[PHP] Protection Tutorial

Baseball435
Posts: 548
Joined: Sun May 30, 2010 3:49 am

Post by Baseball435 »

When people post a new site that they made, the first thing I check for is whether or not they have protected against harmful injections. These injections can cause you to lose important information like passwords because you didn't put in just a few lines of code, and this can cause major problems. They can also make code run on the website without the website knowing that it isn't supposed to happen. For example, I could inject JavaScript into the field where I put my username; then, when someone goes to, for example, my profile where it displays my name, it's going to grab the value of the username and print it out. So I could make it so that whenever they visit my profile it takes their cookies or displays an alert message, things like that, which can prove deadly. And I'm not saying that if I find a vulnerability I instantly start taking everyone's passwords; I let them know so that they can fix it and learn from it. But it's better to learn about injections before you post your site on the internet, because a person that isn't so nice might come and hack your website. So I'm going to show you an easy way to protect against these injections using a simple little function I made.

Now this function that I'm going to show you can either be put into a class or it can be put into a file and you can just use it directly. It's up to you, it really doesn't matter; the class way just lets you use it multiple times by typing one line. Anyway, here is the function:

Code:

function protect($string)
{
    // Escapes quotes, backslashes and NUL bytes for use inside a MySQL string literal.
    // Needs an open mysql_* connection; the mysql_* extension was removed in PHP 7.
    $string = mysql_real_escape_string($string);
    // Converts characters with an HTML entity equivalent (<, >, &, quotes) into entities.
    $string = htmlentities($string);
    // Removes backslashes, including the ones mysql_real_escape_string just added.
    $string = stripslashes($string);
    // Removes any remaining HTML and PHP tags.
    $string = strip_tags($string);
    return $string;
}
So that is practically the function. It simply takes the string that the user submitted as the parameter and runs 4 functions that come with PHP over it:
  • mysql_real_escape_string - This escapes the characters that could break out of a MySQL string, which is what protects against SQL injection.
  • htmlentities - This converts characters that have a meaning in HTML into entities, so markup in the input is displayed rather than interpreted.
  • stripslashes - This simply removes any backslashes from the string.
  • strip_tags - This removes any tags like <html>, <body>, <br />, etc.
So those are the four functions, and you can put them into a class so that when you include the class in the file by doing:

Code:

include(*theclass*);
at the top of the file where *theclass* is the path to the file with the function, you can use the protect function.

When will you want to use this?
There are a few places where you will want to use this function. Practically, you will want to use it whenever you get user input, for example from $_POST or $_GET. Those are the most important places to use it, because if you don't you run the risk of getting hacked.
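As an added example (not code from the original post), here is how the same two risks the tutorial describes, SQL injection and script in a displayed username, are handled per context in current PHP: a prepared statement keeps input out of the SQL text, and htmlspecialchars encodes it at the moment it goes into HTML. It assumes PHP 7.4 or later with the pdo_sqlite extension; the users table and the sample username are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Storage: a prepared statement sends the value separately from the SQL text,
// so quotes or backslashes in a username cannot change the query.
function saveUser(PDO $db, string $username): void
{
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (:name)');
    $stmt->execute([':name' => $username]);
}

function findUser(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

// Output: encode where the value is placed into HTML, so a username containing
// <script> is shown as text instead of being run by the visitor's browser.
function renderProfile(string $username): string
{
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Profile of {$safe}</p>";
}

// Constructed in-memory database for the demo (no real site data involved).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');

// Constructed sample input: a quote (matters for SQL) and a tag (matters for HTML).
$input = "O'Brien <script>alert(1)</script>";
saveUser($db, $input);

// The stored value is exactly what was submitted: nothing stripped or doubled,
// which is what the strip/escape approach cannot guarantee.
if (findUser($db, $input) !== $input) {
    throw new RuntimeException('stored value was altered');
}

// The rendered page contains no raw tag; the browser displays it literally.
$html = renderProfile($input);
if (strpos($html, '<script>') !== false) {
    throw new RuntimeException('markup leaked into output');
}
echo $html, PHP_EOL;
```

The point the function-based approach misses is that escaping is context specific: the database needs one encoding (or, better, parameters) and the HTML page another, applied at each output point rather than once on input.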

So I hope this helps someone, and if you need help implementing the function, just post in the comments and I'll help. Good luck!
~baseball435