www.webdeveloper.com

Thread: Cleaning user input

  1. #1
    Join Date
    Nov 2004
    Posts
    52

    Cleaning user input

    Hi,

    I have input and output functions. What else should I have within these functions to clean user input, then reverse it when it's echoed to the screen?


    ValidateInput:

    PHP Code:
    function ValidateInput($value) {
        // trim whitespace, strip HTML tags, then escape for use in a MySQL query
        $value = mysql_real_escape_string(strip_tags(trim($value)));
        return $value;
    }


    ValidateOutput:

    PHP Code:
    function ValidateOutput($value) {
        // convert newlines to <br /> and remove backslashes before echoing
        $value = stripslashes(nl2br($value));
        return $value;
    }


    Thanks

  2. #2
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    18,926
    It's probably a good idea to check whether or not "magic quotes" are turned on, and compensate if they are. This is the function I normally use to "sanitize" inputs for database usage:
    PHP Code:
    function sanitize($value)
    {
        $value = trim($value);
        if (get_magic_quotes_gpc())
        {
            // magic quotes already added backslashes; undo them so we do not escape twice
            $value = stripslashes($value);
        }
        if (!is_numeric($value)) // only need to do this part for strings
        {
            $text = @mysql_real_escape_string($value);
            if ($text === FALSE)  // we must not be connected to mysql, so....
            {
                $text = mysql_escape_string($value);
            }
            // the quotes are added here, so the caller must NOT add its own around the result
            $value = "'$text'";
        }
        return($value);
    }

    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  3. #3
    Join Date
    Jan 2011
    Posts
    1
    Hi, NodDog
    I tested your nice clean-input function, but I see two problems and an error!!

    1 -
    Code:
    Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in .. . ..
    Line with the error:
    PHP Code:
    $sql=mysql_query("select username,email from members where (username='$username' or email='$email')");
    $rst=mysql_fetch_array($sql); 
    My data:
    PHP Code:
    $username=sanitize($_REQUEST["username"]); 
    //etc..... 
    2 - It does not insert any data into the MySQL database.
    PHP Code:
    $sql="INSERT INTO members (name,lname,fname) VALUES('$username','$lname','$fname') ";
    The problem is with the quotes around $text here:

    PHP Code:
    $value = "'$text'";
    Thanks in advance.

  4. #4
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    18,926
    That sanitize() function wraps the result in quotes if it is not numeric, so you do NOT want to use quotes in your query string around those sanitized variables.
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us
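The quoting pitfall from posts #3 and #4, as an added example that is not NogDog's function or any code from the thread. It keeps the same convention (the helper adds its own quotes around non-numeric values) but is written on mysqli, because the mysql_* extension the thread uses was removed in PHP 7. The host, credentials, database name and the input values are assumed placeholders.

```php
<?php
// Added example (not from the thread): the "helper supplies its own quotes"
// convention of sanitize(), on mysqli. Credentials below are assumed placeholders.

function quoteForSql(mysqli $db, string $value): string
{
    $value = trim($value);
    if (is_numeric($value)) {
        return $value;                   // numbers go in bare, as sanitize() does
    }
    // mysqli_real_escape_string() needs the live connection so that it escapes
    // according to the connection's character set and sql_mode; the result is
    // wrapped in single quotes here, once.
    return "'" . mysqli_real_escape_string($db, $value) . "'";
}

// Correct usage: no quotes in the SQL template, quoteForSql() already added them.
function lookupQuery(mysqli $db, string $username, string $email): string
{
    $u = quoteForSql($db, $username);
    $e = quoteForSql($db, $email);
    return "SELECT username, email FROM members WHERE username=$u OR email=$e";
}

// What post #3 did: quoting a value that is already quoted. The template is kept
// here only to show the broken SQL it produces; never send it to the server.
function brokenLookupQuery(mysqli $db, string $username, string $email): string
{
    $u = quoteForSql($db, $username);
    $e = quoteForSql($db, $email);
    return "SELECT username, email FROM members WHERE username='$u' OR email='$e'";
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'app');   // assumed credentials
if ($db->connect_error) {
    die("connect failed: " . $db->connect_error);
}

$username = "O'Brien";            // constructed input containing a quote
$email    = "ob@example.com";     // constructed input

echo lookupQuery($db, $username, $email), "\n";
echo brokenLookupQuery($db, $username, $email), "\n";

// Always check the result before fetching: a query with a syntax error returns
// false, and passing that false to a fetch call is exactly the warning in post #3.
$result = $db->query(lookupQuery($db, $username, $email));
if ($result === false) {
    die("query failed: " . $db->error);
}
while ($row = $result->fetch_assoc()) {
    echo $row['username'], " ", $row['email'], "\n";
}
```

With the default sql_mode the first echo contains `username='O\'Brien'`, while the second contains `username=''O\'Brien''`, which MySQL rejects as a syntax error; that rejection is why mysql_query() in post #3 returned false and mysql_fetch_array() then complained about a boolean. The escaping is done through the connection handle so that the client library knows the charset and whether NO_BASCKSLASH_ESCAPES is in effect, which is the reason post #5 says a connection is required.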

  5. #5
    Join Date
    Nov 2008
    Location
    Atlanta, GA
    Posts
    64
    Use mysql_real_escape_string (mysql_escape_string is deprecated) when you are inserting into a DB. It requires a MySQL connection (so that it can identify the correct character set).

    Code:
    $value = mysql_real_escape_string(trim($value));
    There is no need to unescape mysql_real_escape_string when you are outputting, but you should use htmlspecialchars and/or strip_tags to protect against XSS.

    Code:
    echo htmlspecialchars($value);
    Either way I would recommend validating the input before you sanitize it.

    And, personally, I prefer PDO for db interaction as prepared statements will sanitize the input for you.
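The approach this last post recommends, carried through for the SELECT and INSERT from post #3, as an added example that is not code from the thread: validate first, let PDO prepared statements carry the values separately from the SQL (so no escaping function and no hand-placed quotes are involved), and escape only at output time with htmlspecialchars. The DSN, credentials, the `members` table columns and the request data are assumed placeholders.

```php
<?php
// Added example (not from the thread). DSN/credentials and the request data are
// assumed placeholders; the members table is taken from post #3.

// 1. Validate first: reject anything that does not match what the field allows.
function validateUsername(string $raw): ?string
{
    $u = trim($raw);
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $u) === 1 ? $u : null;
}

function validateEmail(string $raw): ?string
{
    $e = trim($raw);
    return filter_var($e, FILTER_VALIDATE_EMAIL) !== false ? $e : null;
}

// 2. Output escaping for an HTML context. Escape first, then nl2br(), so the
//    <br /> tags themselves are not escaped. No stripslashes(): nothing was added
//    on the way in, so there is nothing to reverse on the way out.
function e(string $value): string
{
    return nl2br(htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// 3. Database access through prepared statements. The charset in the DSN tells
//    the driver how to handle the values, the same reason the escaping functions
//    above need a connection.
function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never a silent false
        PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares, values sent separately
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function memberExists(PDO $pdo, string $username, string $email): bool
{
    $stmt = $pdo->prepare(
        'SELECT 1 FROM members WHERE username = :username OR email = :email LIMIT 1'
    );
    $stmt->execute([':username' => $username, ':email' => $email]);
    return $stmt->fetchColumn() !== false;
}

function insertMember(PDO $pdo, string $username, string $lname, string $fname): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO members (name, lname, fname) VALUES (:name, :lname, :fname)'
    );
    $stmt->execute([':name' => $username, ':lname' => $lname, ':fname' => $fname]);
}

// Constructed request data standing in for $_REQUEST, with a quote and a script tag.
$request = [
    'username' => 'obrien',
    'email'    => 'ob@example.com',
    'lname'    => "O'Brien",
    'fname'    => '<script>alert(1)</script>',
];

$username = validateUsername($request['username']);
$email    = validateEmail($request['email']);
if ($username === null || $email === null) {
    exit('invalid username or email');
}

$pdo = connect();
if (!memberExists($pdo, $username, $email)) {
    // free-text names are stored exactly as typed; the driver keeps them out of the SQL
    insertMember($pdo, $username, $request['lname'], $request['fname']);
}

// Escape at the point of output, for the context being written into (HTML body).
echo '<p>Welcome, ', e($request['fname']), ' ', e($request['lname']), '</p>';
```

Username and email are validated against a fixed shape because the application knows what they should look like; the name fields are free text, so they are stored verbatim and only neutralised when rendered. htmlspecialchars() covers HTML body and attribute context only; a value written into a JavaScript string or a URL needs the encoding for that context instead.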
