
foreach () with if


Miss-Ruth


In the code below I want to proceed to the next step only after stripslashes and strip_tags have completed. How do I write this with an if?

 

$stripped = array('name', 'location', 'bio');

foreach ( $_POST as $k => $v ) {
    if ( in_array($k, $stripped) ) {
        ${$k} = strip_tags($v);
    }
} 

foreach ( $_POST as $p => $q ) {
    if ( in_array($p, $stripped) ) {
        ${$p} = stripslashes($q);
    }
}

 

Thanks,

Ruth.


Why are you looping through the array twice, and not just applying strip_tags() and addslashes() in the same loop? Anything you do after the loop(s) with the $_POST data will have been escaped, there's no need to use an IF conditional.

 

FYI

It's highly recommended to use a DBMS specific escape function (e.g. mysqli_real_escape_string() for MySQL or pg_escape_string() for PostgreSQL), but if the DBMS you're using doesn't have an escape function and the DBMS uses \ to escape special chars, you can use this function.

http://uk.php.net/manual/en/function.addslashes.php


$stripped = array('name', 'location', 'bio');

foreach ( $_POST as $k => $v ) {
    if ( in_array($k, $stripped) ) {
        ${$k} = strip_tags($v);
        ${$k} = htmlentities($v);   // was misspelled "htmlentitiess"
        ${$k} = stripslashes($v);
    }
}

 

Thanks.

 

I'm curious. Why isn't it blocking the bold tags <b>? I can pass bold tags via this code! It's supposed to remove them. Also I can pass \\ \n, \t, %0A...


I didn't notice you were declaring variable variables before. Your problem is you're declaring ${$k} as a new variable each time you pass $v through one of the functions. Try this:

 

        // replaces the three assignments inside the if block: each call now works on the previous result
        $v = strip_tags($v);
        $v = htmlentities($v);
        ${$k} = stripslashes($v);

 

That will keep overwriting $v and then store the result with all 3 functions applied into ${$k} - although I should stress, escaping input data should be done on a per-input basis. Also, you should only apply htmlentities() when you're outputting the data - not while you're processing the data. I'd also suggest using the DBMS specific escaping function as mentioned in my last post, at the point you insert the data into the database.
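The advice in the reply above (sanitize each field once, escape for HTML only when outputting, and let the database driver handle SQL escaping at insert time) put together in one runnable script. This is an added example, not code from the thread: the `$post` array stands in for `$_POST`, the `profiles` table is made up for the demo, and an in-memory SQLite database is used so it runs without a server.

```php
<?php
// Added example (not from the thread): sanitize the allow-listed POST fields in one
// pass without variable variables, escape for HTML at output time only, and store
// via a prepared statement so the driver does the SQL escaping.

function sanitize_fields(array $post, array $allowed): array
{
    $clean = [];
    foreach ($allowed as $field) {
        $value = isset($post[$field]) ? (string) $post[$field] : '';
        $value = trim($value);
        // stripslashes() was only ever needed to undo magic_quotes_gpc, which PHP
        // removed in 5.4; on a modern install it would just eat legitimate backslashes.
        $clean[$field] = strip_tags($value);
    }
    return $clean;
}

// HTML escaping belongs at the point of output, not in storage.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed input standing in for $_POST.
$post = [
    'name'     => 'Ruth <b>bold</b>',
    'location' => "O'Brien St & Co",
    'bio'      => '<script>alert(1)</script>Hello',
    'admin'    => '1',   // not in the allow-list, so it is ignored entirely
];

$clean = sanitize_fields($post, ['name', 'location', 'bio']);
// $clean['name'] === 'Ruth bold', $clean['bio'] === 'alert(1)Hello'

// Store with a prepared statement: no manual escaping and no quote() needed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE profiles (name TEXT, location TEXT, bio TEXT)');
$stmt = $pdo->prepare('INSERT INTO profiles (name, location, bio) VALUES (:name, :location, :bio)');
$stmt->execute($clean);

// Read back and escape for HTML on the way out.
$row = $pdo->query('SELECT name, location, bio FROM profiles')->fetch(PDO::FETCH_ASSOC);
foreach ($row as $field => $value) {
    echo $field, ': ', html($value), "\n";
}
// location prints as: O&#039;Brien St &amp; Co
```

The allow-list loop also drops any field the form was not expecting (the constructed `admin` key), which the original `in_array()` check achieved only as a side effect of iterating over `$_POST`.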


Thanks that solved my problem.

 

One more thing, I was asked to use these 3 functions along with preg_match to avoid email injection / hijacking. Is that sufficient? I came across something called the quote() function which is also useful to prevent hijacking. But I'm not sure how to use it.

 

DB interface class exposes some sort of quote() function

 

I'd appreciate it if you could share your knowledge on preventing these types of attacks.

 

Thanks,

Ruth.


If you're using PHP version > 5, you can use filter_var to validate an email:

 

if (filter_var($email, FILTER_VALIDATE_EMAIL)) {   // FILTER_VALIDATE_EMAIL, not FILTER_VALIDATE_URL
}

 

If < 5, just search around on Google for a regex to validate email addresses (just make sure it uses preg_match, not ereg).

 

quote() is not a standard PHP function, at a guess I'd say you're referring to the PDO extension's quote() method.
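Putting the two points of this answer to work: `filter_var()` with `FILTER_VALIDATE_EMAIL` for the address, an explicit check for the line breaks that email header injection depends on, and `PDO::quote()` for the case where a prepared statement cannot be used. This is an added example rather than code from the thread; the sample addresses are constructed, and SQLite in memory stands in for whatever database the poster uses.

```php
<?php
// Added example (not from the thread): validate a contact-form email address and
// refuse anything that could carry extra mail headers, then show what PDO::quote() does.

function valid_email(string $email): bool
{
    // Header injection needs a CR or LF in a value that ends up in a mail header.
    // A %0A / %0D in the request has already been URL-decoded by the time it is in $_POST,
    // so this checks the real control characters; FILTER_VALIDATE_EMAIL rejects them too,
    // but the explicit check documents the intent and survives future filter changes.
    if (preg_match('/[\r\n]/', $email)) {
        return false;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed samples with the expected verdict for each.
$samples = [
    'ruth@example.com'                            => true,
    'not an address'                              => false,
    "ruth@example.com\r\nBcc: someone@example.net" => false,  // injected header line
    'ruth@example.com%0ABcc:x@example.net'        => false,  // literal %0A: two @ signs, invalid
];

foreach ($samples as $email => $expected) {
    $ok = valid_email($email);
    printf("%-50s %s\n", json_encode($email), $ok ? 'accepted' : 'rejected');
    assert($ok === $expected);
}

// The quote() the poster read about is PDO::quote(): it returns the value wrapped in
// quotes with the driver's escaping applied. Prefer prepared statements; quote() is for
// the rare spot (e.g. a dynamically built IN list) where a placeholder cannot be used.
$pdo = new PDO('sqlite::memory:');
echo $pdo->quote("O'Brien"), "\n";   // 'O''Brien'
```

Validating the address does not by itself make `mail()` safe: any other value that is placed into a header (a name field, a subject line) needs the same CR/LF check.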
