Security Basics mailing list archives

Re: PHP filter function against SQL injections
From: jeff () downtowndevelopmentplan com
Date: Wed, 7 Feb 2007 14:56:32 -0500

On Wed, Feb 07, 2007 at 05:54:52PM +0100, Kellox wrote:

i was just wondering if this filter function written in php is safe against
sql injections:

function filter($string) {
  $replace = "";
  $search = array(">", "<", "|", ";");
  $result = mysql_escape_string( str_replace($search, $replace, $string));
  return $result;
}

Don't forget that the best way to sanitize incoming data is to only allow 
known-good input.  Attempting to filter against a list of bad characters has 
historically proven itself futile.  Rewrite your function to only allow the 
characters that your application expects.

-Jeff
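One way to rewrite the filter along the lines Jeff describes, as an added PHP example that is not part of the original thread (the field names, character patterns, length limits and the `$pdo` connection are assumptions):

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Field names, patterns and
// length limits are assumptions standing in for what a real app expects.

/**
 * Allowlist check: return $value only if it is non-empty, within $maxLen
 * bytes and matches $pattern (which must be anchored with \A ... \z).
 * Anything else yields null so the caller rejects the request outright
 * instead of trying to strip "bad" characters out of it.
 */
function allowOnly(string $value, string $pattern, int $maxLen): ?string
{
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return preg_match($pattern, $value) === 1 ? $value : null;
}

// One validator per field, each stating exactly what is acceptable.
function validUsername(string $s): ?string
{
    return allowOnly($s, '/\A[A-Za-z0-9_]+\z/', 32);
}

function validRecordId(string $s): ?int
{
    $v = allowOnly($s, '/\A[1-9][0-9]{0,9}\z/', 10);
    return $v === null ? null : (int) $v;
}

// Constructed sample inputs standing in for $_GET / $_POST values.
$samples = ['alice_01', "o'brien", 'bob<1>', '42', '042', ''];
foreach ($samples as $s) {
    $u = validUsername($s);
    $i = validRecordId($s);
    printf("%-12s username:%-7s id:%s\n", var_export($s, true),
        $u === null ? 'reject' : 'ok', $i === null ? 'reject' : (string) $i);
}

// Even a validated value goes into SQL as a bound parameter, never by
// string concatenation ($pdo is an assumed PDO connection, so this part
// is left commented out):
// $name = validUsername($_GET['name'] ?? '');
// if ($name === null) { http_response_code(400); exit; }
// $stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name');
// $stmt->execute([':name' => $name]);
```

The validator rejects "o'brien" because a username field was declared to allow only word characters; widening the allowed set is a deliberate, per-field decision rather than a guess about which characters are dangerous.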
