Does this php code secure me from SQL injection and XSS?_问答_开发者

Does this php code secure me from SQL injection and XSS?

开发者 https://www.devze.com 2023-01-24 02:44 出处：网络

I have sanitize class that I run before anything else on every pa开发者_如何学JAVAge of my site. I\'m pretty sure addslashes is the same as escaping with mysql_real_escape_string heres the class.

I have sanitize class that I run before anything else on every pa开发者_如何学JAVAge of my site. I'm pretty sure addslashes is the same as escaping with mysql_real_escape_string heres the class.

class sanatize
{
private static $singleton;

function __construct(){

    $_CLEAN_POST = array();
    $_CLEAN_GET = array();
    $_CLEAN_REQUEST = array();

    foreach($_REQUEST as $key => $value)
    {
        $key = addslashes(trim(strip_tags($key)));
        $value = addslashes(trim(strip_tags($value)));

        $_CLEAN_REQUEST[$key] = $value;
    }
    foreach($_GET as $key => $value)
    {
        $key = addslashes(trim(strip_tags($key)));
        $value = addslashes(trim(strip_tags($value)));

        $_CLEAN_GET[$key] = $value;
    }
    foreach($_POST as $key => $value)
    {
        if(is_array($value)){
            foreach($value as $key2 => $value2){

                $key2 = addslashes(trim(strip_tags($key2)));
                $value2 = addslashes(trim(strip_tags($value2)));

                $_CLEAN_POST[$key][$key2] = $value2;
            }
        }
        else{
            $key = addslashes(trim(strip_tags($key)));
            $value = addslashes(trim(strip_tags($value)));

            $_CLEAN_POST[$key] = $value;
        }
    }
    $_POST = array();
    $_GET = array();
    $_REQUEST = array();

    $_POST = $_CLEAN_POST;
    $_GET = $_CLEAN_GET;
    $_REQUEST = $_CLEAN_REQUEST;
}
function __destruct()
{
    //echo "cleaned";
}

public static function getInstance()
{
    if(is_null(self::$singleton))
    {
        self::$singleton = new sanatize();
    }
    return self::$singleton;
}
}

and then i'll call it using

$sanatize = sanatize::getInstance();

"I'm pretty sure addslashes is the same as escaping with mysql_real_escape_string heres the class."

First, it's not. mysql_real_escape_string is aware of the connection, and takes that connection's character set into account.

Second, you're basically replicating the failed magic_quotes design. Not all of those fields are going into the database, so you're doing unnecessary work. You also have to be careful never to re-escape something in a "clean" array; double-escaping is a very common problem.

In my opinion, the simplest solution to SQL injection is prepared statements. I recommend using either PDO or mysqli.

EDIT: Since you're already using mysqli, you should forget about this CLEAN idea, and simply use MySQLi_STMT. mysqli::prepare gives an example of how to create and bind variables to a prepared statement. Note the ? place-holder. Also look at mysqli_stmt::bind_param.