We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

Secure your SQL

  • sottwell Reply #1, 18 years, 2 months ago
    Taken from the PHP documentation, this works as-is for PHP >= 4.3 to keep evildoers from trying to hack your database. Remember, evildoers can work around any client-side javascript validation!

    If you are using the MODx DBAPI, remove the part that sets the single quote if not integer, since MODx adds single quotes.

    function quote_smart($value)
{
   // Stripslashes
   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }
   // Quote if not integer - remove or comment out if using MODx DBAPI
   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value) . "'";
   }

// if using MODx DBAPI uncomment this
//  $value = mysql_real_escape_string($value);

   return $value;
}


    Filter all of your incoming data through this:

    $val1 = quote_smart($_POST['value1']);
$val2 = quote_smart($_POST['value2']);
$query = "INSERT INTO $dbase.$table (`field1`, `field2`) VALUES ($val1, $val2)";
      Studying MODX in the desert - http://sottwell.com
      Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
      Join the Slack Community - http://modx.org
      • 32963
      • 1,732 Posts
      xwisdom Reply #2, 18 years, 2 months ago
      Thanks for sharing susan.

      There’s also safehtml for XSS

      http://pixel-apes.com/safehtml/
        xWisdom
        www.xwisdomhtml.com
        The fear of the Lord is the beginning of wisdom:
        MODx Co-Founder - Create and do more with less.
      • Ryan Thrash Reply #3, 18 years, 2 months ago
        Now that’s a really cool bit of code. Nice find Raymond!
          Ryan Thrash, MODX Co-Founder
          Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
          • 12879
          • 13 Posts
          indie Reply #4, 17 years, 11 months ago
          Quote from: xwisdom at Feb 09, 2006, 04:12 PM

          Thanks for sharing susan.

          There’s also safehtml for XSS

          http://pixel-apes.com/safehtml/

          Great piece of code! I was doing something like this just recently but this is way better, thanks for the link! grin

          ---Indie
          • sottwell Reply #5, 17 years, 11 months ago
            This is nice, because until there is a MODx DB API available for external use, such as in AJAX requests, the back-end request handling code needs to thoroughly validate all incoming data before it gets used.
              Studying MODX in the desert - http://sottwell.com
              Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
              Join the Slack Community - http://modx.org