0

I'd like to use a variable like $GET[name] that always outputs a MySQL-safe version of $_GET[name], even if the value of $GET[name] changes somewhere in the script.

So:

$_GET[name] = "Timmy O'Toole";
echo $GET[name]; // Timmy O\'Toole
$_GET[name] = "Tommy O'Toole"; 
echo $GET[name]; // Tommy O\'Toole

Is this doable? If not, can you think of any other way that might work that doesn't involve an actual function call? (I'd like to be able to use the variables inside strings and have them automatically evaluate, rather than having to do a whole lot of concatenation.)

Update:

I used a version of mario's solution, and it seems to work:

// Assume $_REQUEST['name'] = "Timmy O'Toole";

class request_safe_vars IMPLEMENTS ArrayAccess {
    var $array = array();
    function offsetGet($varname) {
        return mysql_real_escape_string($_REQUEST[$varname]);        
    }
    function offsetSet($name, $value) { }  
    function offsetUnset($name) { }
    function offsetExists($name) { }
}  

$REQUEST = new request_safe_vars();

$_REQUEST['name'] = $_REQUEST['name'].' MODIFIED';

$query = "SELECT id FROM user WHERE name = '{$REQUEST['name']}'";  

// Query output:
// SELECT id FROM user WHERE name = 'Timmy O\'Toole MODIFIED'
Improve this question
2
  • 1
    Tip: If you're able to reference a string array key without PHP complaining, your error level is too low for you to safely develop code. Please include these two statements at the top of your code, they will help you locate and find many lurking problems: ini_set('display_errors',true); error_reporting(-1); Commented Mar 13, 2011 at 3:11
  • Is that a reference to The Simpsons? Commented Mar 13, 2011 at 3:25

3 Answers 3

Reset to default
3

You don't want to do this.

Rather, the thing you're trying to do -- ensure that the database gets only sane values -- is correct, but the way you're going about it is a bad approach.

Instead of escaping all input as it comes in, you should escape it when you use it by choosing a database adapter that has this functionality built in. PDO is a great example of such a database adapter. PDO uses prepared statements and parameter binding to automatically escape and quote input. Here's an example that binds placeholders at execution time:

$statement = $pdo->prepare('SELECT id FROM users WHERE name = ?');
$statement->execute(array( $_GET['name'] ));
if($statement->rowCount() > 0) {
    echo "I found you!";
} else {
    echo "You don't exist. :(";
}

Prepared statements with placeholders and binding is the most sane and safe way to ensure that SQL is safe from attack.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

What I'm trying to do is find a just-as-safe alternative to prepared statements. As far as I know, "SELECT id FROM users WHERE name = '".mysql_real_escape_string($_GET['name'])."'" should be reasonably secure -- but I'd rather be able to do something like "SELECT id FROM users WHERE name = {$GET['name']}" and have the variable $GET['name'] act as if it's a function that returns the mysql_real_escape_string value.
Prepared statements are the industry-standard solution to this problem. There are lots of "alternatives" that happen to be just as safe, but that's because they emulate the same process, and usually have the same general prepare-bind-execute interface. You'll be just as well off using the real thing instead of using a knockoff, or worse, building a custom solution.
1

That's doable with an object that implements ArrayAccess. By turning $GET into an object you can have a magic offsetSet and offsetGet method which can accomplish this.

class safe_vars IMPLEMENTS ArrayAccess {
    var $array = array();

    function offsetGet($varname) {
        return mysql_real_escape_string($this->array[$varname]);
    }

    function offsetSet($name, $value) {  
        $this->array[$name] = $value;
    } 

    function offsetUnset($name) {  }
    function offsetExists($name) {  }
}

This is how you would use it:

$GET = new safe_vars();
$GET["name"] = "Timmy O'Toole";
echo $GET["name"]; // Timmy O\'Toole

I actually have something similar (but never implemented the set part) which specifically works on $_GET (as listed in your question). http://sourceforge.net/p/php7framework/svn/60/tree/trunk/php7/input.php?force=True - It can be configured to apply the sql filter per default for example. Though that approach feels a bit like magic_quotes even if it uses the correct escaping function.

Improve this answer

Comments

0

First off, put quotes around 'name' unless you purposely define it as a constant.

Another suggestion would be to use a DB wrapper class such as PDO, mysqli, or your own, and use prepared statements and have the input escaped for you. This has the benefit of escaping data at the last possible time, which is optimal. Either that or you can create a very simple wrapper function, e.g.

function get($key) {
   return isset($_GET[$key]) : mysql_real_escape_string($_GET[$key]) : null;
}

The problem with defining a class (unless you use it only statically) is that this strips $_GET of its superglobal status and you are forced to use either globals (evil) or pass all get arguments to local closures.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.