https://stackoverflow.com/questions/22131599
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianThere's no way for us to tell if that solves the issue, because we don't see how you the application code is using the $_GET, $_POST and $_REQUEST variables. It might actually break other uses of the request variables to force them all to have escaping.
- You might use them as unquoted numeric values in SQL, instead of as quoted string or date literals. Escaping doesn't help unless you're quoting the values in SQL.
- You might use them as column names, SQL keywords, etc. Escaping is only for strings and dates, it doesn't escape the back-tick.
- You might not use them in SQL at all. You might use them for some other function argument, or in a
casestatement or as an associative array key, etc.
Basically, you're trying to do the same thing that magic quotes used to do, but magic quotes was deprecated because it's a bad idea to have a one-size-fits-all solution for security. It's just based on too many assumptions that turn out not to be true.
The proper solution (if you must stick with ext/mysql for now) is to apply filtering or escaping to request variables as you use them in SQL.
Of course it's best to upgrade to ext/mysqli or PDO, and use query parameters. But I realize this is a lot more work to adapt a large codebase to a new API, and you're looking for what you can do short-term.
You might also look at mod_security, which can help you filter out suspicious patterns of request variables without changing any PHP code at all. But it's also a lot of work to design mod_security rules that will work for your app without blocking legitimate requests.
