Protect your pages against sql injections
March 9, 2010
The following function inspects the request URL and looks for the (') apostrophe; if one is found, the URL is cut at that point and the page is reloaded using the cleaned URL.
function CleanRequest
/**
 * Remove ' (apostrophe) from URL and cut the url at the first occurrence of the apostrophe
 * Prevent sql injections.
 *
 * @author: Costin Trifan
 * @date: 06.05.2009
 * @status: release
 */
function CleanRequest( $use = 'http' )
{
    $url = utf8_decode($_SERVER['REQUEST_URI']);
    /*[ the apostrophe may arrive literally or percent-encoded as %27; keep the earliest hit ]*/
    $cut = false;
    foreach (array("'", '%27') as $needle) {
        if (($pos = stripos($url, $needle)) !== false && ($cut === false || $pos < $cut)) {
            $cut = $pos;
        }
    }
    if ($cut !== false)
    {
        $url = substr($url, 0, $cut);
        $url = $use.'://'.$_SERVER['HTTP_HOST'].utf8_encode($url);
        header("Location: ".$url); /*[ reload page using the cleaned url ]*/
        exit;
    }
}
This function can be called on individual pages, but I find it more useful when called from a config.php file so that it runs on every page of a website.
Edit, March 28: The $use argument has been removed.
/**
 * Remove ' (apostrophe) from URL and cut the url at the first occurrence of the apostrophe
 * Prevent sql injections.
 *
 * @author: Costin Trifan
 * @date: 06.05.2009
 * @status: release
 * @revision: March 28, 2010;
 * The $use argument has been removed.
 */
function CleanRequest()
{
    $use = 'http';
    if (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on')) { $use .= 's'; }
    $url = utf8_decode($_SERVER['REQUEST_URI']);
    /*[ the apostrophe may arrive literally or percent-encoded as %27; keep the earliest hit ]*/
    $cut = false;
    foreach (array("'", '%27') as $needle) {
        if (($pos = stripos($url, $needle)) !== false && ($cut === false || $pos < $cut)) {
            $cut = $pos;
        }
    }
    if ($cut !== false)
    {
        $url = substr($url, 0, $cut);
        $url = $use.'://'.$_SERVER['HTTP_HOST'].utf8_encode($url);
        header("Location: ".$url); /*[ reload page using the cleaned url ]*/
        exit;
    }
}
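The apostrophe filter above only sees $_SERVER['REQUEST_URI'], so it covers nothing sent in a POST body, a cookie or a header, it cannot catch input that needs no quote at all (a numeric parameter such as id=1 OR 1=1), and it cuts legitimate values that contain an apostrophe (a surname like O'Brien). The defence that closes the hole regardless of where the input came from is a prepared statement with a bound parameter. The script below is an added example, not code from the original post: it puts a testable version of the filter next to a parameterised lookup and checks both against constructed inputs in an in-memory SQLite database. The names cleanUri, findUserByName and the users table are hypothetical.

```php
<?php
// Added example: URL apostrophe filter versus a bound parameter.
// cleanUri/findUserByName and the users table are hypothetical; all
// inputs below are constructed sample data.

/**
 * Return the URI cut before the first apostrophe (literal or %27),
 * or null when there is nothing to cut. Pure function, so it can be
 * exercised without $_SERVER or header().
 */
function cleanUri(string $uri): ?string
{
    $positions = [];
    foreach (["'", '%27'] as $needle) {
        $pos = stripos($uri, $needle);   // stripos: %27 and %27 in upper/lower case both count
        if ($pos !== false) {
            $positions[] = $pos;
        }
    }
    return $positions === [] ? null : substr($uri, 0, min($positions));
}

/**
 * Look up users by name with a bound parameter. The value travels
 * separately from the SQL text, so quotes, comments or keywords in
 * $name cannot change the structure of the query.
 */
function findUserByName(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample data; the insert is parameterised as well.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
foreach (['alice', "O'Brien"] as $name) {
    $insert->execute([':name' => $name]);
}

// 1. The URL filter catches an encoded or literal apostrophe ...
check(cleanUri('/user.php?name=alice%27%20OR%20%271%27=%271') === '/user.php?name=alice', 'encoded quote cut');
// ... which also mangles a legitimate name ...
check(cleanUri("/user.php?name=O'Brien") === '/user.php?name=O', "O'Brien is cut too");
// ... and passes a quote-free numeric payload untouched.
check(cleanUri('/user.php?id=1%20OR%201=1') === null, 'no apostrophe, nothing cut');

// 2. With a bound parameter the same strings are just values: the
// tautology matches no row and the apostrophe in O'Brien is preserved.
check(count(findUserByName($db, "' OR 1=1")) === 0, 'injection string is a literal');
check(count(findUserByName($db, "O'Brien")) === 1, 'apostrophe handled as data');
check(count(findUserByName($db, 'alice')) === 1, 'normal lookup');

echo "all checks passed\n";
```

Run it with the PHP CLI (it needs the pdo_sqlite extension, which ships with most PHP builds); every check() call throws if the behaviour differs from the one described. The practical reading is that CleanRequest can stay in config.php as a cheap tripwire for obvious probes, but each query that touches user input should bind its parameters as findUserByName does.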
Categories: PHP, sql injections
Hm hm.. that's very interesting, but actually I have a hard time figuring it... wonder how others think about this..