pck76, posted June 6, 2009 (https://forums.phpfreaks.com/topic/161179-sanitise-user-input/)

Hi All,

I was trying to write a function able to sanitise user input, to be used in a registration form. So far I came up with the following:

    if (isset($_POST['submit'])) {
        // strip malicious code
        // undo the slashes PHP adds when magic_quotes_gpc is on, so values are not escaped twice
        if (get_magic_quotes_gpc()) {
            $_POST = array_map('stripslashes', $_POST);
        }
        // remove leading/trailing whitespace from every field
        $_POST = array_map('trim', $_POST);
        // escape quotes and other special characters for use in a MySQL query
        $_POST = array_map('mysql_real_escape_string', $_POST);
        // drop any HTML/PHP tags from every field
        $_POST = array_map('strip_tags', $_POST);
    }

This is supposed to sanitise all fields in the $_POST variable, but I'm sure I'm forgetting something else. Can you please advise?

Thanks,
Patrick
gevans, posted June 6, 2009

Remember you have to have a DB connection to use mysql_real_escape_string.
.josh, posted June 6, 2009

That does nothing to validate contextual/semantic data. For example, if you have a phone number form field and your DB column is a number-type column but the user enters letters, you're going to have problems.
pck76 (author), posted June 6, 2009

@gevans: to use mysql_real_escape_string the connection needs to be already open?

@Crayon: You're right, and probably I wasn't very clear. The purpose of that function is only to make sure the input is safe (e.g. no SQL injections, XSS attacks etc.); the data validation is in another function.
.josh, posted June 6, 2009

> @gevans: to use mysql_real_escape_string the connection needs to be already open?

Yes. That function looks at settings in the DB connection to determine what/how to escape.
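The two points raised in the replies, that each field has to be validated on its own terms and that escaping is only correct relative to the live connection (its character set in particular), are easiest to act on by not escaping input at all: validate per field, bind values with prepared statements, and encode for HTML at output time. The following is an added example written for this thread, not code from the original posters. It assumes a registration form with username, email, phone and password fields and a users table with matching columns; it uses an in-memory SQLite database as a stand-in for MySQL so it runs without a server, and the sample submission is constructed.

```php
<?php
// Added example (not from the original thread): validate each registration field,
// then pass the values to the database as bound parameters so no escaping of the
// input is needed. Encoding for HTML happens at output time, not at input time.

declare(strict_types=1);

/**
 * Validate the registration form. Returns [$clean, $errors]; $clean only contains
 * fields that passed their own check, so nothing unchecked reaches the database.
 */
function validateRegistration(array $post): array
{
    $clean  = [];
    $errors = [];

    // Username: whitelist the alphabet (letters, digits, underscore, 3..20 chars).
    $username = trim((string)($post['username'] ?? ''));
    if (preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $username) !== 1) {
        $errors['username'] = 'Username must be 3-20 letters, digits or underscores.';
    } else {
        $clean['username'] = $username;
    }

    // E-mail: use PHP's built-in filter rather than a home-grown regex.
    $email = trim((string)($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid e-mail address.';
    } else {
        $clean['email'] = $email;
    }

    // Phone (the case .josh raised): drop common separators, then require digits
    // only, so a numeric column never sees letters.
    $phone = preg_replace('/[\s().-]/', '', (string)($post['phone'] ?? ''));
    if (preg_match('/\A\+?[0-9]{7,15}\z/', $phone) !== 1) {
        $errors['phone'] = 'Phone number must contain 7-15 digits.';
    } else {
        $clean['phone'] = $phone;
    }

    // Password: never trimmed, never escaped, never stored in clear text.
    $password = (string)($post['password'] ?? '');
    if (strlen($password) < 10) {
        $errors['password'] = 'Password must be at least 10 characters.';
    } else {
        $clean['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    }

    return [$clean, $errors];
}

/**
 * Insert with a prepared statement: the SQL text and the values travel separately,
 * so the driver, not string escaping in the application, keeps them apart.
 */
function insertUser(PDO $db, array $clean): int
{
    $stmt = $db->prepare(
        'INSERT INTO users (username, email, phone, password_hash) VALUES (:u, :e, :p, :h)'
    );
    $stmt->execute([
        ':u' => $clean['username'],
        ':e' => $clean['email'],
        ':p' => $clean['phone'],
        ':h' => $clean['password_hash'],
    ]);
    return (int)$db->lastInsertId();
}

// SQLite in memory stands in for MySQL so the example runs offline (assumption).
// For MySQL use a DSN such as 'mysql:host=localhost;dbname=app;charset=utf8mb4':
// fixing the connection charset up front is what makes any quoting decision correct,
// which is why mysql_real_escape_string needs an open connection in the first place.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, phone TEXT, password_hash TEXT)');

// Constructed sample submission containing an injection attempt in the username.
$fakePost = [
    'username' => "bob' OR '1'='1",   // fails the whitelist, never reaches SQL
    'email'    => 'bob@example.com',
    'phone'    => '(555) 010-1234',
    'password' => 'correct horse battery',
];
[$clean, $errors] = validateRegistration($fakePost);
print_r($errors); // username rejected

$fakePost['username'] = 'bob_2009';
[$clean, $errors] = validateRegistration($fakePost);
if ($errors === []) {
    $id = insertUser($db, $clean);
    // XSS defence belongs here, at output time, encoded for the HTML context.
    echo 'Welcome, ' . htmlspecialchars($clean['username'], ENT_QUOTES, 'UTF-8') . " (id $id)\n";
}
```

Note that nothing in this example calls mysql_real_escape_string or strip_tags on the raw $_POST array: validation decides what a field may contain, the prepared statement keeps data out of the SQL grammar, and htmlspecialchars is applied to the exact string being placed into HTML, which is the one place the HTML context is known.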
This topic is now archived and is closed to further replies.