Marlon Fowler

Reputation: 121

Is there a way to add both stripslashes and mysql escape string to sanitize data?

I'm just starting out and trying to learn PHP and MySQL, so my level of knowledge is rather primitive in both.

I'm not too sure about the stripslashes method, so I wanted to know if the below code is secure enough to prevent an SQL injection or other malicious attack against my database? Would the database benefit from adding mysql_real_escape_string in addition to the stripslashes method?

<?php
// Undo any backslashes added by magic_quotes_gpc and trim whitespace
$first = trim(stripslashes($_POST['First']));
$last = trim(stripslashes($_POST['Last']));
$city = trim(stripslashes($_POST['City']));
$state = trim(stripslashes($_POST['State']));
$country = trim(stripslashes($_POST['Country']));
$email = trim(stripslashes($_POST['Email']));
// Honeypot fields: a real browser leaves 'tempt' untouched and 'tempt2' empty
$tempt = $_POST['tempt'];
$tempt2 = $_POST['tempt2'];

$return = array();

if ($tempt == 'http://' && empty($tempt2)) {

    $error_message = '';
    $reg_exp = "/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9-]+\.[a-zA-Z.]{2,5}$/";

    if (!preg_match($reg_exp, $email)) {
        $error_message .= "<p>A valid email address is required.</p>";
    }
    if (empty($first)) {
        $error_message .= "<p>Please provide your first name.</p>";
    }
    if (empty($last)) {
        $error_message .= "<p>Please provide your last name.</p>";
    }

    if (!empty($error_message)) {
        $return['error'] = true;
        $return['msg'] = "<p>The request was successful, but the form was not filled out correctly.</p>" . $error_message;
        echo json_encode($return);
        exit();
    } else {
        $return['error'] = false;
        $return['msg'] = "<p style='top:9px; color:#ff6000; left:63px; text-align:left; font-size:1.50em;'>" . $first . ", <p style='top:0px; width:100%; left:63px; text-align:left; line-height:1.1em;'>your subscription request has been processed.</p>";
        echo json_encode($return);
    }

} else {
    $return['error'] = true;
    $return['msg'] = "<p>There was a problem while sending this form. Try it again.</p>";
    echo json_encode($return);
}

Upvotes: 1

Views: 106

Answers (2)

Pranab

Reputation: 392

I've created a function. Just pass in the value to be sanitized.

function clean($data) {
    $data = trim($data);
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists("mysql_real_escape_string");
    if ($new_enough_php) {
        if ($magic_quotes_active) {
            // Undo the automatic escaping first, otherwise the value is escaped twice
            $data = stripslashes($data);
        }
        // Needs an open mysql_connect() link to know the connection charset
        $value = mysql_real_escape_string($data);
    } else {
        if ($magic_quotes_active) {
            // Already escaped by magic quotes; nothing more to do
            $value = $data;
        } else {
            $value = addslashes($data);
        }
    }
    return $value;
}

Upvotes: 1

AbraCadaver

Reputation: 78994

I don't see any DB queries in your code, but look to the comments for recommendations about prepared statements / no mysql_* functions, etc.

You only need stripslashes if magic_quotes_gpc is enabled in php.ini, try:

if (get_magic_quotes_gpc()) {
    $_POST = array_map('stripslashes', $_POST);
}

Upvotes: 0
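As an added example that is not code from the question or from either answer, this is the approach AbraCadaver's answer points to: undo magic quotes only when that setting is actually on, validate the same fields the question checks, and then hand the values to a prepared statement so no escaping function is needed at all. The table name `subscribers`, its column names and the connection parameters are assumed placeholders; `filter_var`, `PDO` and `htmlspecialchars` are standard PHP.

```php
<?php
// Added example, not from the question or the answers. Assumes a
// hypothetical table `subscribers` (first, last, city, state, country,
// email) and placeholder connection parameters.

// Step 1 (AbraCadaver's point): only strip slashes if magic quotes added
// them. The function_exists guard keeps this running on PHP 8, where
// get_magic_quotes_gpc() no longer exists and nothing is auto-escaped.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_POST = array_map('stripslashes', $_POST);
}

// Step 2: trimming is input normalisation, unrelated to SQL escaping.
$fields = ['First', 'Last', 'City', 'State', 'Country', 'Email'];
$clean = [];
foreach ($fields as $f) {
    $clean[$f] = isset($_POST[$f]) ? trim($_POST[$f]) : '';
}

// Step 3: validate before touching the database (same rules as the question).
$errors = [];
if (filter_var($clean['Email'], FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = 'A valid email address is required.';
}
if ($clean['First'] === '') {
    $errors[] = 'Please provide your first name.';
}
if ($clean['Last'] === '') {
    $errors[] = 'Please provide your last name.';
}

header('Content-Type: application/json');
if ($errors) {
    echo json_encode(['error' => true, 'msg' => $errors]);
    exit;
}

// Step 4: prepared statement. The SQL text is sent to the server
// separately from the values, so a quote or backslash in a field is
// stored literally and cannot alter the statement.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', // placeholders
    'DB_USER',
    'DB_PASS',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

$stmt = $pdo->prepare(
    'INSERT INTO subscribers (first, last, city, state, country, email)
     VALUES (:first, :last, :city, :state, :country, :email)'
);
$stmt->execute([
    ':first'   => $clean['First'],
    ':last'    => $clean['Last'],
    ':city'    => $clean['City'],
    ':state'   => $clean['State'],
    ':country' => $clean['Country'],
    ':email'   => $clean['Email'],
]);

// The first name is echoed back inside HTML, so it is HTML-escaped here;
// that is output encoding for the browser, a separate job from SQL parameters.
$name = htmlspecialchars($clean['First'], ENT_QUOTES, 'UTF-8');
echo json_encode([
    'error' => false,
    'msg'   => "<p>{$name}, your subscription request has been processed.</p>",
]);
```

With placeholders bound this way there is nothing for stripslashes or mysql_real_escape_string to do for the query: the driver never interpolates the values into the SQL string. The mysql_* extension itself was removed in PHP 7, so code built on mysql_real_escape_string stops working there, which is a further reason to prefer PDO or mysqli prepared statements.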
