Jump to content

trim/addslash/strip_tag for a form input variable

vijdev

By vijdev
in PHP Coding Help

 Share

Recommended Posts

vijdev Regular Member

vijdev

Posted
Posted

is this an overkill of functions, or is it good?..is there any redundancy, or is it falling short in anyway??

am getting the name from a form:

$name=trim(addslashes(strip_tags($_POST['name'])));

 

(once above is done, then $name is passed thru a regex test and lastly ofcourse am also doing a mysql_real_escape($name) before dumping into the DB - am sure of these two activities, but not the trim/addslash/striptag)

jcbones Newbie

jcbones

Posted
Posted

If you are using mysql_real_escape_string() there is no need to addslashes.  Trim takes away whitespace from the ends, and strip_tags strips out any HTML. 

 

If you are checking by regex, you could eliminate all three of those functions.

$pattern = '~[^A-Za-z]~';  //Allow only alpha characters.  This gets rid of whitespace, or HTML brackets, or quotes, commas, dashes, etc.
$name = preg_replace($pattern,'',$_POST['name']);

 

Lastly, I would pass it through mysql_real_escape_string().  This will add slashes for the DB, just like you stated.

mrMarcus Member

mrMarcus

Posted
Posted

If you are using mysql_real_escape_string() there is no need to addslashes.  Trim takes away whitespace from the ends, and strip_tags strips out any HTML. 

 

If you are checking by regex, you could eliminate all three of those functions.

$pattern = '~[^A-Za-z]~';  //Allow only alpha characters.  This gets rid of whitespace, or HTML brackets, or quotes, commas, dashes, etc.
$name = preg_replace($pattern,'',$_POST['name']);

 

Lastly, I would pass it through mysql_real_escape_string().  This will add slashes for the DB, just like you stated.

 

It will add slashes to what?  You have just stripped everything out other than the alphabet.  mysql_real_escape_string() would be a waste of time.

mrMarcus Member

mrMarcus

Posted
Posted

it will add slashes to ' and "

so this:

'

will be:

\'

I was referring to running a regex against a value such as the one previously described would prove escaping characters redundant.

 

For example:

 

<?php
$some_var = "John's special variable";

$stripped = preg_replace('/([^a-z\s]+)/i', '', $some_var); //$stripped = Johns special variable
?>

 

So, after using preg_replace, the need to escape any characters is not needed as the single quote was removed (replaced).

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.