jalmz Posted November 8, 2011

Hi guys, do you have any idea on how to sanitize this code? Using FILTER_SANITIZE_STRING, FILTER_VALIDATE_IP, etc.? Thanks

    <form action="rnrequest.php" method="POST">
    <table class="txt2">
    <tr><td>Song title: </td><td><input type="text" name="song" value="" class="texta"></td></tr>
    <tr><td>Artist: </td><td><input type="text" name="artist" value=""></td></tr>
    <tr><td>Your name: </td><td><input type="text" name="name" value=""></td></tr>
    <tr><td>Greetings: </td><td><textarea name="greetings"></textarea></td></tr>
    </table>
    <input type="submit" name="submit" value="Send">
    </form>
    </div>

    <?php
    if (isset($_POST['submit'])) {
        $reg = "yes"; // assumed: the original script sets this before the checks below
        // $ip is set earlier in the original script (not shown here)
        if (empty($_POST['name'])) {
            echo "Sorry, you haven't supplied your name<br />";
            $reg = "no";
        }
        // $ip is interpolated straight into the query text
        $sql = "SELECT COUNT(*) FROM request_song WHERE ip='{$ip}'";
        $result = mysql_query($sql);
        if (mysql_result($result, 0) > 0) {
            echo "Sorry, You already wished for one song, you cannot request for another until the DJ's have seen your request..<br />";
            $reg = "no";
        }
        if ($reg == "yes") {
            $dt2 = date("Y-m-d H:i:s");
            // raw $_POST values are interpolated straight into the INSERT
            $sql = "INSERT INTO request_song(song, artist, name, greetings, ip, date)
                    VALUES('{$_POST['song']}', '{$_POST['artist']}', '{$_POST['name']}', '{$_POST['greetings']}', '{$ip}', '$dt2')";
            mysql_query($sql);
        }
    }
    ?>
joel24 Posted November 8, 2011

Yeah, FILTER_SANITIZE_STRING or mysql_real_escape_string(). Have a look around on Google or search through the forum topics; there are many different ways to do this.
watsmyname Posted November 8, 2011

Hi

    <?php
    function sanitize($var, $sanitize = '1')
    {
        // undo magic_quotes_gpc escaping so the value is escaped exactly once below
        if (get_magic_quotes_gpc()) {
            $var = stripslashes($var);
        }
        // sanitizing: strip tags and encode quotes (filter_var needs PHP 5.2+)
        if ($sanitize == '1' && function_exists("filter_var")) {
            $returnvar = filter_var($var, FILTER_SANITIZE_STRING);
        } else {
            $returnvar = $var;
        }
        // using mysql real escape string; it needs an open mysql connection
        if (function_exists("mysql_real_escape_string")) {
            $returnvar = mysql_real_escape_string($returnvar);
        } else {
            $returnvar = addslashes($returnvar);
        }
        return $returnvar;
    }
    ?>

You use the function like this

    <?php $name = sanitize($_POST["name"]); ?>

Hope this helps
watsmyname
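Pulling the thread's suggestions together, here is an added example (not code from any poster in this thread) of the OP's one-request-per-IP check and INSERT with the user input bound as parameters through mysqli prepared statements, so no escaping function is needed for the SQL at all, plus FILTER_VALIDATE_IP for the client address. It assumes the request_song table from the OP's code, PHP 7 or later, and the placeholder connection details below.

```php
<?php
// Added example, not a poster's code: the OP's "one request per IP" check and
// INSERT rewritten so that user input is bound as parameters, never pasted
// into the SQL string. Assumes the OP's request_song table, PHP 7+, and the
// placeholder connection details below.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    exit('Database connection failed.'); // keep connect_error out of the page
}
$db->set_charset('utf8mb4');

// Validate the client address with FILTER_VALIDATE_IP instead of trusting it.
$ip = filter_var($_SERVER['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
if ($ip === false) {
    exit('Could not determine your IP address.');
}

if (isset($_POST['submit'])) {
    // Trim and length-limit the fields; no escaping here, because parameter
    // binding keeps the values out of the SQL text entirely.
    $song      = mb_substr(trim($_POST['song'] ?? ''), 0, 200);
    $artist    = mb_substr(trim($_POST['artist'] ?? ''), 0, 200);
    $name      = mb_substr(trim($_POST['name'] ?? ''), 0, 100);
    $greetings = mb_substr(trim($_POST['greetings'] ?? ''), 0, 1000);
    if ($name === '') {
        exit("Sorry, you haven't supplied your name<br />");
    }

    $stmt = $db->prepare('SELECT COUNT(*) FROM request_song WHERE ip = ?');
    $stmt->bind_param('s', $ip);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    if ($count > 0) {
        exit("Sorry, you already requested a song; wait until the DJs have seen it.<br />");
    }

    $stmt = $db->prepare('INSERT INTO request_song (song, artist, name, greetings, ip, date)
                          VALUES (?, ?, ?, ?, ?, NOW())');
    $stmt->bind_param('sssss', $song, $artist, $name, $greetings, $ip);
    $stmt->execute();
    $stmt->close();

    // Escaping for HTML happens at output time, not before storage.
    echo 'Thanks, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ', your request was recorded.';
}
```

FILTER_SANITIZE_STRING and mysql_real_escape_string() are both deprecated in later PHP releases; parameter binding does not depend on either.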