This is a PHP class that makes placing SQL queries easier and protects against SQL injection and XSS. It uses MySQLi to query the database.
The first thing that comes to your mind when you see this class may be: “There are many database classes out there, so why should I choose yours?”
The answer is really easy:
This PHP class does all the tedious and annoying security work for you, and it does so while running as fast as possible: all unneeded overhead was removed and every trick to make the PHP script execute quickly was applied.
The result is a tiny and fast but secure database helper class that makes your life easier.
So save your time for the really important and interesting parts of coding, and stop wasting it on security chores!
There are 47 different tags supported by default, but if you want to add some of your own, no problem:
The class also has a really easy way to add more and more tags yourself. One function call and your own tag is registered.
This way you not only defend against XSS and SQL attacks, you also save a lot of time.
If you want to insert a variable as an md5 hash into your database, you do not have to use prepared statements (although you can, of course); you can just write “UPDATE table SET pw=?md5” and your variable will be hashed automatically.
You can also use this class as an advanced validator with many built-in validations such as email checking, URL checking, telephone number checking, ...
Just try it; once you have used this class you will not want to miss it!
In the following you can see the basic functions, just a very small piece of the complete class:
/* Set charset which should be used for queries and results*/
/* Place 1 single Query */
// By using the following syntax:
// SELECT * FROM table WHERE val1=?sql or/and val2=?sql
// We will be able to guarantee that no SQL-Injection will ever work.
// The PHP-Class will do all the work (escaping, inserting, enclosing with quotes)
"SELECT * FROM table WHERE id=?sql and name=?sql",$id,$name);
/* if you have to escape some guest book entries to prevent XSS Injections,
just use this (this will also prevent SQL-Injections): */
"INSERT INTO table(id,entry) VALUES(NULL,?html)",$_POST['guest_book_entry']);
// There are even more tags, e.g.
// ?md5: converts your value to md5
// ?timestamp: converts your date/time to timestamp
// ?hex: converts your string to hex
// There are at the moment 47 different tags you can use, and you can also add
// some yourself with just one easy function call:
// After doing that your new tag is useable by just doing it this way:
"SELECT * FROM double_hashed WHERE pw_double_hashed=?double_md5",$password);
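To make the ?tag mechanism concrete, here is an added illustration of how such placeholder substitution and one-call tag registration can be implemented with MySQLi. It is not the class's own code: the class name TagQuery, the methods addTag/build and the connection credentials are assumptions, and the behaviour on a failed ?int validation (throwing) is this example's choice.

```php
<?php
// Added illustration, not the class's own code: a minimal ?tag substitution helper
// in the spirit of the ?sql / ?html / ?md5 placeholders described above (PHP 8).
// Class and method names are assumptions; the connection details are placeholders.
final class TagQuery
{
    private array $tags = []; // tag name => handler(string $value): string (SQL fragment)
    public function __construct(private mysqli $db)
    {
        // ?sql: escape for the connection charset and enclose in quotes, so the value
        // can never terminate the string literal it is placed into.
        $this->addTag('sql', fn(string $v): string => "'" . $this->db->real_escape_string($v) . "'");
        // ?html: neutralise HTML before storage (XSS), then escape for SQL as well.
        $this->addTag('html', fn(string $v): string =>
            "'" . $this->db->real_escape_string(htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')) . "'");
        // ?md5: the stored value is the hex digest (for password storage prefer password_hash()).
        $this->addTag('md5', fn(string $v): string => "'" . md5($v) . "'");
        // ?int: validate instead of escaping; rejecting the value by exception is this example's choice.
        $this->addTag('int', function (string $v): string {
            $n = filter_var($v, FILTER_VALIDATE_INT);
            if ($n === false) { throw new InvalidArgumentException('?int: not an integer'); }
            return (string) $n;
        });
    }
    /** One call registers a new tag, e.g. ?double_md5. */
    public function addTag(string $name, callable $handler): void
    {
        $this->tags[$name] = $handler;
    }
    /** Replace each ?tag in $template with the handled next value, left to right. */
    public function build(string $template, string ...$values): string
    {
        $i = 0;
        $sql = preg_replace_callback('/\?([a-z][a-z0-9_]*)/', function (array $m) use (&$i, $values): string {
            if (!isset($this->tags[$m[1]])) { throw new InvalidArgumentException("unknown tag ?{$m[1]}"); }
            if (!array_key_exists($i, $values)) { throw new InvalidArgumentException('more tags than values'); }
            return ($this->tags[$m[1]])($values[$i++]);
        }, $template);
        if ($i !== count($values)) { throw new InvalidArgumentException('more values than tags'); }
        return $sql;
    }
}
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholder credentials
$db->set_charset('utf8mb4'); // real_escape_string is charset-aware: set the charset before any query
$q = new TagQuery($db);
$q->addTag('double_md5', fn(string $v): string => "'" . md5(md5($v)) . "'");
$sql = $q->build("SELECT * FROM table WHERE id=?int AND name=?sql", $_GET['id'] ?? '0', $_GET['name'] ?? '');
$result = $db->query($sql);
```

Because every value passes through a handler that either escapes-and-quotes or validates it, a request such as `name=' OR 1=1 --` ends up as a quoted string literal rather than as SQL syntax.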
All available Tags
- sql: only escapes the string with mysqli real_escape_string
- html: encodes all HTML
- strip_html: strips all HTML from the value
- strip_danger: strips dangerous HTML from the value
- email: only checks whether the value has valid email syntax (e.g. “email@example.com” = true)
- name: only checks that the string contains no characters invalid in a name (e.g. “Ben Miller” = true)
- number: only checks whether the value is a number (can be any number, e.g. “-1.3423e32” = true)
- telephone: only checks whether the value is a valid telephone number (e.g. “718-838-3586” = true)
- age: only checks whether the value is greater than 0 and less than 120
- url: only checks whether the value is a valid URL (e.g. “www.test.de” = true; “http://www.test.de” = true)
- safe_url: only checks whether the value is a valid URL on your own domain (e.g. if your domain is “www.mydomain.com” and the user's referer was “www.mydomain.com”, then “www.mydomain.com/index” = true). This prevents CSRF attacks only if no third party can post links on your site, e.g. in a guestbook; if that is possible, have a look at tokens to defeat CSRF.
- date: checks whether the value is a date; if not, it tries to convert it to a date, and if that is not possible it returns false
- time: checks whether the value is a time; if not, it tries to convert it to a time, and if that is not possible it returns false
- datetime: checks whether the value is a datetime; if not, it tries to convert it to a datetime, and if that is not possible it returns false
- timestamp: converts any date/time value to a timestamp using strtotime
- ip: only checks whether the value is a valid IPv4 address (e.g. “127.168.1.2” = true)
- hex: converts the string to a hex string
- float: only checks whether the value is a float (e.g. “-1.4342e21” = true; “10” = false)
- int: only checks whether the value is an integer (e.g. “100” = true)
- zipcode_us: only checks whether the value is a valid US zip code
- zipcode_ger: only checks whether the value is a valid German zip code
- alphanumeric: only checks that the value contains only digits and letters from a to Z (e.g. “Test284test” = true)
- alpha: only checks that the value contains only letters from a to Z (e.g. “Test” = true)
- lower: converts the value to lower case
- upper: converts the value to upper case
- port: only checks whether the value is a valid port
- ipv4: only checks whether the value is a valid IPv4 address (e.g. “127.168.1.2” = true)
- md5: hashes the value with md5
- crc32: hashes the value with crc32
- sha1: hashes the value with sha1
- sha256: hashes the value with sha256
- hash: hashes the value with sha256 if sha256 is supported, otherwise with md5
- hash_salted: hashes the value with sha256 and a salt if sha256 is supported, otherwise with md5 and a salt
- sha512: hashes the value with sha512
- whirlpool: hashes the value with whirlpool
- adler32: hashes the value with adler32
- tiger128: hashes the value with tiger128
- tiger160: hashes the value with tiger160
- tiger192: hashes the value with tiger192
- md4: hashes the value with md4
- length: returns the value's length
- packedfile: only checks by extension whether the file is a valid archive (supported: rar|zip|7z|tar|gz|lz|apk|targz|tgz|tarZ|tarbz2|tbz2|tarlzma|tlz|zipx)
- exefile: only checks by extension whether the file is an exe file
- imgfile: only checks by extension whether the file is an image file (supported: ico|jpg|tif|gif|png|bmp)
- pdffile: only checks by extension whether the file is a PDF file
- videofile: only checks by extension whether the file is a video file (supported: 3gp|3g2|avi|divx|flv|m4v|mov|mp4|mpeg|mpg|ogv|rm|vob|wmv|xvid)
- absolutepath: only checks whether a path is an absolute path (e.g. “/home/user/test.txt” = true)
- bbcode: converts the supported BBCode tags (including [color] and [size]) to HTML and strips all other HTML tags.
All tags are usable without worrying about XSS or SQL injection.