I'm optimizing a platform that uses ADODBforPHP. I used a sanitization function that avoids sql injections for previous versions of PHP (mysql_escape_string) which are obviously not longer supported nor recommended.
For those that haven't used the library, it goes something like this:
$rs = $cnn->Execute('SELECT * FROM user WHERE id_user='.q($_GET['id']));
Example when updating some row:
$record = array();
$record['name'] = q($_GET['name']);
$record['last_update'] = time();
$rsProfile = $cnn->Execute('SELECT * FROM user WHERE id_user='.q($_GET['id']));
$sql = $cnn->GetUpdateSQL($rsProfile,$record);
if($sql) $cnn->Execute($sql);
In this case, q($string) is the sanitize function, which i'm trying to improve. I don't have access to install PDO in this server, so that's not an option.
The current q() uses mysql_real_escape_string without the 2nd argument:
function q($data) {
if(!empty($data) && is_string($data)) {
$data = str_replace(array('\\', "\0", "
", "", "'", '"', "\x1a"), array('\\\\', '\\0', '\
', '\', "\\'", '\\"', '\\Z'), $data);
$data = "'".$data."'";
}
return $data;
}
Someone recommended filter_var($value, FILTER_SANITIZE_STRING) on another forum, but I honestly haven't used that for these matters.
Any recommendations on how to improve the security of this function's purpose?
Update 1
function q($data) {
if(is_string($data)) {
return "'".mysql_real_escape_string($data)."'";
} elseif(is_numeric($data) || is_bool($data)) {
return $data;
} else {
return "''";
}
}
