Easiest Way to Make all inputs sql safe?
#11

[eluser]Rick Jolly[/eluser]
[quote author="jplanet" date="1251516767"]

It took me less than a minute to get the job done, as opposed to the many hours it would take to re-write the queries as so many have suggested...and, oddly, keep suggesting, despite my pleas that it wouldn't work for this situation ;-).[/quote]
Your function as it is doesn't save you any time. These are the same:
Code:
$escaped = postsafe($index);
$escaped = mysql_real_escape_string($_POST[$index]);
Keep in mind that xss_clean won't protect you against sql injection so you might want to separate that out and also allow for automatically sql-escaping an entire array. You might also pass in the array instead of acting directly on $_POST to be more flexible.

The trouble with this approach is your sql is going to remain messy, and more importantly, you might miss the odd sql input leaving yourself vulnerable. If you're maintaining this, you're better to do it right in the first place.
#12

[eluser]jplanet[/eluser]
Ah, but there's so much that you can't tell what's happening at my desk and all of the other circumstances. You have a situation where a bunch of potential investors are going to test a site that isn't live over the weekend, and with dinner guests arriving in a half hour, these are real-life parameters that don't allow for best practices at all times...

The difference between postsafe and mysql_real_escape_string is that I was able to do a find and replace in my controller file, replace $this->input->post with $this->input->postsafe. Because mysql_real_escape_string requires an additional closing parenthesis, I would have had to replace those functions - hundreds of them, manually...

As for the long-term solutions, yes, you're absolutely right, and if all goes well next week I will have time to clean up everything for the long-term - meanwhile, I just needed to know that these investors couldn't break it over the weekend...
#13

[eluser]cahva[/eluser]
Heh.. You could have just extended the input class with MY_Input and didn't have to replace all the $this->input->post()

Something like this:
Code:
// application/libraries/MY_Input.php - CodeIgniter loads this in place of CI_Input
class MY_Input extends CI_Input {

    // Override post() so every existing $this->input->post() call in the
    // controllers returns a value escaped for a quoted SQL string literal.
    // Needs an open ext/mysql connection, otherwise mysql_real_escape_string()
    // fails and returns FALSE.
    function post($index = '', $xss_clean = FALSE)
    {
        return mysql_real_escape_string($this->_fetch_from_array($_POST, $index, $xss_clean));
    }
}
Of course that would use mysql_real_escape_string even if you don't need it (but you had done that already with the foreach ($_POST as $key => $value) thingie before..).
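As an added example (not code from either poster) that combines Rick Jolly's points in #11 with cahva's MY_Input idea in #13: it keeps XSS cleaning and SQL escaping as separate, opt-in operations, escapes arrays (checkbox groups, name="tags[]") element by element, and uses CodeIgniter's own $this->db->escape_str() instead of ext/mysql, so it follows the active driver and its charset. The method names post_sql() and sql_escape() are assumptions, as is the class living in application/libraries/MY_Input.php with the database library loaded. Escaping like this only covers values placed inside a quoted SQL string literal; an unquoted numeric context such as WHERE id = $id still needs a cast, and query binding remains the fix that does not depend on remembering to call the right accessor.

```php
<?php
// Added example, not from the thread. CodeIgniter 1.x, application/libraries/MY_Input.php.
// Assumes the database library is autoloaded so $CI->db->escape_str() exists.
class MY_Input extends CI_Input {

    // Opt-in accessor: same signature as post(), but the returned value is
    // escaped for use inside a single-quoted SQL literal. xss_clean stays a
    // separate switch because XSS filtering does nothing against SQL injection.
    function post_sql($index = '', $xss_clean = FALSE)
    {
        return $this->sql_escape(parent::post($index, $xss_clean));
    }

    // Escape a scalar or a whole array (recursively). Takes any array rather
    // than acting on $_POST directly, so it can be applied to a slice of input.
    function sql_escape($data)
    {
        if (is_array($data))
        {
            $out = array();
            foreach ($data as $key => $value)
            {
                $out[$key] = $this->sql_escape($value);
            }
            return $out;
        }

        if ($data === FALSE OR $data === NULL)
        {
            // Missing field: keep CI's FALSE so callers can still test for it.
            return $data;
        }

        $CI =& get_instance();
        // escape_str() escapes without adding quotes, matching mysql_real_escape_string().
        return $CI->db->escape_str((string) $data);
    }
}

// Controller usage (assumed):
//
//   $name = $this->input->post_sql('name');
//   $this->db->query("SELECT * FROM users WHERE name = '$name'");
//
//   // Unquoted numeric context: escaping does not help, cast instead.
//   $id = (int) $this->input->post('id');
//   $this->db->query("SELECT * FROM users WHERE id = $id");
//
//   // Longer-term fix: query binding, CI escapes each bound value itself.
//   $this->db->query("SELECT * FROM users WHERE name = ?",
//                    array($this->input->post('name')));
```

Because the original post() is left untouched, a controller that was never escaping keeps working unchanged; the find-and-replace from #12 then becomes replacing post( with post_sql( only on the values that end up in SQL, which is also what makes the remaining unescaped uses easy to spot in a later cleanup.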




Theme © iAndrew 2016 - Forum software by © MyBB