I am doing a lot of CRUD (Create, Read, Update, Delete) on a site I am building for my company. I want to be sure to prevent both SQL injection and XSS. I have been reading some books on the matter and found this bit of code. What do you think, good?
[code=php]<?php
// Escape the raw POST values before they are placed into the query string.
$user = mysql_entities_fix_string($_POST['user']);
$pass = mysql_entities_fix_string($_POST['pass']);
$query = "SELECT * FROM users WHERE user='$user' AND pass='$pass'";

// $string is the parameter name: it holds whatever value the caller passes in.
function mysql_entities_fix_string($string)
{
    // HTML-encode the already SQL-escaped value.
    return htmlentities(mysql_fix_string($string));
}

function mysql_fix_string($string)
{
    // Undo magic_quotes escaping (if enabled) so the value is not escaped twice.
    if (get_magic_quotes_gpc()) $string = stripslashes($string);
    return mysql_real_escape_string($string);
}
?>[/code]
I have been looking over it for a while and understand it for the most part, except that it refers to the variable $string. I don't see how the variable $string is at all referenced in:
[code=php]$user = mysql_entities_fix_string($_POST['user']);
$pass = mysql_entities_fix_string($_POST['pass']);[/code]
Any help understanding how the variable $string is referenced would be appreciated.
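The following is an added example, not code from the original post or the book it quotes. It shows the same parameter-passing pattern ($string is just the name the function gives to whatever argument is passed in) and, beside it, the approach a practitioner would use today for the two concerns in the question: a prepared statement for the lookup and HTML encoding at output time. It assumes a PDO connection and a hypothetical `users` table with `user` and `pass_hash` (a password_hash() value) columns; the DSN and credentials are placeholders.

```php
<?php
// Added example (not from the original post). Assumes a PDO connection and a
// hypothetical `users` table with columns `user` and `pass_hash`.

// Same shape as the book's helper: `$string` is only the parameter name.
// The value passed by the caller ($_POST['user'] below) is bound to it.
function describe_param(string $string): string
{
    return 'received: ' . $string;
}

// Look up a user without building SQL from strings at all. The `?` placeholder
// is sent to the server separately from the query text, so user input can never
// change the query's structure; that is what prevents SQL injection.
function find_user(PDO $pdo, string $user): ?array
{
    $stmt = $pdo->prepare('SELECT user, pass_hash FROM users WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Verify against a stored hash rather than comparing a plaintext `pass` column.
function login(PDO $pdo, string $user, string $pass): bool
{
    $row = find_user($pdo, $user);
    return $row !== null && password_verify($pass, $row['pass_hash']);
}

// XSS is an output problem: store the raw value, encode it when rendering HTML.
// Encoding at input time (as htmlentities() does in the book's helper) corrupts
// the stored data for every non-HTML consumer and still misses other contexts.
function render_username(string $user): string
{
    return '<span>' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</span>';
}

// Wiring it together (DSN and credentials are placeholders).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);
$user = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';
if (login($pdo, $user, $pass)) {
    echo render_username($user);
}
```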