
Does this protect against injection attacks?

Does this protect against SQL injection attacks?

function sanitize($value) {
    // Stripslashes
    if (is_array($value)) {
        if (get_magic_quotes_gpc()) {
            $value = array_map("stripslashes", $value);
        }
        $value = array_map("mysql_real_escape_string", $value);
    } else {
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
    }
    return $value;
}

$_REQUEST = array_map('sanitize', $_REQUEST);
$_GET = array_map('sanitize', $_GET);
$_POST = array_map('sanitize', $_POST);
$_COOKIE = array_map('sanitize', $_COOKIE);

What could I add to sanitize() to protect against cross-site scripting? What other channels would allow attackers to insert malicious code?

The one-word answer would be "yes". However:

  1. If $value is an array that contains other arrays it won't be handled correctly. You should loop over $value and make a recursive call to sanitize for each array you find.
  2. It's preferable to use prepared statements instead of doing this. Of course, if you already have a complete application and are not building from scratch this can be problematic.

Finally, the other ways in which someone can subvert your application are cross-site scripting (aka CSS or XSS) and cross-site request forgeries (CSRF). There are lots of resources here on SO and on the internet you can use to get up to speed. As a starting point, protection against XSS involves calling htmlspecialchars on anything you output, while protection against CSRF involves requiring a session-specific id code for each operation your privileged users are allowed to perform on your site.

Array-safe sanitize version

function sanitize($value) {
    if (is_array($value)) {
        foreach($value as &$item) {
            $item = sanitize($item);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
    }
    return $value;
}

Update:

For higher visibility: Bjoern's link to this question ( What's the best method for sanitizing user input with PHP? ) is really good.

No.

Use PHP Data Objects Or... Use a Database Abstraction Layer Or... Some framework that does this.

Don't write your own because:

  • Someone else has
  • Their code works fine
  • You can use their code for free
  • They thought of all the issues you don't know about yet.
  • It's a lot of work to do this, it's already been done, just spend twenty minutes and figure out someone else's code that does this.

If it is applied after the database connection was established, then it escapes the initial input data correctly.

Now you will have problems using such escaped values for HTML output however. And it does not protect against second order SQL injection (querying the database, then using those values as-is for a second query). And more importantly, most applications work on the input values. If you do any sort of rewriting or string matching, you might undo some of the escaping.

Hence why it is often recommended to apply the escaping right before the query is assembled. Nevertheless, the code itself is functional for the general case and advisable if you can't rewrite heaps of legacy code.
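An added example, not code from the question or from any of the answers, of the approach the first, second and fourth answers recommend: leave the input untouched, bind parameters with PDO prepared statements at the point the query is built (including for values read back from the database, which covers the second-order case), and encode only at HTML output. The users table, the in-memory SQLite connection and the sample input are all constructed for this example.

```php
<?php
// Added example: escape at the query, not at input, using PDO prepared
// statements so the driver handles quoting for the target database.
// Assumes a hypothetical users table with columns id, name, bio.

function connect(): PDO {
    // Constructed in-memory SQLite database so the example runs offline;
    // with MySQL you would pass a mysql: DSN and credentials instead.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)');
    return $pdo;
}

// Raw input is stored as-is: no stripslashes/mysql_real_escape_string on
// $_POST, so later rewriting or string matching cannot undo any escaping.
function createUser(PDO $pdo, string $name, string $bio): int {
    $stmt = $pdo->prepare('INSERT INTO users (name, bio) VALUES (:name, :bio)');
    $stmt->execute([':name' => $name, ':bio' => $bio]);
    return (int) $pdo->lastInsertId();
}

// Second-order case: a value that came from the database is bound again
// rather than concatenated into the next query.
function findByName(PDO $pdo, string $name): ?array {
    $stmt = $pdo->prepare('SELECT id, name, bio FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output encoding happens at the HTML boundary, not at input time.
function renderBio(array $row): string {
    return '<textarea>' . htmlspecialchars($row['bio'], ENT_QUOTES, 'UTF-8') . '</textarea>';
}

$pdo = connect();
// Constructed sample input containing a quote and markup; stored verbatim.
$id = createUser($pdo, "O'Brien", 'Likes <b>PHP</b> & "SQL"');
$row = findByName($pdo, "O'Brien");
echo renderBio($row), PHP_EOL;
```

Switching the DSN to MySQL changes nothing in the functions themselves, which is the point of letting the driver do the quoting.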

You should add html_entities. Most of the time you put $_POST variables into a textbox, like:

<textarea><?php echo $_POST['field']; ?></textarea>

They can mess up your HTML by filling in and doing anything they want.
