function works on local not on remote

arp1445

hi... I'm using x10's free hosting service...
I wrote a function as below:
PHP:
function prevent_url_injection($unsafe) {
        // preventing from sql injection by url get method
        $find_eveil_chars = array("'", "\"", "#", "//", "/*", "*/", "--");
        $safe = str_replace($find_eveil_chars, "", $unsafe);
        return $safe;
}

I wrote this function to prevent URL injection.
This works fine on my local server... But it's not working on the remote server...
The strange thing is: 1) I created a new PHP file (for test only) and it works fine on the remote server. 2) When I try with my existing files - including it, or writing the function standalone - it did not work :(

Can anyone tell me how to fix it and what's going on?
Thanks in advance.
 

misson

Never write your own SQL escape function. It's too easy to get something wrong and completely unnecessary. The database extensions provide their own functions to prevent SQL injection. In any case, you shouldn't be escaping data, you should be using prepared statements; prepared statement parameters aren't vulnerable to injection.

For an example of how your function gets something wrong, how does it handle the entirely valid name of "O'Neill"?
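
The point of the reply above, as an added example that is not part of the original thread: the posted filter run next to a PDO prepared statement and an integer check for the id. The in-memory SQLite database, the `users` table and the `fetch_user` helper are assumptions made for the illustration.

```php
<?php
// Added example with constructed data; assumes the pdo_sqlite extension is available.

// The filter from the first post, behaviour unchanged.
function prevent_url_injection($unsafe) {
    $find_evil_chars = array("'", "\"", "#", "//", "/*", "*/", "--");
    return str_replace($find_evil_chars, "", $unsafe);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

// 1) The filter corrupts valid data: the apostrophe in the name is dropped.
var_dump(prevent_url_injection("O'Neill"));

// 2) The filter is not a numeric check: a value that is not a number but
//    contains none of the listed characters comes back unchanged.
var_dump(prevent_url_injection("5 OR 1=1"));

// Prepared statement: the name is bound as data, so it is stored intact
// and is never parsed as part of the SQL text.
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => "O'Neill"]);

// For a numeric id taken from the query string: validate the type first,
// then bind it as an integer parameter. $rawId stands in for $_GET['id'].
function fetch_user(PDO $pdo, $rawId) {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // not a positive integer: reject instead of "cleaning"
    }
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['name'];
}

var_dump(fetch_user($pdo, "1"));        // valid id: the stored name, apostrophe included
var_dump(fetch_user($pdo, "5 OR 1=1")); // rejected by the integer check
```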
 

arp1445


Hmm.. that's interesting... I'll use prepared statements.
But my function was only to get a numeric id from the GET method... so it won't even show any errors in spite of bad/evil chars from the URL...

---------- Post added at 08:28 AM ---------- Previous post was at 08:25 AM ----------

Define "does not work".
Sorry for my bad English :p *edited*
 

misson

When descalzo wrote that he wanted you to define "does not work", it's not because your statement was grammatically incorrect, it's because "does not work" is ambiguous. We can't know how it's not doing what you want. Are you getting an error? Is the function not returning the value you expect for some input? "Does not work" tells us nothing about what's going on. Always state explicitly what you want (or expect) and what you actually get, which includes any error messages.
 

arp1445

OK, sorry - thanks for the explanation, I got it!

No error, it's like a ghost bug.
The function is OK, it passes values correctly - returns values also correctly.
But it should return the cleaned-up value -- it's not cleaning up.

That's where the problem is.
What I'm saying is, this function works fine when I create a new PHP file for test purposes, but not in production mode.
It's very strange.

Thanks.
 

descalzo

How are you passing/getting the strings? Be specific.

Examples? Does it ever work properly?
 