alexweber15 Posted October 13, 2008
This is what I usually do, but I'm sure there are better ways of doing it:

function clean(&$val) {
    // write the cleaned value back through the reference
    $val = trim(strip_tags(htmlspecialchars($val)));
}

I'm sure addslashes() or mysql_real_escape_string() should be there somewhere, but I'm not sure... someone comment please?
-Alex
waynewex Posted October 13, 2008
IMHO, there's no need to use strip_tags() AND htmlspecialchars(). Try:

function clean($string) {
    // See if magic quotes is turned on. I hate magic quotes and so should you.
    if (get_magic_quotes_gpc() == 1) {
        $string = stripslashes($string); // get rid of nasty slashes if magic quotes are on
    }
    $string = htmlentities($string, ENT_QUOTES, "utf-8"); // convert input into friendly characters to stop XSS
    $string = mysql_real_escape_string($string);          // stop h4x0r from putting SQL in
    return $string; // return a lovely clean string that you could bring home to your mother
}
alexweber15 Posted October 13, 2008
Thanks! Shouldn't I trim() it at any point? And also, when would I use htmlentities() vs htmlspecialchars()? Thanks!
DarkWater Posted October 13, 2008
I'd personally create a recursive function to clean entire arrays (even arrays of arrays and such):

<?php
function clean_recursive($value) {
    if (is_array($value)) {
        // recurse into nested arrays, cleaning each element in place
        foreach ($value as $k => $v) {
            $value[$k] = clean_recursive($v);
        }
    } else {
        if (get_magic_quotes_gpc() == 1) {
            $value = stripslashes($value);
        }
        $value = htmlentities($value, ENT_QUOTES, "utf-8"); // convert input into friendly characters to stop XSS
        $value = mysql_real_escape_string($value);
    }
    return $value;
}

$do = clean_recursive(array('somet"h"\'in"g', 'lol"', array('l\'ol')));
print_r($do);

Tested and works.
alexweber15 Posted October 13, 2008
Thanks again DarkWater! Questions still remain: shouldn't I trim() it at any point? And also, when would I use htmlentities() vs htmlspecialchars()? Thanks!
DarkWater Posted October 13, 2008
Yeah, you might as well use trim(). And htmlentities() changes more characters than htmlspecialchars().
alexweber15 Posted October 13, 2008
"Yeah, you might as well use trim(). And htmlentities() changes more characters than htmlspecialchars()."

So this is what the new uber function looks like:

<?php
function clean_recursive($value) {
    if (is_array($value)) {
        // recurse into nested arrays, cleaning each element in place
        foreach ($value as $k => $v) {
            $value[$k] = clean_recursive($v);
        }
    } else {
        if (get_magic_quotes_gpc() == 1) {
            $value = stripslashes($value);
        }
        $value = trim(htmlspecialchars($value, ENT_QUOTES, "utf-8")); // convert input into friendly characters to stop XSS
        $value = mysql_real_escape_string($value);
    }
    return $value;
}

// test
$do = clean_recursive(array('somet"h"\'in"g', 'lol"', array('l\'ol')));
print_r($do);

Any objections?
DarkWater Posted October 13, 2008
Looks pretty good. Keep in mind that this should only need to be run ONCE for any array:

<?php
$_POST = clean_recursive($_POST);
?>

That's all you'd need to clean POST.
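The following is an added example and not code from anyone in this thread. It keeps the recursive walk and the trim() step from the posts above, and it shows the htmlentities() vs htmlspecialchars() difference that was asked about, but it deliberately does not encode for HTML and SQL in one pass over the input: mysql_real_escape_string() needs an open MySQL connection and no longer exists in PHP 7 and later, and HTML-encoding a value before it is stored corrupts it for every non-HTML use (JSON, CSV, e-mail). Instead the raw trimmed value is stored with a PDO prepared statement and encoded only when rendered. Assumptions: PHP 7.4 or later with the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL); the $post array and the users table are constructed for this example; trim_recursive() and e_html() are names chosen here.

```php
<?php
declare(strict_types=1);

// Walk a nested array (for example $_POST) once and trim every string.
// Non-strings are returned unchanged. This is the only step that belongs on raw
// input; encoding for HTML or SQL happens later, where the value is actually used.
function trim_recursive($value)
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = trim_recursive($v);
        }
        return $value;
    }
    return is_string($value) ? trim($value) : $value;
}

// Encoder for HTML text nodes and attribute values. ENT_QUOTES encodes both quote
// styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// htmlentities() vs htmlspecialchars(): both encode < > & " and ', but htmlentities()
// additionally converts every character that has a named HTML entity.
$sample = "café <b>\"x\"</b> & 'y'";
print_r([
    'htmlspecialchars' => htmlspecialchars($sample, ENT_QUOTES, 'UTF-8'),
    'htmlentities'     => htmlentities($sample, ENT_QUOTES, 'UTF-8'),
]);

// Constructed stand-in for $_POST: nested fields plus hostile values.
$post = [
    'name' => "  O'Brien <script>alert(1)</script>  ",
    'tags' => ['  café ', " \"quoted\" "],
    'age'  => ' 42 ',
];
$clean = trim_recursive($post);

// SQL: bind parameters instead of escaping. pdo_sqlite is assumed here; the same
// prepare()/execute() calls work unchanged against PDO MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, age INTEGER)');

$stmt = $db->prepare('INSERT INTO users (name, age) VALUES (:name, :age)');
$stmt->execute([':name' => $clean['name'], ':age' => (int) $clean['age']]);

// The stored value is the raw trimmed string: the quote and the tags survive intact,
// so the same row can later be rendered as HTML, JSON or CSV with the right encoder each time.
$row = $db->query('SELECT name, age FROM users')->fetch(PDO::FETCH_ASSOC);
var_dump($row['name'] === "O'Brien <script>alert(1)</script>");

// HTML: encode at output. The same raw value is safe inside an attribute and a text node.
printf('<input name="name" value="%s">' . "\n", e_html($row['name']));
foreach ($clean['tags'] as $tag) {
    echo '<li>', e_html($tag), "</li>\n";
}
```

Running it shows the answer to the htmlentities() question directly: both functions turn the angle brackets, ampersand and quotes into &lt; &gt; &amp; &quot; and &#039;, but only htmlentities() also rewrites the é as &eacute;. For UTF-8 pages htmlspecialchars() is sufficient, since non-ASCII characters are not dangerous in HTML and leaving them alone keeps the output shorter and searchable. The var_dump() prints bool(true), confirming that nothing was encoded on the way into the database, and the rendered input element shows the apostrophe and script tags encoded exactly once, at output.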
alexweber15 Posted October 13, 2008
Gotcha!