Removing sql injection

Klown
Posts: 89
Joined: Tue Feb 22, 2011 5:59 am

Removing sql injection

Post by Klown »

I don't know about you guys, but I hate PHP's extremely long function names. So I wrote a small func to quickly remove harmful injection from any variable I send into a mysql_query. If you guys don't use the stripslashes, it can simply be removed from the func and you can just use the real escape string.

It's extremely simple, but I hope it helps some of you who might want a shortcut. :|

/* REMOVE SQL INJECTION */
/* Needs an open mysql_* connection: mysql_real_escape_string() takes its
   quoting rules (and character set) from that connection. stripslashes()
   first undoes any slashes added by magic_quotes_gpc so the value is not
   escaped twice. Only correct for values placed inside quotes in the SQL. */
function safe($var){
    $var = stripslashes($var);
    return mysql_real_escape_string($var);
}
-klown
if( $myGames != "Crap" ) {
    please_donate( $money );
} else {
    just_enjoy();
}
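The approach the thread is circling around (escape every value before concatenating it into the query) can be replaced by letting the driver separate the SQL from the data. The following is an added example, not Klown's code or anything from the thread: it uses PDO prepared statements with placeholders, so the value never reaches the SQL parser as code, and it shows PDO::quote() as the closest analogue of the safe() helper. It runs offline against an in-memory SQLite database (assumed available via pdo_sqlite); for MySQL you would swap the DSN for a mysql: one and set PDO::ATTR_EMULATE_PREPARES to false. The table and player names are constructed sample data.

```php
<?php
// Added example, not from the original post. Assumes the pdo_sqlite driver.

function openDb(): PDO
{
    // In-memory database so the example needs no server. For MySQL:
    // new PDO('mysql:host=...;dbname=...;charset=utf8mb4', $user, $pass)
    // and also set PDO::ATTR_EMULATE_PREPARES => false.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT NOT NULL, gold INTEGER NOT NULL)');
    return $pdo;
}

// Insert with placeholders: $name may contain quotes or backslashes and is
// still stored verbatim, because it is sent as a bound value, not as SQL text.
function addPlayer(PDO $pdo, string $name, int $gold): int
{
    $stmt = $pdo->prepare('INSERT INTO players (name, gold) VALUES (:name, :gold)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':gold', $gold, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Look up by name: the bound value is compared literally, so a name such as
// O'Brien matches only the row whose name really is O'Brien.
function findPlayer(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, gold FROM players WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escaping helper in the same spirit as safe(). Like mysql_real_escape_string()
// it needs an open connection, because quoting rules depend on the driver and
// character set. Use it only for SQL fragments that cannot be bound; prefer
// placeholders everywhere else.
function safeLiteral(PDO $pdo, string $value): string
{
    return $pdo->quote($value);
}

$pdo = openDb();
addPlayer($pdo, "O'Brien", 120);          // constructed sample data
addPlayer($pdo, 'Klown\\Backslash', 5);

var_dump(findPlayer($pdo, "O'Brien"));     // the row, name stored intact
var_dump(findPlayer($pdo, "nobody"));      // NULL: no such player
echo safeLiteral($pdo, "O'Brien"), "\n";   // 'O''Brien' (quoted and escaped)
```

Because the placeholder carries the type as well as the value, the same code is correct for a numeric column such as gold, where an escaping helper would not help since there are no quotes to escape out of.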
Xaleph
Posts: 897
Joined: Mon Feb 07, 2011 2:55 am

Re: Removing sql injection

Post by Xaleph »

The downside to this function is you need a persistent mysql database connection. If you have another (or no) database system, this function will throw a fatal error, which sucks.
Klown
Posts: 89
Joined: Tue Feb 22, 2011 5:59 am

Re: Removing sql injection

Post by Klown »

Yea, I guess so. I'm making a game which connects to the DB and the user plays the game; I don't close the connection, so I wouldn't think it will hurt anything. But I've only tested it on localhost on my own, and have not had any problems. If there is a better way or another simple way I'm open to suggestions, since it's easy to find/replace the function.
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: Removing sql injection

Post by Jackolantern »

Can't this function simply be used once a connection is opened? The data could then be queried and the connection could be immediately closed. I guess I am unclear on why this requires a persistent connection.

@Klown:
Persistent connections can oftentimes be bad, as the database can only handle so many connections. While a game running on any kind of shared hosting would likely run into other bottlenecks before the number of DB connections became an issue, it is still a limit on scalability.
The indelible lord of tl;dr
Klown
Posts: 89
Joined: Tue Feb 22, 2011 5:59 am

Re: Removing sql injection

Post by Klown »

Since I'm new to this whole PHP/MySQL thing, I guess I'll ask a few questions which will help save me some headache in the future.
1.) Since I am calling this safe function just after I receive the info from the user of the game, and I'm then passing the safe variable into a query to save to the DB, doesn't that fall between a connection to the DB?

2.) Since I've not closed my DB connections in any of my code thus far, where is it recommended to close a DB connection? At the end of each page of code, or after each query? FYI: I made a file I call inc_connect.php which has my server, name, pass and connection code to MySQL, which I include on each page of my game at the top with the other include files I sometimes use.

Thanks in advance for any info you can help with.

-klown
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: Removing sql injection

Post by Jackolantern »

It isn't always as critical as it seems. The connection closes at the end of each script. Since scripts take in the time frame of milliseconds to execute, opening and closing a database connection only as needed in the script will also shave off in the realm of milliseconds. Of course, if you have a highly trafficked site, wrapping queries in custom open/close function calls can shave off 50% or more of the connection time, which can mean a lot.
Klown
Posts: 89
Joined: Tue Feb 22, 2011 5:59 am

Re: Removing sql injection

Post by Klown »

Very informative. I appreciate the info. One other question would be: if you were to close the connection after each query, then having to re-establish the connection just before the next query would also use up processor power and cost the time saved by closing the connection... or am I on the wrong track of thinking here?

-Klown
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: Removing sql injection

Post by Jackolantern »

Database connections are not about CPU speed, but rather, the limited connection resources of your database. The minuscule amount of CPU to open and close a connection is likely trivial if your website becomes highly trafficked compared to having tons of open and unused database connections.
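The connection-lifecycle advice in the last few posts (one connection per script, opened when first needed, reused by every query, and released when the script ends rather than held open persistently) can be put into a small helper like Klown's inc_connect.php. The following is an added example, not code from the thread: a lazily opened, request-scoped PDO connection with a counter so you can see that several queries share one open. It runs offline against an in-memory SQLite database (assumed available via pdo_sqlite); the scores table and player names are constructed sample data. For MySQL you would use a mysql: DSN and keep PDO::ATTR_PERSISTENT false, exactly as here.

```php
<?php
// Added example, not from the original thread. Assumes the pdo_sqlite driver.

final class Db
{
    private static ?PDO $pdo = null;   // shared within this request only
    public static int $opens = 0;      // how many times a connection was opened

    // Open on first use; every later call in the same script gets the same handle.
    public static function get(): PDO
    {
        if (self::$pdo === null) {
            self::$opens++;
            self::$pdo = new PDO('sqlite::memory:', null, null, [
                PDO::ATTR_ERRMODE    => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_TIMEOUT    => 5,     // fail fast instead of queueing on a busy server
                PDO::ATTR_PERSISTENT => false, // no pconnect-style reuse across requests
            ]);
            // Schema for the constructed sample; a real app would already have it.
            self::$pdo->exec('CREATE TABLE scores (player TEXT NOT NULL, points INTEGER NOT NULL)');
        }
        return self::$pdo;
    }

    // Drop the handle early if the rest of the script does not need the database.
    // PHP would otherwise close it at the end of the script anyway.
    public static function close(): void
    {
        self::$pdo = null;
    }
}

function recordScore(string $player, int $points): void
{
    $stmt = Db::get()->prepare('INSERT INTO scores (player, points) VALUES (?, ?)');
    $stmt->execute([$player, $points]);
}

function topScores(int $limit): array
{
    $stmt = Db::get()->prepare('SELECT player, points FROM scores ORDER BY points DESC LIMIT ?');
    $stmt->bindValue(1, $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed traffic for one request: three writes and one read share a single connection.
recordScore('alice', 300);
recordScore('bob', 150);
recordScore('carol', 450);
print_r(topScores(2));
echo "connections opened this request: ", Db::$opens, "\n";   // 1
Db::close();   // optional; with sqlite::memory: this also discards the data
```

Keeping the handle in one place means every page includes the same file, no page opens a second connection by accident, and nothing outlives the request, which is the scalability point made above about limited connection slots.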