I've got legacy PHP code which attempts to prevent script/SQL injection with the following:

if (!empty($_POST)) {
    reset($_POST);
    // each() is deprecated since PHP 7.2 and removed in PHP 8; the $arr{$k}
    // brace syntax for array access is deprecated since 7.4 and removed in 8.
    while (list($k, $v) = each($_POST)) {
        if (!is_array($_POST{$k})) {
            // Entity-encode the value; ENT_QUOTES also encodes ' and ".
            // (str_replace("&", "&", ...) replaces & with itself, so it changes nothing.)
            $val = str_replace("&", "&", htmlentities($v, ENT_QUOTES));
            // Variable variable: creates a global named after the POST key,
            // the same behaviour as register_globals.
            $$k = $val;
            //$_POST{$k}=$val;

            if (!get_magic_quotes_gpc()) {
                $_POST{$k} = $val;
            } else {
                // magic_quotes_gpc already added backslashes; strip them again.
                $_POST{$k} = stripslashes($val);
            }
        }
    }
}

The same is exactly replicated for $_GET as well.

Is this enough to prevent script/SQL injection?

1 Answer

No. It's blacklist-based; it tries to take care of specific tricks involving HTML entities. It doesn't even require magic_quotes, and magic_quotes has been deprecated as inadequate. Chris Shiflett is just one of many who've written a blog post explaining how vulnerable that is; it won't even stop modern automated script-kiddie attacks.

Use prepared statements in the database, and you'll be most of the way there, although even prepared statements aren't foolproof.
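The answer's two points, shown in code as an added example that is not part of the question or the answer: entity-encoding at input time leaves payloads for unquoted contexts untouched (a numeric SQL comparison, a javascript: URL), and a prepared statement with a typed bind closes the SQL half regardless of what the value contains. The filter is reduced to the htmlentities() call from the question with magic_quotes assumed off (true on any PHP 5.4 or later); the attacker inputs and the in-memory SQLite table are constructed for the demo and assume the PDO SQLite driver is installed.

```php
<?php
declare(strict_types=1);

// What the question's loop does to a scalar value once magic_quotes is off:
// just htmlentities() with ENT_QUOTES (the str_replace in the question is a no-op).
function legacy_sanitize(string $v): string
{
    return htmlentities($v, ENT_QUOTES);
}

// Constructed attacker inputs. Neither contains ', ", < or >, so the entity
// encoder has nothing to encode and returns them unchanged.
const ATTACKER_ID  = "1 OR 1=1";            // unquoted numeric SQL context
const ATTACKER_URL = "javascript:alert(1)"; // goes straight into an href

// Constructed fixture: in-memory SQLite so the example runs offline.
function make_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)");
    $pdo->exec("INSERT INTO users VALUES (1, 'alice', 'a-secret'), (2, 'bob', 'b-secret')");
    return $pdo;
}

// Vulnerable: the "sanitised" value is interpolated into an unquoted comparison.
// With ATTACKER_ID the query becomes ... WHERE id = 1 OR 1=1 and returns every row.
function fetch_user_interpolated(PDO $pdo, string $id): array
{
    $safe = legacy_sanitize($id);
    $sql  = "SELECT id, name FROM users WHERE id = $safe";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: prepared statement plus a typed bind. The value is sent as data,
// never parsed as SQL, so at most the one intended row comes back.
function fetch_user_prepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT); // cast, don't entity-encode
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = make_db();

printf("filter leaves SQL payload as: %s\n", legacy_sanitize(ATTACKER_ID));   // 1 OR 1=1
printf("filter leaves URL payload as: %s\n", legacy_sanitize(ATTACKER_URL));  // javascript:alert(1)
printf("interpolated query returns %d rows\n", count(fetch_user_interpolated($pdo, ATTACKER_ID))); // 2
printf("prepared query returns %d rows\n", count(fetch_user_prepared($pdo, ATTACKER_ID)));         // 1
```

Binding the raw string with PDO::PARAM_STR instead of casting would also be safe: SQLite would then compare the integer column against the literal text "1 OR 1=1" and return no rows, but never two. The javascript: line is there to make the same point for the "script injection" half of the question: encoding at input time cannot know whether the value will land in an HTML body, an attribute, or a URL, so the appropriate encoding has to be chosen at each output sink.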
