
About preventing SQL injection


joymis


Hello,

I have some code I use to prevent SQL injection, but the code does not seem to work. This is my code:

<?php

class Util{
    public static function edit_array($array) {
        array_walk_recursive($array, 'Util::edit_value');
    }
    public static function edit_value(&$value) {
        $value = trim(htmlspecialchars($value, ENT_QUOTES));
    }
}

Util::edit_array($_POST);
print_r($_POST);

?>

I printed the $_POST value and confirmed it with the browser's developer tools, but the value still shows a single quote, not '

I don't know why, please help me.

In addition to the htmlspecialchars function, I want to know what else I should use to prevent SQL injection.


Thanks.


The only reliable way to prevent SQL injection is to use prepared statements. Read the tutorial page about it.

http://www.w3schools.com/php/php_mysql_prepared_statements.asp


Anything else is prone to oversights and mistakes. You shouldn't need to store HTML entities; that's not a protection against SQL injection.


The reason your code is not behaving as expected is that a copy of the array is created when it is passed into the function. The original array is unaffected. Look up passing by reference in the PHP manual.

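The two points in the answer above, worked through in code. This is an added example, not code from the thread: it applies the by-reference fix to the poster's Util class, then puts a string-concatenated query next to a prepared statement against an in-memory SQLite database so it runs offline. It assumes PHP with the pdo_sqlite extension; the users table, the rows, and the $input array are constructed for the example.

```php
<?php
// Added example (not from the thread). Assumes PHP with pdo_sqlite.

// 1. Pass-by-reference: the original edit_array() received a copy of the
//    array, so $_POST was never changed. The & on the parameter fixes that.
class Util {
    public static function edit_array(array &$array): void {
        array_walk_recursive($array, 'Util::edit_value');
    }
    public static function edit_value(&$value): void {
        // Trim only. HTML encoding belongs in the output layer, not here,
        // and it is not what protects the database.
        $value = trim((string)$value);
    }
}

// Constructed in-memory database standing in for the real one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Constructed input standing in for $_POST; the single quote is the kind of
// value the poster was worried about.
$input = ['name' => "  O'Brien  "];
Util::edit_array($input);        // now actually modifies $input
var_dump($input['name']);        // string(7) "O'Brien"

// 2. Unsafe: string concatenation. The quote in the value becomes part of
//    the SQL text, so the database parses user input as query syntax.
function findByNameUnsafe(PDO $pdo, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Safe: prepared statement. The value is bound as data and never parsed
//    as SQL, so quotes need no escaping or entity encoding at all.
function findByNameSafe(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    findByNameUnsafe($pdo, $input['name']);   // O'Brien breaks the query: SQL syntax error
} catch (PDOException $e) {
    echo "unsafe query failed: " . $e->getMessage() . PHP_EOL;
}
print_r(findByNameSafe($pdo, $input['name'])); // empty result set, no error
print_r(findByNameSafe($pdo, 'alice'));        // one matching row
```

The syntax error from the unsafe version is the tell: the database read part of the input as SQL rather than as a string value. With the prepared statement the same input is simply a name that matches no row. Keep htmlspecialchars for the point where values are written into HTML, not as a substitute for parameter binding.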
