it's better to replace strip_tags with htmlspecialchars.

#6 hadi_php (D.I.C Regular, Reputation: 10, Posts: 382, Joined: 23-August 08)

Re: PHP Clean String

Posted 25 October 2009 - 11:13 PM

admin' OR '1'='1


#7 pemcconnell (D.I.C Regular, Reputation: 54, Posts: 472, Joined: 05-August 08)

Re: PHP Clean String

Posted 26 October 2009 - 12:28 AM

Hi hadi_php, for MySQL to see the command it needs to break out of the string, typically achieved by placing a "'" in the string, e.g. '; DROP tblname; This means that the SQL would read something like: SELECT * FROM tblname WHERE colvalue = ''; DROP tblname; which is bad times. This function is designed to be a cross-platform (different PHP versions supported) function which, when wrapped around your string input, will make the data 'safe' by prefixing "\" to apostrophes etc.

#8 bubby (New D.I.C Head, Reputation: 0, Posts: 3, Joined: 19-December 09)

Re: PHP Clean String

Posted 19 December 2009 - 04:38 PM

Being a private security researcher I can see a problem with this code. I am not a programmer, so correct me if I'm wrong, but I feel I could still use SQL injection if this script was active. Thanks, bubby - irc.6667.eu

#9 pemcconnell (D.I.C Regular, Reputation: 54, Posts: 472, Joined: 05-August 08)

Re: PHP Clean String

Posted 26 September 2010 - 11:42 PM

Hi Buddy - it's been a long time since I used this site, so I hadn't read your message until now. I'd be interested in knowing what SQL injections you would use. I'm open to ideas, but since 2007/2008 I haven't had a single site hacked using this function.

#10 macosxnerd101 (Games, Graphs, and Auctions, Reputation: 12135, Posts: 45,119, Joined: 27-December 08)

Re: PHP Clean String

Posted 15 January 2015 - 12:18 AM

Note that the mysql_*() family of functions has been deprecated since the original submission of this snippet. If you are reading this snippet, you should be using PDO or MySQLi, with their prepared statement functionality. Prepared statements guard against SQL Injection attacks. If used correctly, you don't need to sanitize your inputs.
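
The prepared-statement approach recommended in post #10, placed next to the string-concatenated query that the thread's snippet tries to protect, fed the `admin' OR '1'='1` value from post #5. This is an added example, not code from the thread or its author; it assumes an in-memory SQLite database reached through PDO (so it runs with no MySQL server; the PDO calls are identical with a MySQL DSN), and the `users` table, its rows and the function names are constructed for the illustration.

```php
<?php
// Added example: the same lookup done two ways against a constructed table.
// In-memory SQLite is assumed so the script runs offline; with a MySQL DSN
// the PDO calls below are unchanged.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$db->exec("INSERT INTO users (name) VALUES ('admin'), ('alice'), ('bob')");

// Vulnerable form: the input is spliced into the SQL text, so a quote inside
// it closes the literal and whatever follows is parsed as SQL (post #7's point).
// Escaping functions such as the snippet's formatRemoveSQL() try to patch this
// after the fact by altering the input.
function findByNameConcat(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the SQL text is fixed when the statement is prepared and the
// value travels separately as a bound parameter, so the database can only ever
// treat it as data. No sanitising of the input is needed for this query.
function findByNamePrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$input = "admin' OR '1'='1"; // the value hadi_php quotes in posts #5 and #6

echo "Concatenated query matched:\n";
print_r(findByNameConcat($db, $input));

echo "Prepared statement matched:\n";
print_r(findByNamePrepared($db, $input));
```

Running the script shows the concatenated query matching rows the input should not, because the WHERE clause has been turned into a tautology, while the prepared statement compares the whole input as one string and matches nothing.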
