2

i wanted to protect my website from sql injections and other possible risks, so i changed all my sql queries by adding for each variable something like this :

 $getLid = htmlspecialchars($_GET[lid], ENT_QUOTES);

For my 50 files... But i have just seen that it might be my mistake : i should have added mysql_real_escape_string for any "input"...

Is it still better to use mysql_real_escape_string in this case, or the ENT_QUOTES works also? Do i have to restart again and add mysql_real_escape_string instead of my htmlspecialchars(..., ENT_QUOTES); ?

Edit :

Do you mean something like that?

$getLid = escape_string($str);

function escape_string($str){
    return mysql_real_escape_string($str);
}

Edit n°2 : the return statement does not work properly, would you know why?

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in … www/escape_file.php

Access denied for user in … www/escape_file.php

Thanks

4

1 回答 1

1

There are a lots of references to secure user inputs. You can Google it, but I think you should write a class or a function in another php file like "escape.php" and then include that file to all of your 50 files. then use that for escaping. exmple:

include 'escape.php';
$str = escape_string($str);

So you can change your escaping function so easy just with changing a single file. I hope it will help you.

于 2012-07-31T19:31:29.623 回答