blepblep, posted August 31, 2012

Hi, wondering can anyone help me here. I have the following function sanitize:

    function sanitize_data($data) {
        $data = mysql_real_escape_string(trim($data));
    }

    $post = array();
    foreach ($_POST as $key => $value) {
        $post[$key] = sanitize_data($value);
    }

I need to change it to this function_sanitize:

    function sanitize_data() {
        foreach ($_POST as $name => $value) {
            if (is_array($value)) {
                for ($i = 0; $i < count($value); $i++) {
                    $value[$i] = htmlspecialchars($value[$i], ENT_QUOTES);
                    $value[$i] = stripslashes($value[$i]);
                    $value[$i] = mysql_real_escape_string($value[$i]);
                }
                $_POST[$name] = $value;
            } else {
                $_POST[$name] = htmlspecialchars($value, ENT_QUOTES);
                $_POST[$name] = stripslashes($_POST[$name]);
                $_POST[$name] = mysql_real_escape_string($_POST[$name]);
            }
        }
    }

    sanitize_data();

The reason I need to do this is because a user fills in a text field, but I get an SQL error when someone enters a special character like ' % ^ & " etc. The second function_sanitize I posted works in my other forms but for this one it doesn't. Would anyone have any ideas how I can implement the second function into the first one? Or a way to enter special characters. Thanks

https://forums.phpfreaks.com/topic/267851-function_sanitize-help/
gristoi, posted August 31, 2012

    $post = filter_var_array($_POST, FILTER_SANITIZE_STRING);

that should do it
blepblep (Author), posted August 31, 2012

> $post = filter_var_array($_POST, FILTER_SANITIZE_STRING);
> that should do it

Where do I put that? In here?

    function sanitize_data($data) {
        $data = mysql_real_escape_string(trim($data));
        return $data;
    }

    $post = filter_var_array($_POST, FILTER_SANITIZE_STRING);

    $post = array();
    foreach ($_POST as $key => $value) {
        $post[$key] = sanitize_data($value);
    }
scootstah, posted August 31, 2012

> function sanitize_data($data) {
>     $data = mysql_real_escape_string(trim($data));
> }
>
> The reason I need to do this is because a user fills in a text field, but I get an SQL error when someone enters a special character like ' % ^ & " etc. The second function_sanitize I posted works in my other forms but for this one it doesn't.

You get an SQL error because you're not returning the escaped data.

Also, I don't really understand the purpose of making a function that returns the data from another function. Why not just use the other function (mysql_real_escape_string()) in the first place?

This is another one of those times where someone is trying to mash all of their validation/sanitation into one convenient little place, which you will soon come to realize is just not possible. Your function is now:

- Converting HTML to entities
- Stripping slashes
- Escaping the input

What if you had a certain piece of data in which you wanted to convert HTML to entities, and escape the input, but not strip the slashes? Now your function is useless. A super-duper sanitize_all_the_things() function does not exist for a good reason. If you are grouping a bunch of sanitation into one function you are just limiting the usefulness of that function.

Now, to answer your original question, you can strip some characters with str_replace.

    $illegal = array('%', '^', '&'); // place as much as you want in here
    $str = 'this is % a string ^ with & illegal characters';
    $str = str_replace($illegal, '', $str);
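The two points raised above (the missing return, and one helper per concern instead of one sanitize-everything function), as an added example that is not code from the thread. The `$escape` closure stands in for the real escaping call so the file runs without a database, and `$post` is constructed sample input in place of `$_POST`.

```php
<?php
// Added example, not from the thread. Each helper RETURNS its result; the first
// sanitize_data() in the thread escaped $data and then discarded it, so every
// $post[$key] was NULL and the query broke as soon as the input held a quote.

// 1. Escape a scalar, or every leaf of an array (checkbox groups etc.), for use
//    inside a quoted SQL string literal. The escaping function is passed in so the
//    same code works with mysql_real_escape_string (the thread's PHP 5 API) or
//    mysqli_real_escape_string.
function escape_for_sql($value, callable $escape) {
    if (is_array($value)) {
        return array_map(function ($v) use ($escape) {
            return escape_for_sql($v, $escape);
        }, $value);
    }
    return $escape(trim($value));
}

// 2. Encode for HTML output only at render time, never before storing: the
//    database should hold the raw text, not &amp;-encoded copies of it.
function escape_for_html($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input standing in for $_POST (assumed field names).
$post = array(
    'name' => "O'Reilly & Sons",
    'tags' => array('50% off', 'a^b'),
);

// Stand-in for mysqli_real_escape_string($link, $s): addslashes() covers the
// quote and backslash cases this thread is about, so no connection is needed.
$escape = function ($s) { return addslashes($s); };

$clean = array();
foreach ($post as $key => $value) {
    $clean[$key] = escape_for_sql($value, $escape); // keep the return value
}

// Only ' " and \ need escaping inside a quoted literal; % ^ & are not special
// there, so they were never the cause of the error on their own.
$sql = "INSERT INTO customers (name) VALUES ('" . $clean['name'] . "')";
var_dump($sql);

// Alternative the thread does not cover: with a prepared statement the value is
// bound as data and no string escaping is needed at all.
// $stmt = $pdo->prepare('INSERT INTO customers (name) VALUES (?)');
// $stmt->execute(array($post['name']));

var_dump(escape_for_html($post['name']));
```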