PHP: Securing $_GET and $_POST variables from SQL injection

There must be a million websites with some info about PHP security flaws and functions for securing PHP scripts, etc.
I just can't find instructions anywhere on how to test the security of your own scripts, not to mention someone saying "this secure method is 100% safe".

I just would like to have some clear answers!

The most common example script for securing $_POST variables is something like this:


	// Connect to MySql
	$db = mysqli_connect(
		'lhost',      // The host to connect to
		'user',       // The user to connect as
		'pass',       // The password to use
		'database');  // The default database to query


function secure($value) {

	global $db;

	// Stripslashes
	if (get_magic_quotes_gpc()) {
		$value = stripslashes($value);
	}

	// Quote if not a number
	if (!is_numeric($value)) {
		$value = mysqli_real_escape_string($db, $value);
	}

	return $value;
}


	// Loop through POST variables
	foreach($_POST as $input => $value) {
		$_POST[$input] = secure($value);
	}


	// Update to MySQl
	mysqli_query($db, "UPDATE table SET
		input1 = '$_POST[input1]'
		WHERE id='$_POST[id]';");

I would like to know, is this script really secure? Is there any way a malicious user could do harm or do some tricks?

The other thing I would like to know is how to secure $_GET variables?
I'm sure this isn't very secure, or is it?


	// MySql query
	$query = mysqli_query($db, "SELECT * FROM `database`.`table` WHERE input1='$_GET[input1]';");
	$row = mysqli_fetch_array($query);
	mysqli_free_result($query);

So please, if you know how, or you know a website about how to test security, I would like to hear it. Thanks! :slight_smile:

Same thing as the example. Apply mysqli_real_escape_string() to $_GET['input1']. Put the escaped version into the query, not the raw input from the user.

Look into prepared statements, rather than building queries as literal strings, for a higher level way of avoiding SQL injection and escaping problems.

Thanks for the tip! Could you give an example, please? (I didn't quite understand…) :confused:

$input1 = mysqli_real_escape_string($db, $_GET['input1']);
$query = mysqli_query($db, "SELECT * FROM `database`.`table` WHERE input1='$input1';");

Ah, ok. I see your point! I just don't know if it is possible to do it without defining every variable one by one… that's a lot of work, for example, to secure a site with 300+ $_GET and $_POST variables.

EDIT: Or maybe something like:


	// Loop through POST variables
	foreach($_POST as $input => $value) {
		${$input} = $_POST[$input] = secure($value);
	}
	// Update to MySQl
	mysqli_query($db, "UPDATE table SET
		input1 = '$input1'
		WHERE id='$id';");
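The prepared-statement route mentioned earlier in the thread is shown below as an added example; it is not code from the thread or from Dan Grossman. It covers both queries from the original post (the UPDATE fed from $_POST and the SELECT fed from $_GET) and the "300+ variables" concern: values are bound as parameters, so no per-variable escaping is needed, and the field names are taken from an explicit allowlist rather than from the request. That also avoids the `${$input}` loop above, in which any request field name decides which variable gets overwritten (a field called `db`, for instance, would replace the connection). Assumed: a table named `table` with columns `id`, `input1`, `input2`, `input3`; placeholder connection details; and the mysqlnd driver, which `get_result()` requires.

```php
<?php
// Added example (not from the thread): the thread's UPDATE and SELECT using
// mysqli prepared statements. Request values never become part of the SQL
// text, so they are stored exactly as sent and cannot change the query.

// Report mysqli errors as exceptions so a failed prepare() is not ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder connection details (assumption, same shape as the thread's).
$db = new mysqli('localhost', 'user', 'pass', 'database');
$db->set_charset('utf8mb4');

// Columns a request may update (assumed names). Request field names are only
// matched against this list; they are never pasted into the SQL string.
const UPDATABLE_COLUMNS = ['input1', 'input2', 'input3'];

// Update one row from a $_POST-shaped array; returns the affected row count.
function update_row(mysqli $db, int $id, array $post): int
{
    $assignments = [];
    $values = [];
    foreach (UPDATABLE_COLUMNS as $column) {
        // Skip missing fields and array-valued fields such as input1[]=x.
        if (isset($post[$column]) && is_string($post[$column])) {
            $assignments[] = "`$column` = ?";
            $values[] = $post[$column];
        }
    }
    if ($assignments === []) {
        return 0; // nothing to update
    }
    $values[] = $id;
    $sql = 'UPDATE `table` SET ' . implode(', ', $assignments) . ' WHERE `id` = ?';

    $stmt = $db->prepare($sql);
    // One 's' (string) per column value, then 'i' (integer) for the id.
    $types = str_repeat('s', count($assignments)) . 'i';
    $stmt->bind_param($types, ...$values);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// The thread's SELECT: look up one row by input1; null when nothing matches.
function find_by_input1(mysqli $db, string $input1): ?array
{
    $stmt = $db->prepare('SELECT * FROM `database`.`table` WHERE `input1` = ?');
    $stmt->bind_param('s', $input1);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Usage with the request shape from the thread.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT); // false/null if absent or not an int
if (is_int($id)) {
    update_row($db, $id, $_POST);
}

$lookup = filter_input(INPUT_GET, 'input1'); // null if absent
if (is_string($lookup)) {
    $row = find_by_input1($db, $lookup);
}
```

Because the column list is fixed in code, adding a new form field means adding one entry to `UPDATABLE_COLUMNS`, not writing another escaping line; the `id` goes through `FILTER_VALIDATE_INT` before it is bound as an integer, which replaces the `is_numeric` branch of `secure()`.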

You can do what you did with $_POST:

	foreach($_GET as $input => $value) {
		$_GET[$input] = secure($value);
	}

But this alters all the values. If you want to print it to a page, or do anything else with it that isn't putting it into a database, you don't really want that.
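The point made above, that escaping every value on the way in mangles it for every other use, is illustrated with the added example below; it is not code from the thread. It keeps the request value raw and encodes it separately for each place it is used (HTML text, a URL query string), and shows what an input-side backslash does to a page. The sample input is constructed; `addslashes()` stands in for `mysqli_real_escape_string()` only because the latter needs a live connection, and both prefix a quote with a backslash.

```php
<?php
// Added example (not from the thread): encode at the point of use, per sink,
// instead of rewriting $_GET/$_POST in place with one SQL-escaping function.

// Constructed sample input, standing in for $_GET['input1'].
$raw = "O'Reilly <b>&</b>";

// HTML text or attribute value: encode <, >, &, " and ' so the value cannot
// become markup, whatever it contains.
function for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// URL query string: percent-encode every key and value.
function for_url(array $params): string
{
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// A page fragment that uses the same value in two contexts: inside a link
// target (URL encoding, then attribute encoding) and as link text (HTML).
function render_link(string $value): string
{
    $href = '/search.php?' . for_url(['input1' => $value]);
    return '<a href="' . for_html($href) . '">' . for_html($value) . '</a>';
}

// Correct: the quote, <, > and & are encoded for HTML and the text reads as
// the user typed it. The database sink gets the same $raw as a bound
// parameter of a prepared statement, with no escaping of its own.
echo render_link($raw), "\n";

// What the "escape everything on input" loop produces: the backslash that
// was meant for MySQL is now part of the value and shows up on the page.
$escaped_on_input = addslashes($raw);
echo render_link($escaped_on_input), "\n";
```

Run from the command line with `php example.php`; the second line of output carries a stray backslash before the apostrophe in both the link target and the link text, which is the alteration the reply above warns about.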

Alright! Thanks Dan Grossman! Then I'm very proud of myself that I finally wrote something that works! LOL! :smiley: