Posts Tagged ‘sql injections’

Protect your pages against sql injections

March 9, 2010

The following function inspects the request URL for an apostrophe ('); if one is found, the URL is cut at the first apostrophe and the page is reloaded with the cleaned URL.

<?php
/**
 * Remove ' (apostrophe) from the URL by cutting the URL at the first occurrence of the apostrophe.
 * Prevent sql injections.
 *
 * @author: Costin Trifan
 * @date: 06.05.2009
 * @status: release
 */
function CleanRequest( $use = 'http' )
{
	// REQUEST_URI is the raw path and query string as sent by the client;
	// browsers normally send the apostrophe percent-encoded as %27, which is the form matched here.
	$url = $_SERVER['REQUEST_URI'];
	$url = utf8_decode($url);
	if (($pos = strpos($url, '%27')) !== false)
	{
		$url = substr($url, 0, $pos);
		$url = $use.'://'.$_SERVER['HTTP_HOST'].$url;
		header("Location: ".$url); /*[ reload page using the cleaned url ]*/
		exit;
	}
}

This function can be called on individual pages, but I find it more useful when called from a config.php file that every page includes, so it runs on all pages of a website.

Edit (March 28): The $use argument has been removed; the scheme is now detected from $_SERVER['HTTPS'].


<?php
/**
 * Remove ' (apostrophe) from the URL by cutting the URL at the first occurrence of the apostrophe.
 * Prevent sql injections.
 *
 * @author: Costin Trifan
 * @date: 06.05.2009
 * @status: release
 * @revision: March 28, 2010;
 *	The $use argument has been removed.
 */
function CleanRequest()
{
	// Detect the scheme so the redirect stays on https when the request came in over TLS.
	$use = 'http';
	if (isset($_SERVER["HTTPS"]) && ($_SERVER["HTTPS"] == "on")) {$use .= 's';}

	$url = utf8_decode($_SERVER['REQUEST_URI']);
	// Match the percent-encoded apostrophe (%27, either case) as well as a raw apostrophe,
	// and cut at whichever comes first.
	$positions = array();
	if (($p = stripos($url, '%27')) !== false) { $positions[] = $p; }
	if (($p = strpos($url, "'")) !== false)    { $positions[] = $p; }
	if (count($positions) > 0)
	{
		$url = substr($url, 0, min($positions));
		// HTTP_HOST comes from the client's Host header; the web server should only accept the host names it serves.
		$url = $use.'://'.$_SERVER['HTTP_HOST'].utf8_encode($url);
		header("Location: ".$url); /*[ reload page using the cleaned url ]*/
		exit;
	}
}
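An added example (my code, not the post's): the same apostrophe cut written as a pure function that can be checked without sending headers or calling exit(), a config.php-style wrapper that redirects with a relative Location so it does not have to trust the client-supplied Host header, and, because cutting apostrophes out of the URL only narrows one input channel (POST bodies, cookies and headers are untouched), the parameterized query that keeps an apostrophe from ever reaching the SQL parser. The function names, the sample URIs and the SQLite table are constructed for this example; it assumes PHP 7.1 or later and the pdo_sqlite extension.

```php
<?php
// Added example, not the post's code. Assumes PHP >= 7.1 and pdo_sqlite.

/**
 * Return the request URI cut at the first apostrophe (raw ' or percent-encoded %27),
 * or null when there is nothing to clean. Pure function: no globals, no headers.
 */
function cleanRequestUri(string $uri): ?string
{
    $positions = array();
    if (($p = stripos($uri, '%27')) !== false) { $positions[] = $p; }
    if (($p = strpos($uri, "'")) !== false)    { $positions[] = $p; }
    if (count($positions) === 0) {
        return null;
    }
    return substr($uri, 0, min($positions));
}

/**
 * Wrapper meant for config.php. A relative Location (permitted by HTTP) is enough
 * for a same-site reload, so the redirect does not depend on $_SERVER['HTTP_HOST'].
 * With $send = false it only reports whether a redirect would happen, which makes it testable.
 */
function redirectIfUriHasApostrophe(array $server, bool $send = true): bool
{
    $clean = cleanRequestUri($server['REQUEST_URI'] ?? '/');
    if ($clean === null) {
        return false;
    }
    if ($clean === '') {
        $clean = '/';
    }
    if ($send) {
        header('Location: ' . $clean, true, 302);
        exit;
    }
    return true;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException('check failed: ' . $what);
    }
}

// Constructed sample request URIs for a self-check (not captured traffic).
$samples = array(
    '/article.php?id=12'               => null,               // nothing to clean
    '/article.php?id=12%27%20OR%201=1' => '/article.php?id=12',
    "/article.php?id=12' OR 1=1"       => '/article.php?id=12',
    '/search.php?q=o%27brien'          => '/search.php?q=o',  // legitimate names are cut too
);
foreach ($samples as $in => $expected) {
    check(cleanRequestUri($in) === $expected, "cleanRequestUri($in)");
}
check(redirectIfUriHasApostrophe(array('REQUEST_URI' => '/a.php?x=1'), false) === false, 'no redirect');
check(redirectIfUriHasApostrophe(array('REQUEST_URI' => '/a.php?x=%27'), false) === true, 'redirect');

// The database-side defence: bind the value instead of concatenating it into the SQL text.
// An in-memory SQLite database keeps the example self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO article (id, title) VALUES (12, 'first'), (13, 'second')");

$stmt = $db->prepare('SELECT id, title FROM article WHERE id = :id');

$stmt->execute(array(':id' => '12'));
check(count($stmt->fetchAll(PDO::FETCH_ASSOC)) === 1, 'bound value 12 matches one row');

$stmt->execute(array(':id' => "12' OR 1=1"));   // the apostrophe is plain data here, not SQL
check(count($stmt->fetchAll(PDO::FETCH_ASSOC)) === 0, 'bound value cannot widen the WHERE clause');

echo "all checks passed\n";
```

The last sample in the table shows the cost of the URL filter: a search for "o'brien" is silently truncated to "o". The prepared statement has no such cost, because the apostrophe is bound as a value and the query text never changes, which is why the filter is best treated as a supplement to parameterized queries rather than a replacement for them.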
Categories: PHP