Get support from Xavier Media
All times are UTC




 Post subject: no_injection(); and hidden_key();
PostPosted: Thu Sep 21, 2006 3:01 am 

See this site from pixel 2 depth; it looks pretty good.

Here's a little snippet I'll donate that I use for my forum software to stop any SQL injection from leaking through.

PHP Code:
<?php
// Copyrighted Des PC Industries http://projects.nevux.info/index.html
// or PCindustries.visionstyles.info

// Cleans a string before it goes into a MySQL query: strips HTML tags,
// HTML-encodes special characters, trims whitespace, removes any slashes
// added by magic_quotes, then escapes it for MySQL.
// Note: mysql_real_escape_string() needs an open mysql_connect() link.
function no_injection($string){
  $string = strip_tags($string);
  $string = htmlspecialchars($string);
  $string = trim($string);
  $string = stripslashes($string);
  $string = mysql_real_escape_string($string);

  return $string;
}

// Same cleaning as above, then hashes the password with md5()
// so the plaintext is never stored.
function hiddenkey($pass){
  $pass = strip_tags($pass);
  $pass = htmlspecialchars($pass);
  $pass = trim($pass);
  $pass = stripslashes($pass);
  $pass = mysql_real_escape_string($pass);
  $pass = md5($pass);

  return $pass;
}
?>


The above stops SQL injection, and the second function makes the password encrypted.

Example:
PHP Code:
$password = hiddenkey($password);
$username = no_injection($username);

You could also do:
PHP Code:
<?php
// You must include the functions above for any of this to work ;)
$password = hiddenkey($_POST['password']);
$username = no_injection($_POST['username']);
?>


Have fun


 Post subject: Thanks
PostPosted: Thu Sep 21, 2006 3:41 am 

Thanks for the code! 8)

People need to have SQL protection set up...


 Post subject:
PostPosted: Thu Sep 21, 2006 10:04 pm 

Thanks for it, m8! Really a good piece of code there!


 Post subject:
PostPosted: Thu Dec 28, 2006 2:28 pm 

Not to criticize your code, but you could improve it like so:

Code:
// Cleans a string for use in a MySQL query (needs an open mysql_connect() link
// for mysql_real_escape_string()).
function no_injection($string){
  $string = strip_tags($string);
  $string = htmlspecialchars($string);
  $string = trim($string);
  $string = stripslashes($string);
  $string = mysql_real_escape_string($string);
  return $string;
}

// Reuses no_injection() instead of duplicating its steps, then hashes with md5().
function hiddenkey($pass){
  $pass = no_injection($pass);
  $pass = md5($pass);
  return $pass;
}


That said, you should take additional preventative measures where possible. If you're expecting an integer (as in http://www.mysite.com/products.asp?id=45), don't merely run it through the no_injection function. Convert the variable to an integer in PHP before passing it to the query.

A must-read for anyone new to preventing sql injections:
http://blogs.msdn.com/ericlippert/archive/2006/11/01/how-do-i-mitigate-a-sql-injection-vuln.aspx


 Post subject: Clean the code
PostPosted: Thu Dec 28, 2006 5:26 pm 

Yes, just relying on that code alone will leave you open to new forms of attack. Like Ristmo said, you should check to see if the value is actually a string, char, or whatever before you try to clean it. Use some regex to make sure it is the right type.

Then check the length of the variable so as to make sure someone didn't send a whole essay that, once cleaned, would still have enough ASCII in it to mess you up.

Finally, you can clean the code :P


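Added example (editor's code, not posted by anyone in this thread): the two jobs the first post's no_injection() and hiddenkey() do, plus the integer check from the reply above and the type/length checks from this reply, written the way they are done in current PHP. The relevant facts: the mysql_* extension, and with it mysql_real_escape_string(), was removed in PHP 7.0; htmlspecialchars() is HTML output encoding and has no SQL meaning; md5() is a fast, unsalted digest, which is why password_hash()/password_verify() exist. With prepared statements the query text and the values travel separately, so no escaping step is needed at all. Function names here (validate_username, validate_id, register_user, login, find_user_by_id) are my own, the sample inputs are constructed, and the example uses an in-memory SQLite database through PDO so it runs offline; against a MySQL DSN the prepare/bind calls are identical.

```php
<?php
// Added example, not the forum poster's code. Requires PHP 7+ with pdo_sqlite.
declare(strict_types=1);

// Username: whitelist the allowed characters and cap the length BEFORE the
// value goes anywhere near SQL. Returns null on rejection (no coercion).
function validate_username(string $raw): ?string
{
    $username = trim($raw);
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        return null;
    }
    return $username;
}

// Integer id as in products.php?id=45: must be a decimal integer >= 1.
// "45 OR 1=1" and "45abc" are rejected outright rather than cast to 45.
function validate_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// password_hash() applies a salted, deliberately slow algorithm (bcrypt by
// default) and records the algorithm and cost in the output string, so old
// hashes stay verifiable when the default changes. Nothing is stripped or
// escaped first: the hash is bound as a parameter, never spliced into SQL.
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');   // offline stand-in for a MySQL DSN
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY,
                                   username TEXT UNIQUE NOT NULL,
                                   pw_hash TEXT NOT NULL)');
    return $db;
}

// Prepared statement: the SQL is a fixed string with placeholders, and the
// values are sent separately, so input cannot change the query's structure.
function register_user(PDO $db, string $rawUsername, string $password): bool
{
    $username = validate_username($rawUsername);
    // Length cap on the password too: bcrypt only uses the first 72 bytes,
    // and an unbounded input is a cheap denial-of-service against a slow hash.
    if ($username === null || strlen($password) < 8 || strlen($password) > 1024) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => hash_password($password)]);
    return true;
}

function login(PDO $db, string $rawUsername, string $password): bool
{
    $username = validate_username($rawUsername);
    if ($username === null) {
        return false;
    }
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() reads the algorithm/salt from the stored hash and
    // compares in constant time via hash_equals().
    return $row !== false && password_verify($password, $row['pw_hash']);
}

function find_user_by_id(PDO $db, string $rawId): ?string
{
    $id = validate_id($rawId);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT username FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);   // typed bind, as the reply advises
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Constructed sample inputs, including the classic payloads from the thread.
$db = open_db();
var_dump(register_user($db, 'alice', 'correct horse battery'));
var_dump(register_user($db, "admin'--", 'whatever-password'));  // fails the username regex, no SQL runs
var_dump(login($db, 'alice', 'correct horse battery'));
var_dump(login($db, 'alice', "' OR '1'='1"));                   // bound as a plain value, then hash check fails
var_dump(find_user_by_id($db, '1'));
var_dump(find_user_by_id($db, '1 OR 1=1'));                     // rejected by validate_id before the query
```

Run it with `php example.php`. The order of the checks matters: type and length are validated first and the value is rejected (not "cleaned") when it does not fit, which is what makes the later query safe regardless of what the escaping functions of 2006 would have done to it.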
 Post subject: Re: no_injection(); and hidden_key();
PostPosted: Fri May 01, 2009 10:09 am 
Wow... Thanks for the code... I tried it out... It came out well...


Portal » Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group