Lambneck, posted September 23, 2008

Which of the following would be the preferable/more effective way to sanitize posts?

```php
<?php
function clean($str) {
    $str = @trim($str);
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

// Sanitize the POST values
$login = clean($_POST['login']);
```

or

```php
<?php
function check_input($data, $problem = '') {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    if ($problem && strlen($data) == 0) {
        show_error($problem);
    }
    return $data;
}

// Sanitize the POST values
$login = check_input($_POST['login']);
```

Thread: https://forums.phpfreaks.com/topic/125435-solved-sanitizer/
JonnoTheDev, posted September 23, 2008

Not that much difference between the two. You may also want to make use of the strip_tags() function to prevent HTML posts.
Lambneck (author), posted September 23, 2008

Like this?

```php
<?php
function check_input($data, $problem = '') {
    $data = strip_tags($data);
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    if ($problem && strlen($data) == 0) {
        show_error($problem);
    }
    return $data;
}
```

Sorry, just started learning about this.
JonnoTheDev, posted September 23, 2008

This function is used for displaying data back to the screen as opposed to, let's say, inserting into a database:

```php
$data = stripslashes($data);
```

If you are inserting the post data into a database table then you require mysql_real_escape_string() to escape any special characters.
Lambneck (author), posted September 23, 2008

Yes, I am posting data to the database. So instead of using stripslashes, use mysql_real_escape_string()?

stripslashes:

```php
<?php
function check_input($data, $problem = '') {
    $data = strip_tags($data);
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    if ($problem && strlen($data) == 0) {
        show_error($problem);
    }
    return $data;
}
```

Like this?

mysql_real_escape_string:

```php
<?php
function check_input($data, $problem = '') {
    $data = strip_tags($data);
    $data = trim($data);
    $data = mysql_real_escape_string($data);
    $data = htmlspecialchars($data);
    if ($problem && strlen($data) == 0) {
        show_error($problem);
    }
    return $data;
}
```
xoligy, posted September 23, 2008

You could do `$data = mysql_real_escape_string(trim(strip_tags(htmlspecialchars($data))));`. It's how I do mine anyway, lol.

```php
<?php
function check_input($data, $problem = '') {
    // Escape for HTML, strip tags, trim, then escape for MySQL, all in one pass
    $data = mysql_real_escape_string(trim(strip_tags(htmlspecialchars($data))));
    if ($problem && strlen($data) == 0) {
        show_error($problem);
    }
    return $data;
}
?>
```
JonnoTheDev, posted September 23, 2008

As long as you have a database connection open you can use it. If you are cleaning the data and then sending it back to the screen - let's say a user has forgotten to enter their email address into your form but they have entered their firstname and lastname - you are not going to make them enter them again, so you will send the cleaned data back to the user in the appropriate fields. However, you probably don't want to escape data at that point, as it will look funny to the user if it comes back like David O\'Leary; only escape when inserting into the database, i.e.

```php
mysql_query("INSERT INTO table SET firstname='" . mysql_real_escape_string($firstname) . "'");
```

Having a MySQL wrapper class is always useful, as you can implement this into a query method so data is always escaped.
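The point made in the post above, escape for the database only on the way into a query and escape for HTML only on the way to the screen, is easier to get right when the three jobs live in three separate functions. The following is an added example written for this thread, not code from any of the posters. The names `clean_input`, `h` and `Db`, the `users(firstname, lastname, email)` table and the environment variables for the connection are assumptions; it targets PHP 8 with mysqli, since the `mysql_*` functions used in the thread were removed in PHP 7, and it also shows the prepared-statement form that replaces manual escaping in new code.

```php
<?php
// Added example, not code from the thread. Three separate concerns:
//   1. clean_input(): normalise raw form input, no escaping for any destination
//   2. Db::query():   SQL escaping happens only here, at query time (the "wrapper class" idea)
//   3. h():           HTML escaping happens only when a value is echoed back to the page
// Assumes PHP 8 + mysqli, a table users(firstname, lastname, email), and DB_* env vars.
declare(strict_types=1);

/** Normalise a raw form value. No SQL or HTML escaping happens here. */
function clean_input(?string $raw): string
{
    if ($raw === null) {
        return '';
    }
    // Very old PHP added backslashes via magic quotes; undo that only where the function still exists.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $raw = stripslashes($raw);
    }
    return trim(strip_tags($raw));
}

/** Escape for an HTML attribute or text node; call this at output time only. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Minimal wrapper so every dynamic value reaches MySQL through one escaping path. */
final class Db
{
    public function __construct(private mysqli $conn) {}

    /**
     * Run a statement with `?` placeholders (placeholders must not appear inside SQL string literals).
     * Each parameter is escaped with real_escape_string and quoted at query time,
     * which is where the thread says escaping belongs. Fails loudly on a count mismatch.
     */
    public function query(string $sql, array $params): mysqli_result|bool
    {
        $slots = substr_count($sql, '?');
        if ($slots !== count($params)) {
            throw new InvalidArgumentException("expected {$slots} parameters, got " . count($params));
        }
        $i = 0;
        $final = preg_replace_callback('/\?/', function () use (&$i, $params): string {
            return "'" . $this->conn->real_escape_string((string) $params[$i++]) . "'";
        }, $sql);
        return $this->conn->query($final);
    }

    /** The same insert as a prepared statement: the server never sees the values as SQL text. */
    public function insertUser(string $first, string $last, string $email): bool
    {
        $stmt = $this->conn->prepare('INSERT INTO users (firstname, lastname, email) VALUES (?, ?, ?)');
        $stmt->bind_param('sss', $first, $last, $email);
        return $stmt->execute();
    }
}

// --- Usage: the scenario from the thread, a user who left the email field blank ---
// Constructed sample request standing in for $_POST.
$post = ['firstname' => "  David O'Leary <b>x</b>", 'lastname' => 'Smith', 'email' => ''];

$first = clean_input($post['firstname'] ?? null);   // "David O'Leary x": tags stripped, trimmed, no escaping
$last  = clean_input($post['lastname'] ?? null);
$email = clean_input($post['email'] ?? null);

if ($email === '') {
    // Send the cleaned value back into the form HTML-escaped, never SQL-escaped,
    // so the user sees O'Leary in the field rather than O\'Leary.
    echo '<input name="firstname" value="' . h($first) . '">' . PHP_EOL;
    echo 'Please enter your email address.' . PHP_EOL;
    exit;
}

// Only now, on the way into the database, does SQL escaping happen.
$conn = new mysqli(
    getenv('DB_HOST') ?: 'localhost',
    getenv('DB_USER') ?: 'app_user',      // placeholder credentials
    getenv('DB_PASS') ?: '',
    getenv('DB_NAME') ?: 'app'
);
$conn->set_charset('utf8mb4');   // real_escape_string is only correct for the connection's charset
$db = new Db($conn);
$db->query('INSERT INTO users (firstname, lastname, email) VALUES (?, ?, ?)', [$first, $last, $email]);
// Equivalent, and preferred for new code:
// $db->insertUser($first, $last, $email);
```

Two details worth keeping: `set_charset()` is called before any escaping, because `real_escape_string` is only safe for the character set the connection actually uses, and `htmlspecialchars` is never applied before the insert, so the database holds `O'Leary` rather than an HTML-encoded copy that would be double-encoded on the next output.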
Lambneck (author), posted September 23, 2008

Thanks xoligy, that helps a lot. Neil, I'm not sure what a MySQL wrapper class is yet, but thanks to you anyway.