
Suggestions and opinions on my sanitize function


rk8479


In my DB class I have a function that does a simple sanitize operation.

The function does three things:

1. Checks whether the input variable is an integer; if it is, it gets the int value of the variable and returns it.

2. Checks whether the input variable is a string; if it is, it escapes it and returns it.

3. If it is neither an integer nor a string, the variable is unset and a "Variable deleted" message is returned.

function sanitizeData($dbc, $input){
    // Integer input: cast to int and return it unchanged.
    if(is_int($input)){
        $input = intval($input);
        return $input;
    // String input: escape it for use in a MySQL query string.
    } elseif(is_string($input)){
        $input = mysqli_real_escape_string($dbc, $input);
        return $input;
    // Anything else: drop the local copy and return a notice instead of the value.
    } elseif(!is_int($input) OR !is_string($input)){
        unset($input);
        return "Variable contents unknown, variable deleted!";
    }
}

I wanted other people's ideas, opinions and suggestions on this function and what you think of it :)

 

Thanks


1. If it's already an integer what's the need to cast it to an integer?

2. If you use prepared statements in mysqli or PDO all escaping and testing will be done for you.

3. You can't unset the passed var from inside the function, and why would you? What if it's a float?

So far as I know there is really no need for sanitization functions if you use the newer libraries, unless you have specialized sanitization like stripping HTML or Javascript or portions thereof, etc. 

Edited by AbraCadaver

Also, the is_int and is_string functions test the type of the variable, not what's in them.

You can have a string variable that contains a number (all $_POST/$_GET variables are string variables, no matter what they contain).

And you could have a value that looks like a number, such as a phone number or a zip code that only contains numerical characters, but it is actually a string (with things like leading zeros) that, if you treat it as a number in your code, will be altered and won't have the same meaning as the value that was entered.

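To illustrate the two replies above, here is an added example (not the original poster's code) that validates request values by their content rather than their PHP type and then lets a mysqli prepared statement handle quoting. The `users` table with integer `id` and string `zip` columns, and the request values, are assumptions constructed for the example.

```php
<?php
// Added example, not the poster's code. Assumes a hypothetical `users` table
// with an integer `id` column and a string `zip` column.

/**
 * Validate an id that arrives as a string from $_GET/$_POST.
 * Returns an int, or null if the value is not a plain non-negative integer.
 * is_int() would be false here because form values are always strings.
 */
function validateId(string $raw): ?int
{
    // ctype_digit rejects signs, spaces, decimals, letters and the empty string.
    return ctype_digit($raw) ? (int) $raw : null;
}

/**
 * Validate a five-digit zip code. It stays a string on purpose: casting
 * "02134" to int would silently drop the leading zero.
 */
function validateZip(string $raw): ?string
{
    return preg_match('/^\d{5}$/', $raw) === 1 ? $raw : null;
}

/**
 * Look up a user with a prepared statement. The values are bound with their
 * types ('i' = integer, 's' = string), so no manual escaping is needed.
 */
function findUserByIdAndZip(mysqli $dbc, int $id, string $zip): ?array
{
    $stmt = $dbc->prepare('SELECT id, name, zip FROM users WHERE id = ? AND zip = ?');
    $stmt->bind_param('is', $id, $zip);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed request values, shaped like $_POST (every value is a string).
$post = ['id' => '42', 'zip' => '02134', 'bad_id' => '42abc'];

var_dump(is_int($post['id']));         // the numeric string is still a string
var_dump(validateId($post['id']));     // accepted and converted to int
var_dump(validateId($post['bad_id'])); // rejected before it can reach SQL
var_dump(validateZip($post['zip']));   // leading zero preserved

// With a live connection (not opened here) the lookup would be:
// $user = findUserByIdAndZip($dbc, validateId($post['id']), validateZip($post['zip']));
```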
