pck76 Posted June 6, 2009

Hi All,

I was trying to write a function able to sanitise user input, to be used in a registration form. So far I came up with the following:

```php
if(isset($_POST['submit'])){
    // strip malicious code
    if(get_magic_quotes_gpc()) {
        $_POST = array_map('stripslashes', $_POST);
    }
    $_POST = array_map('trim', $_POST);
    $_POST = array_map('mysql_real_escape_string', $_POST);
    $_POST = array_map('strip_tags', $_POST);
}
```

This is supposed to sanitise all fields in the $_POST variable, but I'm sure I'm forgetting something else. Can you please advise?

Thanks
Patrick
gevans Posted June 6, 2009

Remember you have to have a db connection to use mysql_real_escape_string.
.josh Posted June 6, 2009

That does nothing to validate contextual/semantic data. For example, if you have a phone number form field and your db column is a number type column but the user enters letters, you're going to have problems.
pck76 (Author) Posted June 6, 2009

@gevans: to use mysql_real_escape_string, does the connection need to be already open?

@Crayon: You're right, and probably I wasn't very clear. The purpose of that function is only to make sure the input is safe (e.g. no SQL injections, XSS attacks etc.); the data validation is in another function.
.josh Posted June 6, 2009

> @gevans: to use mysql_real_escape_string, does the connection need to be already open?

Yes. That function looks at settings in the db to determine what/how to escape (things).
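The thread makes two separate points: a blanket array_map chain over $_POST does not validate what each field is supposed to contain (the phone-number case), and mysql_real_escape_string only works with an open connection because it reads the connection's charset settings. The example below is added here and is not code from the thread or from any of its posters. It shows the alternative those points lead to: validate each field against its own rule, escape for HTML only at output time, and hand values to the database through a prepared statement so no connection-dependent escaping is needed. The field names, rules, sample submissions and the in-memory SQLite database are all constructed for the example; the PDO MySQL driver takes the same prepare/execute calls.

```php
<?php
// Added example, not from the original thread. Validate per field, then
// escape per output context, instead of running every $_POST value through
// one stripslashes/trim/mysql_real_escape_string/strip_tags chain.

// Per-field validation rules (constructed). Each closure returns the cleaned
// value, or null when the value does not fit the field's meaning.
$rules = [
    'username' => function (string $v): ?string {
        $v = trim($v);
        // Letters, digits, apostrophe, dot and hyphen, 3 to 32 characters.
        // Tags are rejected outright rather than stripped.
        return preg_match("/^[A-Za-z0-9.'-]{3,32}$/", $v) ? $v : null;
    },
    'phone' => function (string $v): ?string {
        // Drop spaces, dashes and brackets, then require digits only so the
        // value fits a numeric column (the case raised by .josh above).
        $v = preg_replace('/[\s()-]/', '', trim($v));
        return preg_match('/^\+?[0-9]{6,15}$/', $v) ? $v : null;
    },
    'email' => function (string $v): ?string {
        $v = filter_var(trim($v), FILTER_VALIDATE_EMAIL);
        return $v === false ? null : $v;
    },
];

// Returns [cleaned values, errors]; a field is either fully accepted or listed as an error.
function validate(array $input, array $rules): array
{
    $clean = [];
    $errors = [];
    foreach ($rules as $field => $check) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        $value = $check($input[$field]);
        if ($value === null) {
            $errors[$field] = 'invalid';
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $errors];
}

// Constructed bad submission standing in for $_POST: markup in the username,
// letters in the phone number.
$badInput = [
    'username' => "  o'brien<script>  ",
    'phone'    => '0123abc',
    'email'    => 'pat@example.com',
];
[$clean, $errors] = validate($badInput, $rules);
foreach ($errors as $field => $why) {
    // HTML output context: escape when rendering, not when reading the input.
    echo 'Field ' . htmlspecialchars($field, ENT_QUOTES, 'UTF-8') . " is $why\n";
}
// Prints: "Field username is invalid" and "Field phone is invalid".

// Constructed good submission that passes every rule.
$goodInput = [
    'username' => "o'brien",
    'phone'    => '(012) 345-6789',
    'email'    => 'pat@example.com',
];
[$clean, $errors] = validate($goodInput, $rules);

if (!$errors) {
    // SQL context: a prepared statement sends the values separately from the
    // query text, so the apostrophe in o'brien needs no manual escaping and
    // nothing depends on the connection's charset. In-memory SQLite keeps the
    // example self-contained (assumption: the pdo_sqlite extension is loaded).
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT, phone TEXT, email TEXT)');
    $stmt = $pdo->prepare('INSERT INTO users (username, phone, email) VALUES (:u, :p, :e)');
    $stmt->execute([
        ':u' => $clean['username'],
        ':p' => $clean['phone'],
        ':e' => $clean['email'],
    ]);
    echo 'Stored user ' . htmlspecialchars($clean['username'], ENT_QUOTES, 'UTF-8') . "\n";
}
```

The split matters for the registration form in the question: validation happens once, on the way in, and decides whether a value is acceptable for its field; escaping happens on the way out and depends on where the value is going (HTML needs htmlspecialchars, SQL needs bound parameters), so a single chain applied to all of $_POST cannot do either job correctly.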