PHP Tutorial: Easy SQL Injection Prevention


I’ve noticed on several client games I’ve worked on recently that, instead of creating a global cleaning function to prevent SQL injection, they wrap mysql_real_escape_string() calls around everything. Wrapping that function around every variable read from a form is fine as far as it goes, but it leaves you open to forgetting or overlooking one. Below is a function you can run before accessing $_GET and $_POST data. I typically put it in a header include file and run it before I do anything else on the page. It escapes $_GET and $_POST in place, so you can drop them into quoted SQL string literals without adding the call each time.

Know what this does and does not cover before relying on it. mysql_real_escape_string() only makes a value safe inside a single- or double-quoted SQL string literal: a value spliced into an unquoted numeric position (WHERE id = $_GET['id']), into a table or column name, or into an ORDER BY clause is still injectable, and a value used in a LIKE pattern still needs its % and _ handled separately. The function also needs an open MySQL connection, so the header must connect before calling it, and the whole mysql_* extension was removed in PHP 7. Escaping everything globally has the same drawbacks magic quotes had (and magic quotes were removed in PHP 5.4): the values are now wrong for every non-SQL use, such as writing them to HTML, a file or an email, and $_COOKIE and $_REQUEST are not touched at all. The robust fix, and the one to use in new code, is prepared statements with bound parameters (mysqli or PDO), which keep data and SQL separate whatever the context.

/*******
* Prevent SQL Injections
* Walk through the value and call mysql_real_escape_string on all values.
* mysql_real_escape_string needs an open mysql_connect() connection, so
* connect before including this. It only protects values that end up
* inside quoted SQL string literals.
*******/
function preventInjections($value)
{
    if (is_array($value))
        return array_map('preventInjections',$value);
    else
        return mysql_real_escape_string(trim($value));
}

/*******
* Run this at the top of every page before you try to use
* anything from your $_GET or $_POST variables
*******/
if (!get_magic_quotes_gpc())
{
    $_POST = preventInjections($_POST);
    $_GET = preventInjections($_GET);
}

/*******
* From this point on $_GET and $_POST are escaped for use inside quoted
* SQL string literals. Values used anywhere else (numeric SQL contexts,
* HTML output, files) still need their own handling.
*******/
print_r($_POST);
print_r($_GET);
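The following is an added example, not code from the original post. It shows the limit described above in running code: an escaped value is safe inside a quoted string literal but not in an unquoted numeric position, and a prepared statement with validation closes the gap. It uses SQLite through PDO so it runs offline without a MySQL server (the same PDO calls work unchanged against a mysql: DSN). The quoteEscape() helper, the users table and the attacker inputs are constructed for the demonstration; quoteEscape() stands in for mysql_real_escape_string() using SQLite's quoting rule, which itself illustrates a caveat: escaping rules are database-specific, and MySQL-style backslash escaping would be a syntax error in SQLite.

```php
<?php
// Added example (not code from the original post): why blanket escaping only
// protects quoted string literals, and what a prepared statement does instead.
// Uses SQLite through PDO so it runs offline. quoteEscape() is a stand-in for
// mysql_real_escape_string() using SQLite's rule (double the single quote).

function quoteEscape(string $value): string
{
    return str_replace("'", "''", $value);
}

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $db;
}

// Escaped value spliced inside quotes: the injection attempt stays inside the
// literal, because the only way out of a string literal is the quote character.
function countByNameEscaped(PDO $db, string $name): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '" . quoteEscape($name) . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// Escaped value spliced into an unquoted numeric position: "1 OR 1=1" contains
// no quote, so escaping changes nothing and the WHERE clause is rewritten.
function countByIdEscaped(PDO $db, string $id): int
{
    $sql = 'SELECT COUNT(*) FROM users WHERE id = ' . quoteEscape($id);
    return (int) $db->query($sql)->fetchColumn();
}

// Prepared statement plus type validation: the SQL text is fixed before any
// user data is seen, and a non-integer id is rejected rather than coerced.
function countByIdPrepared(PDO $db, string $id): int
{
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        return 0;
    }
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE id = :id');
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

$db = setupDb();
// Constructed attacker inputs, one per context.
$stringPayload  = "alice' OR '1'='1";
$numericPayload = '1 OR 1=1';

printf("escaped, quoted string context : %d rows\n", countByNameEscaped($db, $stringPayload));
printf("escaped, numeric context       : %d rows\n", countByIdEscaped($db, $numericPayload));
printf("prepared, numeric context      : %d rows\n", countByIdPrepared($db, $numericPayload));
```

Run it with the php CLI (the pdo_sqlite extension is bundled with most builds). The first query matches no rows, since the doubled quotes keep the payload inside the literal; the second matches all three rows, because there was never a quote for the escaping to act on and WHERE id = 1 OR 1=1 is valid SQL in every dialect; the third matches nothing, because the payload fails integer validation before the statement runs. Swapping quoteEscape() for mysql_real_escape_string() on a MySQL connection does not change the second result.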

PHP Tutorial: Dynamically Create an Email Address in CPanel


This assumes you have cPanel and permission to run the /scripts/addpop command. You’ll need to write functions for validateUsername, validatePassword, and usernameExists, or you can click on the links for each of those and use mine 🙂

Two things to get right before this goes anywhere near user input. Each value must be passed through escapeshellarg(), which single-quotes it so the shell treats it as exactly one argument; escapeshellcmd() is meant for a whole command line, leaves spaces alone, and would let a password containing a space turn into extra arguments. validateUsername() should whitelist the characters a mailbox name may contain and reject a leading "-", so the value cannot be read as an option by the script. Note also that anything passed on a command line is visible to other local users in the process list for as long as the command runs, which matters for the password.

<?php
function createEmail($username, $password)
{
    if (!$username)
        return "Username missing.";
    if (!$password)
        return "Password missing.";
    if (!validateUsername($username)) //do your validation on the formatting, write this yourself...
        return "Invalid username, please try again.";
    if (!validatePassword($password)) //do your validation on the formatting, length & strength, write this yourself...
        return "Invalid password, please try again.";
    //check to see if this email address is already taken
    if (usernameExists($username)) //write this yourself...
        return "This username already exists. Please select another one.";
    //run the command; escapeshellarg() quotes each value as a single shell argument
    //(escapeshellcmd() does not escape spaces and would let one value become several arguments)
    shell_exec("/scripts/addpop " . escapeshellarg($username) . " " . escapeshellarg($password));
    return "Your email address has been created!";
}
?>
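The following is an added example, not part of the original post, showing what the child process actually receives as argv after escapeshellcmd() versus escapeshellarg(), and how to avoid the shell entirely with proc_open() in array form (PHP 7.4 and later). It uses printf as a harmless stand-in for /scripts/addpop, needs a POSIX /bin/sh for the two shell runs, and the username and password values are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): the argv a child process sees
// after each escaping function, using printf as a harmless stand-in for
// /scripts/addpop. Needs a POSIX /bin/sh for the shell_exec() runs.

/**
 * Run "printf '%s\n' <escaped args>" through the shell and return the argv
 * entries the child received, one per output line.
 */
function argvSeenByShellChild(string $escapedArgs): array
{
    $out = shell_exec("printf '%s\\n' " . $escapedArgs);
    return ($out === null || $out === '') ? [] : explode("\n", rtrim($out, "\n"));
}

/**
 * Same check with no shell: proc_open() with an array (PHP 7.4+) execs the
 * program directly, so each array element is exactly one argv entry and no
 * escaping is needed at all.
 */
function argvSeenByDirectChild(array $args): array
{
    $spec = [1 => ['pipe', 'w']];
    $proc = proc_open(array_merge(['printf', '%s\n'], $args), $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start printf');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out === '' ? [] : explode("\n", rtrim($out, "\n"));
}

// Constructed inputs: the password has a space and a command substitution.
$username = 'alice';
$password = 'p4ss word $(id)';

// escapeshellcmd() backslash-escapes the $ ( ) but not the space, so the shell
// splits the password and the child sees extra arguments.
$viaCmd = escapeshellcmd($username) . ' ' . escapeshellcmd($password);
echo "escapeshellcmd():\n";
print_r(argvSeenByShellChild($viaCmd));

// escapeshellarg() wraps each value in single quotes; the shell hands the
// whole password over as one argument, metacharacters included.
$viaArg = escapeshellarg($username) . ' ' . escapeshellarg($password);
echo "escapeshellarg():\n";
print_r(argvSeenByShellChild($viaArg));

// No shell at all: the argv array goes straight to exec, nothing to escape.
echo "proc_open() array form:\n";
print_r(argvSeenByDirectChild([$username, $password]));
```

In the first run the password arrives as three separate argv entries; in the other two it arrives intact as one. Neither escaping function stops a value that begins with "-" from being parsed as an option by the target program, which is why the input validation in createEmail() still matters even with correct quoting.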

PHP Tutorial: Mixing HEX Colors

<?php
/****************
* Purpose: mix two colors together
* Precondition: two colors in hex RGB format, e.g. "ff8800" or "#ff8800"
* Postcondition: a single 6-digit hex color that is the channel-by-channel average of the two
****************/
function mixcolors($color1, $color2)
{
  $color1 = ltrim($color1, '#');
  $color2 = ltrim($color2, '#');
  // hexdec() silently ignores non-hex characters, so check the input explicitly
  if (strlen($color1) != 6 || strlen($color2) != 6 || !ctype_xdigit($color1 . $color2))
    throw new InvalidArgumentException('Colors must be 6-digit hex RGB values');

  // split each color into its red, green and blue channels
  $c1_p1 = hexdec(substr($color1, 0, 2));
  $c1_p2 = hexdec(substr($color1, 2, 2));
  $c1_p3 = hexdec(substr($color1, 4, 2));

  $c2_p1 = hexdec(substr($color2, 0, 2));
  $c2_p2 = hexdec(substr($color2, 2, 2));
  $c2_p3 = hexdec(substr($color2, 4, 2));

  // average each channel and format it back as two hex digits
  $m_p1 = sprintf('%02x', round(($c1_p1 + $c2_p1) / 2));
  $m_p2 = sprintf('%02x', round(($c1_p2 + $c2_p2) / 2));
  $m_p3 = sprintf('%02x', round(($c1_p3 + $c2_p3) / 2));

  return $m_p1 . $m_p2 . $m_p3;
}
?>

PHP Tutorial: Get Filename From Domain Path

<?php
/****
* Purpose: get the filename from the path
* Precondition: path i.e. http://domain.com/contacts.php
* Postcondition: returns the filename i.e. contacts.php
* Note: any query string or fragment is dropped first, so
* http://domain.com/contacts.php?id=1 also returns contacts.php.
* The result is untrusted input; do not use it to include or open
* files without checking it against a list of allowed names.
****/
function fileName($path)
{
     $pathOnly = parse_url($path, PHP_URL_PATH);
     if (!is_string($pathOnly))
          return ''; // no path component, or unparseable input
     $slash = strrpos($pathOnly, '/');
     // strrpos() returns false when there is no slash; the original +1 would
     // then have cut off the first character of a bare filename
     return $slash === false ? $pathOnly : substr($pathOnly, $slash + 1);
}
?>
