POS410 SQL sanitizer example
<?php
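/**
 * Minimal query helper built on the legacy mysql_* extension.
 *
 * Values are escaped with mysql_real_escape_string() and substituted into a
 * printf-style template. That escaping is only meaningful for a placeholder
 * that sits inside a single-quoted SQL string literal ('%s'); an unquoted %s
 * or a %d/%f placeholder receives no protection from this class. The mysql
 * extension was removed in PHP 7.0; prepared statements (PDO/mysqli) are the
 * replacement for new code and do not depend on string escaping at all.
 */
class Mysql {
    /**
     * Format a query with queryf() and run it on the implicit mysql connection.
     *
     * Takes the same arguments as queryf(). Returns whatever mysql_query()
     * returns for the rendered statement.
     */
    static public function query() {
        $args = func_get_args();
        return mysql_query(call_user_func_array(array(__CLASS__, 'queryf'), $args));
    }

    /**
     * Build a query string from a printf-style template and escaped values.
     *
     * The first argument is the template; every following argument is run
     * through escape() and then substituted with vsprintf().
     *
     * @throws RuntimeException when a value cannot be escaped (no MySQL
     *         connection available) instead of rendering it as an empty string.
     */
    static public function queryf() {
        $args = func_get_args();
        $query = array_shift($args);
        $escaped = array_map(array(__CLASS__, 'escape'), $args);
        return vsprintf($query, $escaped);
    }

    /**
     * Escape one value for use inside a single-quoted SQL literal.
     *
     * mysql_real_escape_string() returns false (with a warning) when it has no
     * connection to work with. Passing that false on to vsprintf() would render
     * it as '' and emit a query with the value silently missing, so failure is
     * turned into an exception here.
     */
    static private function escape($value) {
        $escaped = mysql_real_escape_string($value);
        if ($escaped === false) {
            throw new RuntimeException('mysql_real_escape_string() failed: no MySQL connection available');
        }
        return $escaped;
    }
}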
# example usage: query user login
# Both placeholders sit inside single-quoted literals, so an escaped quote in
# the value cannot terminate the string. queryf() only renders the SQL; nothing
# is sent to a server here. (A real login check compares against a stored
# password_hash() with password_verify(), not a plaintext column in SQL; the
# plaintext comparison is kept only to exercise the escaping.)
list($email, $password) = array("Robert O'Malley", 'helloWorld11');
echo Mysql::queryf("SELECT * FROM users WHERE email='%s' AND password='%s';", $email, $password);
// => SELECT * FROM users WHERE email='Robert O\'Malley' AND password='helloWorld11';

# example usage: sql injection
# The leading quote in the payload is escaped, so the whole payload stays inside
# the email literal instead of closing it and starting a new statement.
list($email, $password) = array("'; DROP TABLE users; -- ", '');
echo Mysql::queryf("SELECT * FROM users WHERE email='%s' AND password='%s';", $email, $password);
// => SELECT * FROM users WHERE email='\'; DROP TABLE users; -- ' AND password='';
?>