Creating super class for PHP form protection

1

I'm thinking of trying to build a super class to protect forms.

Whoever has new ideas, post them here so I can keep updating it.

Does anyone want to add something else?

function seguro($sql){
    // Strip words that look like SQL syntax. sql_regcase() (used here for
    // case-insensitive matching) is gone since PHP 7; the /i flag does the same job.
    $sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i", "", $sql);
    $sql = strip_tags($sql);   // remove HTML and PHP tags
    // Add backslashes before quotes, unless magic quotes already did so
    // (get_magic_quotes_gpc() itself was removed in PHP 8)
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        $sql = addslashes($sql);
    }
    return $sql;
}

Version: 1.2

  • This function is like that sticker "smile, you are being filmed", only without the cameras. I recommend reading: How to validate each data type received from a form?

  • @rray Wouldn't it work?

  • If the system stores song names, this function will 'eat' some of them with that replacement: "Wherever I may roam" becomes "ver I may roam". sql_regcase was deprecated in PHP 5.3 and removed in 7. You can use prepared statements to avoid SQL injection.

  • @rray You can edit the code.

  • Creating a class or library for common tasks is a great idea; I think GitHub is a better tool for this. "Whoever has new ideas, post them here so I can keep updating" is very broad and does not fit well in the Q&A format. Remember that you can ask for feedback on the chat site.

1 answer

0

Use the PDO library to run the queries and also to protect them. In your case, it would be this way:

// How to use it with data coming from the form
$nome  = $_POST["nome"];
$senha = $_POST["senha"];

$pdo  = new PDO('mysql:host=localhost;dbname=banco', 'usuario', 'senha');
// The SQL text is fixed; :nome and :senha are placeholders filled in at execute()
$stmt = $pdo->prepare('SELECT * FROM usuario WHERE nome = :nome and senha = :senha');
$run  = $stmt->execute(array(
    ":nome"  => $nome,
    ":senha" => $senha,
));
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);

With this method, PDO's prepare() prevents SQL injection.
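The following is an added, runnable example that is not part of the question or the answer above. It puts the question's keyword blacklist (rewritten here as seguro_blacklist, a hypothetical name) next to the answer's PDO prepared statement, and shows three things the thread only states in words: the blacklist mangles legitimate input, a single-pass preg_replace is bypassed by nesting a keyword inside itself, and a concatenated query is bypassed by a quote plus a comment while the parameterised query is not. It assumes an in-memory SQLite database with two constructed rows in place of the answer's MySQL "banco" (SQLite ships with PHP, so it runs offline; the table and column names are the answer's).

```php
<?php
declare(strict_types=1);

// Same idea as the question's seguro(): strip a fixed list of SQL keywords in one
// pass, drop HTML tags, then backslash-escape quotes. Hypothetical name.
function seguro_blacklist(string $input): string
{
    $input = preg_replace(
        "/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i",
        "",
        $input
    );
    return addslashes(strip_tags($input));
}

// Constructed in-memory database standing in for the MySQL "banco" of the answer.
function make_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE usuario (id INTEGER PRIMARY KEY, nome TEXT, senha TEXT)');
    $pdo->exec("INSERT INTO usuario (nome, senha) VALUES ('alice', 'correct-horse'), ('bob', 'battery-staple')");
    return $pdo;
}

// Vulnerable: the form values are spliced into the SQL text itself.
function login_concat(PDO $pdo, string $nome, string $senha): int
{
    $sql = "SELECT * FROM usuario WHERE nome = '$nome' AND senha = '$senha'";
    return count($pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// Safe: the SQL text is fixed; the values travel separately as parameters,
// so a quote inside them can never end the string literal.
function login_prepared(PDO $pdo, string $nome, string $senha): int
{
    $stmt = $pdo->prepare('SELECT * FROM usuario WHERE nome = :nome AND senha = :senha');
    $stmt->execute([':nome' => $nome, ':senha' => $senha]);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

$pdo = make_db();

// 1. The blacklist destroys legitimate input: "where" is cut out of a song title.
echo seguro_blacklist("Wherever I may roam"), "\n";        // ver I may roam

// 2. Single-pass removal is bypassed by nesting: deleting the inner "select"
//    from "selselectect" leaves "select" behind.
echo seguro_blacklist("selselectect"), "\n";               // select

// 3. Classic login bypass: the quote ends the literal and "--" comments out
//    the rest of the WHERE clause, so every user matches.
$payload = "' OR 1=1 --";
echo login_concat($pdo, $payload, 'wrong'), " rows\n";     // 2 rows
echo login_prepared($pdo, $payload, 'wrong'), " rows\n";   // 0 rows
```

Run it with `php example.php`. The clear-text comparison of senha is kept only to mirror the answer's query; in real code the column holds the output of password_hash() and the check is done with password_verify() after fetching the row by nome alone.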
