urgh.
Flisker
08-12-2007, 11:19 AM
Hey,
I was browsing the forum one day and I found a nice clean() function someone made with enhanced stuff etc. Can someone find it please and I will +REP
It had SQL PHP code that it blocks :P
Thanks,
Chris
Jamieb
08-12-2007, 11:34 AM
Step 1)
Move your mouse to the search button like this..
http://img91.imageshack.us/img91/20/searchyz0.png
Step 2)
Now Press it and a box comes :O:O:O:O:O
http://img91.imageshack.us/img91/9674/search2ge9.png
Step 3)
Type in what you want.
http://img90.imageshack.us/img90/7315/search3rv9.png
Step 4)
And press go :)
Easy?
Flisker
08-12-2007, 11:36 AM
You're funny...
I already did that (or I wouldn't have posted this thread if I hadn't) and can't find it... :l
redtom
08-12-2007, 11:37 AM
Have you even seen the amount of results you get for it? Even using the advanced version and limiting the results, you have to go through pages and pages of results before you find what you want.
VistaBoy
08-12-2007, 11:40 AM
Was it that one that stops text like UPDATE, INSERT and all that??
Flisker
08-12-2007, 11:50 AM
yea, it was VistaBoy
redtom, yes I did.
VistaBoy
08-12-2007, 11:53 AM
Was it that one that stops text like UPDATE, INSERT and all that??
yea, it was VistaBoy
Yes, I was looking for that one the other day but I can't seem to find it as well :S
Flisker
08-12-2007, 11:56 AM
It's a shame I cleared my history or I would have found it.
You'd just need a function that ran all the input through mysql_real_escape_string. That filters out anything that may affect an SQL query.
MrCraig
08-12-2007, 11:32 PM
// Escapes a string before it goes into a MySQL query. mysql_real_escape_string
// needs an open mysql_connect() link, and the mysql_* extension was removed in PHP 7.
function clean($str)
{
$str = strip_tags(addslashes(stripslashes(htmlspecialchars($str))));
$str = mysql_real_escape_string($str);
return $str;
}
is the one I usually use.
Flisker
08-12-2007, 11:44 PM
Hmm, thanks, but I'm still in the search for the one with the MySQL stuff
Hmm, thanks, but I'm still in the search for the one with the MySQL stuff
That is the MySQL stuff. Anything else is completely unnecessary.
Flisker
09-12-2007, 12:00 AM
I saw it in the thread which stopped the UPDATE tag etc.
But theoretically, wouldn't you be using the UPDATE statement in some of your queries? If you weren't, just don't give the MySQL user your application is running under access to that function.
mysql_real_escape_string, along with other safeguards like sprintf will prevent any SQL being run via form inputs. There isn't a need for anything else.
Flisker
09-12-2007, 12:13 AM
SQL Injections
Obviously you're safeguarding against SQL injections. I wasn't expecting you to type in something like DROP database_name into your script :P
mysql_real_escape_string safeguards against SQL injections. You don't need another alternative, as it probably does exactly the same as the function you saw, if not more, with less server resources being taken up.
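Added example, not code from this thread or from any poster: a PHP script contrasting the keyword-stripping clean() the thread is hunting for with the escaping approach recommended above and with a prepared statement. It uses an in-memory SQLite database through PDO (with a constructed users table) so it runs without a MySQL server, and PDO::quote() stands in for mysql_real_escape_string; the function names clean_by_keyword, escaped_query and find_user_id are chosen here.

```php
<?php
// Added example, not from the thread. Runs offline against in-memory SQLite.

// 1. A keyword-blacklist clean(), the kind the thread is looking for.
//    Shown only to demonstrate why it is a poor defence.
function clean_by_keyword(string $str): string
{
    $keywords = ['UPDATE', 'INSERT', 'DELETE', 'DROP', 'UNION', 'SELECT'];
    foreach ($keywords as $kw) {
        $str = preg_replace('/\b' . $kw . '\b/i', '', $str);
    }
    return trim($str);
}

// 2. Escaping: the mysql_real_escape_string approach from the thread,
//    written with PDO::quote() so it works on SQLite. The value becomes a
//    correctly quoted SQL literal.
function escaped_query(PDO $db, string $username): string
{
    return 'SELECT id FROM users WHERE name = ' . $db->quote($username);
}

// 3. Prepared statement: the data is bound separately and never becomes
//    part of the SQL text, so no cleaning or escaping is needed at all.
function find_user_id(PDO $db, string $username): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute([':name' => $username]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Constructed sample data for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('Update Smith'), ('O''Brien')");

// The blacklist mangles a legitimate name, so the real user is no longer found.
echo "blacklist rewrote 'Update Smith' to: ", clean_by_keyword('Update Smith'), "\n";
var_dump(find_user_id($db, clean_by_keyword('Update Smith')));

// The blacklist does nothing about the quote character, which is what actually
// lets input change the meaning of a query: concatenating the "cleaned" value
// still produces a malformed statement.
$raw = "SELECT id FROM users WHERE name = '" . clean_by_keyword("O'Brien") . "'";
try {
    $db->query($raw);
} catch (PDOException $e) {
    echo "blacklist left the quote in place, query failed: ", $e->getMessage(), "\n";
}

// Escaping produces a valid literal, and the prepared statement finds the user
// without touching the input at all.
echo escaped_query($db, "O'Brien"), "\n";
var_dump($db->query(escaped_query($db, "O'Brien"))->fetchColumn());
var_dump(find_user_id($db, "O'Brien"));
var_dump(find_user_id($db, 'alice'));
```

Run it with `php example.php`. The point the thread circles around is visible in the output: stripping words such as UPDATE breaks ordinary data and still leaves the quote character untouched, whereas escaping or, better, a prepared statement keeps every query well formed regardless of what the input contains.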
Flisker
09-12-2007, 12:16 AM
OK, thanks :D I'll be showing the public the script I made soon :P