jalmz Posted November 8, 2011

Hi guys, do you have any idea on how to sanitize this code? Using FILTER_SANITIZE_STRING, FILTER_VALIDATE_IP, etc.? Thanks

```html
<form action="rnrequest.php" method="POST">
<table class="txt2">
<tr><td>Song title: </td><td><input type="text" name="song" value="" class=".texta"></td></tr>
<tr><td>Artist: </td><td><input type="text" name="artist" value=""></td></tr>
<tr><td>Your name: </td><td><input type="text" name="name" value=""></td></tr>
<tr><td>Greetings: </td><td><textarea name="greetings"></textarea></td></tr>
</table>
<input type="submit" name="submit" value="Send">
</form>
</div>
```

```php
<?php
if (isset($_POST['submit'])) {
    // Assumed: the posted snippet never sets $reg or $ip; the checks below
    // only ever set $reg to "no", so it must start as "yes" for the insert to run.
    $reg = "yes";
    $ip = $_SERVER['REMOTE_ADDR'];

    if (empty($_POST['name'])) {
        echo "Sorry, you haven't supplied your name<br />";
        $reg = "no";
    }

    // One request per address until the DJs have seen it
    $sql = "SELECT COUNT(*) FROM request_song WHERE ip='{$ip}'";
    $result = mysql_query($sql);
    if (mysql_result($result, 0) > 0) {
        echo "Sorry, You already wished for one song, you cannot request for another until the DJ's have seen your request..<br />";
        $reg = "no";
    }

    if ($reg == "yes") {
        $dt2 = date("Y-m-d H:i:s");
        // The raw $_POST values are interpolated straight into the SQL here;
        // this is the part the question asks how to sanitize.
        $sql = "INSERT INTO request_song(song, artist, name, greetings, ip, date)
                VALUES('{$_POST['song']}', '{$_POST['artist']}', '{$_POST['name']}', '{$_POST['greetings']}', '{$ip}', '$dt2')";
        mysql_query($sql);
    }
}
?>
```

https://forums.phpfreaks.com/topic/250672-how-to-sanitize-this-code/
joel24 Posted November 8, 2011

Yeah, FILTER_SANITIZE_STRING or mysql_real_escape_string(): have a look around on Google or search through the forum topics; there are many different ways to do this.

https://forums.phpfreaks.com/topic/250672-how-to-sanitize-this-code/#findComment-1286137
watsmyname Posted November 8, 2011

Hi

```php
<?php
function sanitize($var, $sanitize = '1')
{
    // Strip any backslashes already present in the input
    $var = str_replace("\\", "", $var);

    // Optionally run the PHP filter extension's string sanitizer (strips tags)
    if ($sanitize == '1') {
        if (function_exists("filter_var")) {
            $returnvar = filter_var($var, FILTER_SANITIZE_STRING);
        } else {
            $returnvar = $var;
        }
    } else {
        $returnvar = $var;
    }

    // Add slashes only when magic_quotes_gpc has not already done so
    if (!get_magic_quotes_gpc()) {
        $returnvar = addslashes($returnvar);
    }

    // Escape for MySQL with mysql_real_escape_string when available
    if (function_exists("mysql_real_escape_string")) {
        $returnvar = mysql_real_escape_string($returnvar);
    } else {
        $returnvar = addslashes($returnvar);
    }

    return $returnvar;
}
?>
```

You use the function like this:

```php
<?php
$name = sanitize($_POST["name"]);
?>
```

Hope this helps

watsmyname

https://forums.phpfreaks.com/topic/250672-how-to-sanitize-this-code/#findComment-1286143
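The following is an added example and not code from either post above. It rebuilds the request handler from the question so that the database never sees unescaped user text: every value is passed as a bound parameter of a PDO prepared statement, FILTER_VALIDATE_IP is applied to the client address (the one place where that filter fits), and output to the browser is escaped with htmlspecialchars() at the point of echo rather than on the way into the database. The table name and columns come from the question; the DSN, user name and password constants are placeholders, and the array destructuring syntax assumes PHP 7.1 or later.

```php
<?php
// Added example: the song-request handler from the question, rebuilt around
// PDO prepared statements plus filter_var() validation. Not code from the thread.
// Assumed: MySQL table request_song(song, artist, name, greetings, ip, date) as
// in the question; the connection constants below are placeholders.
declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=radio;charset=utf8mb4'; // placeholder
const DB_USER = 'radio_app';                                           // placeholder
const DB_PASS = 'change-me';                                           // placeholder

/**
 * Validate the submitted form. Returns [cleanValues, errors].
 * Nothing here escapes for SQL: that is the prepared statement's job.
 */
function validateRequest(array $post, string $remoteAddr): array
{
    $errors = [];
    $clean  = [];

    // Length limits keep oversize input out of the table; trimming stops a
    // name made only of spaces from passing the "supplied your name" check.
    $limits = ['song' => 200, 'artist' => 200, 'name' => 100, 'greetings' => 1000];
    foreach ($limits as $field => $max) {
        $value = trim((string)($post[$field] ?? ''));
        if ($field === 'name' && $value === '') {
            $errors[] = "Sorry, you haven't supplied your name";
        }
        if (strlen($value) > $max) {
            $errors[] = "$field is too long (max $max bytes)";
        }
        $clean[$field] = $value;
    }

    // FILTER_VALIDATE_IP belongs on the client address, not on free-text fields.
    $ip = filter_var($remoteAddr, FILTER_VALIDATE_IP);
    if ($ip === false) {
        $errors[] = 'Could not determine your address';
    }
    $clean['ip'] = $ip;

    return [$clean, $errors];
}

/** True when this address already has a pending request (the original COUNT(*) check). */
function hasPendingRequest(PDO $db, string $ip): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM request_song WHERE ip = :ip');
    $stmt->execute([':ip' => $ip]);
    return (int)$stmt->fetchColumn() > 0;
}

/** Insert with bound parameters: user text cannot change the statement's structure. */
function storeRequest(PDO $db, array $clean): void
{
    $stmt = $db->prepare(
        'INSERT INTO request_song (song, artist, name, greetings, ip, date)
         VALUES (:song, :artist, :name, :greetings, :ip, :date)'
    );
    $stmt->execute([
        ':song'      => $clean['song'],
        ':artist'    => $clean['artist'],
        ':name'      => $clean['name'],
        ':greetings' => $clean['greetings'],
        ':ip'        => $clean['ip'],
        ':date'      => date('Y-m-d H:i:s'),
    ]);
}

if (isset($_POST['submit'])) {
    [$clean, $errors] = validateRequest($_POST, $_SERVER['REMOTE_ADDR'] ?? '');

    $db = new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, no client-side quoting
    ]);

    if (!$errors && hasPendingRequest($db, $clean['ip'])) {
        $errors[] = 'Sorry, you already wished for one song; you cannot request another '
                  . 'until the DJs have seen your request.';
    }

    if ($errors) {
        // Escape for the browser at output time: HTML is the context here, not SQL.
        foreach ($errors as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br />";
        }
    } else {
        storeRequest($db, $clean);
        echo 'Thanks, your request has been sent.';
    }
}
```

Two points about the escaping approach in the replies above. Running addslashes() and then mysql_real_escape_string() on the same string escapes the backslashes a second time, so the value stored in the table is not what the user typed; with bound parameters no escaping step exists to get wrong. The mysql_* functions themselves were removed in PHP 7, so the example uses PDO, where the same prepared-statement pattern also covers the COUNT(*) lookup on the IP column.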
Archived
This topic is now archived and is closed to further replies.