Home/ Questions/Q 4084396
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T18:26:04+00:00

Does this protect against SQL injection attacks? function sanitize($value) { // Stripslashes if (is_array($value))

  • 0

Does this protect against SQL injection attacks?

function sanitize($value) {
    // Stripslashes
    if (is_array($value)) {
        if (get_magic_quotes_gpc()) {
            $value = array_map("stripslashes", $value);
        }
        $value = array_map("mysql_real_escape_string", $value);
    } else {
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
    }
    return $value;
}

$_REQUEST = array_map('sanitize', $_REQUEST);
$_GET = array_map('sanitize', $_GET);
$_POST = array_map('sanitize', $_POST);
$_COOKIE = array_map('sanitize', $_COOKIE);

What could I add to sanitize() to protect against cross-site scripting?
What other channels would allow attackers to insert malicious code?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The one-word answer would be “yes”. However:

    1. If $value is an array that contains other arrays it won’t be handled correctly. You should loop over $value make a recursive call to sanitize for each array you find.
    2. It’s preferable to use prepared statements instead of doing this. Of course, if you already have a complete application and are not building from scratch this can be problematic.

    Finally, the other ways in which someone can subvert your application are cross-site scripting (aka CSS or XSS) and cross-site request forgeries (CSRF). There are lots of resources here on SO and on the internet you can use to get up to speed. As a starting point, protection against XSS involves calling htmlspecialchars on anything you output, while protection against CSRF involves requiring a session-specific id code for each operation your privileged users are allowed to perform on your site.

    Array-safe sanitize version

    function sanitize($value) {
    if (is_array($value)) {
        foreach($value as &$item) {
            $item = sanitize($item);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
    }
    return $value;
}

    Update:

    For higher visibility: Bjoern’s link to this question ( What's the best method for sanitizing user input with PHP? ) is really good.

    • 0