Security Basics mailing list archives
Re: PHP filter function against SQL injections
From: jeff () downtowndevelopmentplan com
Date: Wed, 7 Feb 2007 14:56:32 -0500
On Wed, Feb 07, 2007 at 05:54:52PM +0100, Kellox wrote:
> I was just wondering if this filter function written in PHP is safe
> against SQL injections:
>
>     function filter($string) {
>         $replace = "";
>         $search = array(">", "<", "|", ";");
>         $result = mysql_escape_string(str_replace($search, $replace, $string));
>         return $result;
>     }
Don't forget that the best way to sanitize incoming data is to only allow known-good input. Attempting to filter against a list of bad characters has historically proven itself futile. Rewrite your function to only allow the characters that your application expects.

-Jeff
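The contrast Jeff is drawing, as an added example that is not code from the original thread or from either poster: the posted blocklist filter beside an allowlist check, run against a constructed numeric-context input. Assumptions in this example: a `users` table with `id` and `username` columns, an in-memory SQLite database through PDO (`pdo_sqlite`), and `addslashes()` standing in for `mysql_escape_string()`, which no longer exists in current PHP (for the input used here both leave the string unchanged). The example also binds the validated value as a prepared-statement parameter, which goes beyond the post's advice.

```php
<?php
// Added example, not from the original thread. Compares the posted
// blocklist filter with an allowlist check plus a bound parameter.
// Table and column names (users, id, username) are assumptions.
declare(strict_types=1);

// The filter as posted, kept for comparison. mysql_escape_string() was
// removed from PHP; addslashes() is an assumed stand-in so this runs.
function filter_blocklist(string $string): string {
    $search = array(">", "<", "|", ";");
    return addslashes(str_replace($search, "", $string));
}

// Allowlist: accept only the shape the application expects and reject
// everything else, instead of trying to strip what looks dangerous.
function validate_id(string $input): ?int {
    // One to ten ASCII digits, no leading zero, nothing else.
    if (!preg_match('/\A[1-9][0-9]{0,9}\z/', $input)) {
        return null;
    }
    return (int)$input;
}

function validate_username(string $input): ?string {
    // Letters, digits and underscore, 3 to 32 characters.
    if (!preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $input)) {
        return null;
    }
    return $input;
}

// Validated input is still kept out of the SQL text: it is bound.
function find_user(PDO $db, string $rawId): ?array {
    $id = validate_id($rawId);
    if ($id === null) {
        return null; // reject rather than clean
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function demo(): array {
    // Constructed sample data (assumption: pdo_sqlite is available).
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
    $db->exec("INSERT INTO users (id, username) VALUES (1, 'alice'), (2, 'bob')");

    // Constructed attacker input. A numeric WHERE clause needs no quotes,
    // so none of the four blocked characters (or any quote) is required.
    $attack = '1 OR 1=1';

    // Blocklist filter plus string concatenation: the WHERE clause
    // becomes "id = 1 OR 1=1" and every row comes back.
    $rows = $db->query('SELECT id FROM users WHERE id = ' . filter_blocklist($attack))
               ->fetchAll(PDO::FETCH_COLUMN);

    return [
        'blocklist_left_input_unchanged' => filter_blocklist($attack) === $attack,
        'rows_returned_via_blocklist'    => count($rows),
        'allowlist_verdict_on_attack'    => validate_id($attack),
        'allowlist_verdict_on_username'  => validate_username("bob'--"),
        'bound_lookup_of_id_2'           => find_user($db, '2'),
    ];
}

print_r(demo());
```

In a quoted string context the posted filter does escape the quote characters, but note that `mysql_escape_string()` never took the connection's character set into account (that was the job of `mysql_real_escape_string()`), so it was never a complete answer even there. The allowlist functions above decide on the whole value with anchored patterns (`\A` ... `\z`), and anything that fails is rejected outright rather than "repaired".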
Current thread:
- PHP filter function against SQL injections Kellox (Feb 07)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 07)
- Re: PHP filter function against SQL injections jeff (Feb 07)
- Re: PHP filter function against SQL injections Koen Bossaert (Feb 08)
- Re: PHP filter function against SQL injections Kellox (Feb 08)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 08)
- Re: PHP filter function against SQL injections Terra Frost (Feb 09)
- Message not available
- Re: PHP filter function against SQL injections Terra Frost (Feb 12)
- Re: PHP filter function against SQL injections Kellox (Feb 08)
- Re: PHP filter function against SQL injections Kellox (Feb 09)
- Re: PHP filter function against SQL injections jeffrey rivero (Feb 09)
- Re: PHP filter function against SQL injections Nic Stevens (Feb 12)
- <Possible follow-ups>
- FW: PHP filter function against SQL injections kevin fielder (Feb 08)
- Re: PHP filter function against SQL injections Henry Troup (Feb 12)