
I have made a simple function to protect against SQL injection and XSS. Here is my code. Any suggestions? Is this good enough for security?

<?php
function mres($input){
    // Undo the bulk escaping that magic_quotes_gpc applied to request data
    if(get_magic_quotes_gpc()){
        $input=stripslashes($input);
    }
    // HTML-encode the value before it is stored
    $input=htmlentities($input, ENT_COMPAT, 'UTF-8');
    // Escape for use inside an SQL string literal (needs an open mysql_* connection)
    return mysql_real_escape_string($input);
}

2 Answers


This is wrong in at least two ways:

  1. Turn off magic_quotes completely if you can. At least you are not using it, but $input may not be scalar
  2. htmlentities is for display, not storage. Never encode for storage!
  3. mysql_* functions are deprecated. There is no guarantee you will have an open mysql connection (required) when you call it either.

https://www.php.net/manual/en/function.mysql-real-escape-string.php


2 Comments

so is any way to fix this function?
@chienpinwang no, it's unfixable at this point. Abandon it and all of its contents. Start using PDO.
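The approach the answer recommends, shown as an added example that is not code from the question or either answer: store the raw input with a PDO prepared statement, and encode only at the point where the value is rendered as HTML. It assumes a table named `comments` with a `body` column and uses an in-memory SQLite database so it runs without a server; for MySQL you would swap in a `mysql:host=...;dbname=...` DSN and the same prepared-statement code applies unchanged.

```php
<?php
declare(strict_types=1);

// Constructed sample input: a value that breaks naive escaping in both
// the SQL and the HTML context at once.
$userInput = "O'Reilly <script>alert(1)</script>";

// Assumption: SQLite in memory so the example is self-contained.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Storage: the value is sent as a bound parameter, never spliced into the
// SQL text, so no escaping is applied and the input is stored as typed.
$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $userInput]);

// Retrieval: the stored value comes back identical to what the user sent.
$row = $pdo->query('SELECT body FROM comments WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
assert($row['body'] === $userInput);

// Display: encode for the output context (HTML here) at render time only.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo '<p>' . h($row['body']) . "</p>\n";
// Output: <p>O&#039;Reilly &lt;script&gt;alert(1)&lt;/script&gt;</p>
```

Keeping the encoding out of storage means the same stored value can later be emitted into a different context (JSON, a plain-text e-mail, a CSV export) with the encoder appropriate for that context, instead of carrying HTML entities everywhere.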

Look what you're actually doing:

Magic quotes is a bulk escaping of all incoming data, which makes you vulnerable, as escaping alone doesn't make your data "safe" by any means.

So, you are cleaning these bulk escapes... and then apply the very same escaping again :)

1 Comment

Not exactly .. mysql_real_escape_string and addslashes are not equivalent. Plus htmlentities encodes quotes that would be escaped.
