Possible Duplicate:
Best way to stop SQL Injection in PHP
The ultimate clean/secure function

My website was attacked via SQL injection and now I need to improve it. I'm creating a PHP function, escape(), that returns the escaped version of a string. I'm not a hacker, so please help me improve my escape function. Here is the current version:

function escape($string){

    // Remove backslashes (undoes magic_quotes-style escaping)
    $string = stripslashes($string);
    // Escape quotes and other special characters for a MySQL string literal
    $string = mysql_real_escape_string($string);
    // Remove HTML and PHP tags
    $string = strip_tags($string);
    // Remove the LIKE wildcard characters % and _
    $string = str_replace('%','',$string);
    $string = str_replace('_','',$string);

    return $string;

}

My question is: is this hackable, and if it is, then how do I fix it? Thanks!

– Csabi
    That is, frankly, awful. It is an arbitrary collection of replacements applied without any consideration as to what the data might be or where it might be put. – Quentin Mar 31 '12 at 15:58
  • To protect against attacks when user input is inserted into other places (e.g. HTML documents, or JavaScript blocks, or email, or PDF, etc) then research those specifically. There is no global panacea. – Quentin Mar 31 '12 at 15:59
  • All functions in your example except `mysql_real_escape_string` do not make sense (`stripslashes` makes some sense _only_ if you have magic quotes on). – Salman A Mar 31 '12 at 16:01
  • What happens when you want `%` and `_` included in your string? Ditch your function and use PDO prepared statements. – Lawrence Cherone Mar 31 '12 at 16:06
  • Did you use 'mysql_real_escape_string();' before? This is 99% safe, unless you use some other CHARACTER set, as far as I know. (It should be 100% though.) Maybe you must update your phpmyadmin/sql server to apply the latest fixes and security updates. – ArendE Mar 31 '12 at 16:23
  • @SalmanA mysql_real_escape_string doesn't make sense either – Your Common Sense Mar 31 '12 at 16:29
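An added example (not code from the question or from any answer) of what the comments recommend instead of an escape() function: a PDO prepared statement with bound parameters, shown beside the concatenation pattern it replaces, plus a LIKE-context escape for the one case where `%` and `_` actually matter, so they can be kept in the data instead of stripped. The `users` table, `username` column, DSN and credentials are assumptions.

```php
<?php
// Added example, not code from the question. Assumes a `users` table with
// a `username` column; adjust the DSN and credentials for your environment.

// Vulnerable pattern: user input concatenated into the SQL text. A quote in
// the input, or a charset mismatch, can change the structure of the query.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the statement is sent to MySQL separately from the data, so
// the input is always a value and never part of the SQL. No stripslashes,
// escaping or strip_tags is needed for the SQL context; HTML escaping belongs
// at output time (htmlspecialchars), not at input time.
function findUser(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// LIKE is the only place where % and _ are special. Instead of deleting them
// from the data (which silently corrupts legitimate input such as "a_b"),
// escape them for the LIKE pattern only and still bind the pattern as a value.
// The escape character is escaped first so the replacements cannot collide.
function escapeLike(string $value, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $value);
}

function searchUsers(PDO $pdo, string $prefix): array
{
    $stmt = $pdo->prepare(
        "SELECT id, username FROM users WHERE username LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => escapeLike($prefix) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Declaring the connection charset avoids the multibyte-charset edge case
// that mysql_real_escape_string() is known for.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);

var_dump(findUser($pdo, "admin' OR '1'='1")); // compared as a literal string, matches nothing
var_dump(searchUsers($pdo, 'a_b'));           // matches names beginning with the text a_b
```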

1 Answer


This function has absolutely nothing to do with safety.
It barely protects you from some kinds of XSS injections. That's all.

– Your Common Sense