Miss-Ruth Posted December 10, 2010

In the code I want to proceed to the next step only after stripslashes and strip_tags are completed. How do I put the code below with if?

    $stripped = array('name', 'location', 'bio');
    foreach ( $_POST as $k => $v ) {
        if ( in_array($k, $stripped) ) {
            ${$k} = strip_tags($v);
        }
    }
    foreach ( $_POST as $p => $q ) {
        if ( in_array($p, $stripped) ) {
            ${$p} = stripslashes($q);
        }
    }

Thanks, Ruth.

https://forums.phpfreaks.com/topic/221197-foreach-with-if/
Adam Posted December 10, 2010

Why are you looping through the array twice, and not just applying strip_tags() and addslashes() in the same loop? Anything you do after the loop(s) with the $_POST data will have been escaped; there's no need to use an IF conditional.

FYI: "It's highly recommended to use DBMS specific escape function (e.g. mysqli_real_escape_string() for MySQL or pg_escape_string() for PostgreSQL), but if the DBMS you're using doesn't have an escape function and the DBMS uses \ to escape special chars, you can use this function."

http://uk.php.net/manual/en/function.addslashes.php
Miss-Ruth (Author) Posted December 10, 2010

    $stripped = array('name', 'location', 'bio');
    foreach ( $_POST as $k => $v ) {
        if ( in_array($k, $stripped) ) {
            ${$k} = strip_tags($v);
            ${$k} = htmlentities($v);
            ${$k} = stripslashes($v);
        }
    }

Thanks. I'm curious. Why isn't it blocking the bold tags <b>? I can pass bold tags via this code! It's supposed to remove them. Also I can pass \\ \n, \t, %0A...
Adam Posted December 10, 2010

I didn't notice you were declaring variable variables before. Your problem is you're declaring ${$k} as a new variable each time you pass $v through one of the functions. Try this:

    $v = strip_tags($v);
    $v = htmlentities($v);
    ${$k} = stripslashes($v);

That will keep overwriting $v and then store the result with all 3 functions applied into ${$k} - although I should stress, escaping input data should be done on a per-input basis. Also, you should only apply htmlentities() when you're outputting the data - not while you're processing the data. I'd also suggest using the DBMS specific escaping function as mentioned in my last post, at the point you insert the data into the database.
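To make the overwrite bug concrete, here is an added example (not code from the thread) that runs Ruth's three-assignment loop and Adam's chained version side by side over a constructed $_POST-style array. The input values, the `sanitizeBuggy`/`sanitizeFixed` function names and the choice to return an array instead of creating variable variables are all assumptions made for this illustration.

```php
<?php
// Added example: contrast the overwriting bug with a single-pass sanitiser.
// $input is a constructed stand-in for $_POST.
$input = [
    'name'     => "Ru<b>th</b>",
    'location' => "O\\'Neil Street",          // backslash as magic_quotes would add it
    'bio'      => "<script>alert(1)</script>hello",
    'email'    => "ruth@example.com",         // not in the allow-list, left untouched
];

$allowed = ['name', 'location', 'bio'];

// Buggy form from the thread: every line derives from the untouched $v, so the
// last assignment (stripslashes) wins and strip_tags/htmlentities are discarded.
function sanitizeBuggy(array $post, array $allowed): array
{
    $out = [];
    foreach ($post as $k => $v) {
        if (in_array($k, $allowed, true)) {
            $out[$k] = strip_tags($v);
            $out[$k] = htmlentities($v);
            $out[$k] = stripslashes($v);   // overwrites the two results above
        }
    }
    return $out;
}

// Corrected form: each call consumes the previous result, one loop, and the
// values stay in an array so nothing clobbers existing globals.
function sanitizeFixed(array $post, array $allowed): array
{
    $out = [];
    foreach ($post as $k => $v) {
        if (!in_array($k, $allowed, true)) {
            continue;
        }
        $v = stripslashes($v);   // undo legacy magic-quotes escaping first
        $v = strip_tags($v);     // then drop markup
        $out[$k] = $v;           // store once; HTML-encode only at output time
    }
    return $out;
}

$buggy = sanitizeBuggy($input, $allowed);
$fixed = sanitizeFixed($input, $allowed);

// The buggy result still carries the <b> tags; the fixed one does not.
echo "buggy name: {$buggy['name']}\n";
echo "fixed name: {$fixed['name']}\n";
echo "fixed bio:  {$fixed['bio']}\n";

// Output-time escaping, as Adam recommends: encode where the value lands in HTML.
foreach ($fixed as $k => $v) {
    printf("<td>%s</td>\n", htmlentities($v, ENT_QUOTES, 'UTF-8'));
}
```

Keeping the cleaned values in an array rather than `${$k}` also means a request field named, say, `allowed` cannot overwrite one of the script's own variables, which is the main reason variable variables fed from $_POST are avoided.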
Miss-Ruth (Author) Posted December 10, 2010

Thanks, that solved my problem. One more thing, I was asked to use these 3 functions along with preg_match to avoid email injection/hijacking. Is that sufficient? I came across something called quote() function which is also useful to prevent hijacking. But I'm not sure how to use it. "DB interface class exposes some sort of quote() function". I'd appreciate it if you could share your knowledge in preventing these types of attacks.

Thanks, Ruth.
Adam Posted December 10, 2010

If you're using PHP version > 5, you can use filter_var to validate an email:

    if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
        // ...
    }

If < 5, just search around on Google for a regex to validate email addresses (just make sure it uses preg_match, not ereg). quote() is not a standard PHP function; at a guess I'd say you're referring to the PDO extension's quote() method.
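The following added example (not code from the thread or from PHP's documentation) shows the two things Adam points at: validating an address with `filter_var()` and `FILTER_VALIDATE_EMAIL`, and the PDO `quote()` method next to a prepared statement for the database side. It assumes PHP with the PDO SQLite driver available; the `validEmail` helper, the `users` table and the sample addresses are constructed for this illustration.

```php
<?php
// Added example: e-mail validation against header injection, then safe storage.

// Returns the normalised address, or false when it is not a valid e-mail.
// An injection attempt needs CR/LF to start a new mail header line, and
// FILTER_VALIDATE_EMAIL rejects any address containing such characters.
function validEmail($candidate)
{
    return filter_var(trim($candidate), FILTER_VALIDATE_EMAIL);
}

// Constructed inputs: one well-formed, two that must be refused.
$samples = [
    "ruth@example.com",
    "ruth@example.com\r\nBcc: someone@example.net",   // newline smuggled in
    "not an address",
];
foreach ($samples as $s) {
    printf("%-50s => %s\n", json_encode($s),
           validEmail($s) === false ? 'rejected' : 'accepted');
}

// Storage: PDO::quote() is the quote() method Adam guesses Ruth meant.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (name TEXT, email TEXT)");

$name  = "O'Neil";                 // the apostrophe would break naive concatenation
$email = validEmail($samples[0]);

// Option 1: escape with the driver's quote() and interpolate the quoted literal.
$sql = sprintf("INSERT INTO users (name, email) VALUES (%s, %s)",
               $pdo->quote($name), $pdo->quote($email));
$pdo->exec($sql);

// Option 2 (preferred): a prepared statement keeps data out of the SQL text
// entirely, so there is no escaping step that can be forgotten.
$stmt = $pdo->prepare("INSERT INTO users (name, email) VALUES (:name, :email)");
$stmt->execute([':name' => $name, ':email' => $email]);

foreach ($pdo->query("SELECT name, email FROM users") as $row) {
    printf("%s <%s>\n", $row['name'], $row['email']);
}
```

Note that `quote()` only protects the SQL statement; the e-mail check is what protects the mail headers, and the two are independent controls applied at different points (validation on input, quoting or parameter binding at the database call).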
Miss-Ruth (Author) Posted December 10, 2010

Thanks for your support Adam! Ruth.