
function_sanitize help


blepblep

Recommended Posts

Hi, wondering if anyone can help me here. I have the following sanitize function -

 

function sanitize_data($data)
{
    $data = mysql_real_escape_string(trim($data));
    // no return statement here, so the caller below receives NULL
}

$post = array();
foreach ($_POST as $key => $value) {
    $post[$key] = sanitize_data($value);
}
 

I need to change it to this function_sanitize -

 


// Rewrites $_POST in place. mysql_real_escape_string() needs an open
// mysql_* connection, so this must run after mysql_connect().
function sanitize_data()
{
    foreach ($_POST as $name => $value) {
        if (is_array($value)) {
            for ($i = 0; $i < count($value); $i++) {
                $value[$i] = htmlspecialchars($value[$i], ENT_QUOTES);
                $value[$i] = stripslashes($value[$i]);
                $value[$i] = mysql_real_escape_string($value[$i]);
            }
            $_POST[$name] = $value;
        } else {
            $_POST[$name] = htmlspecialchars($value, ENT_QUOTES);
            $_POST[$name] = stripslashes($_POST[$name]);
            $_POST[$name] = mysql_real_escape_string($_POST[$name]);
        }
    }
}
sanitize_data();

 

The reason I need to do this is because a user fills in a text field, but I get an SQL error when someone enters a special character like ' % ^ & " etc. The second function_sanitize I posted works in my other forms but for this one it doesn't.

 

Would anyone have any ideas how I can implement the second function into the first one? Or a way to enter special characters. Thanks


$post = filter_var_array($_POST,FILTER_SANITIZE_STRING);

that should do it :)

 

Where do I put that? In here?

 

function sanitize_data($data)
{
    $data = mysql_real_escape_string(trim($data));
    return $data;
}

$post = filter_var_array($_POST, FILTER_SANITIZE_STRING);

// this reassignment discards the filter_var_array() result above
$post = array();
foreach ($_POST as $key => $value) {
    $post[$key] = sanitize_data($value);
}


function sanitize_data($data)
{
    $data = mysql_real_escape_string(trim($data));        
}

The reason I need to do this is because a user fills in a text field, but I get an SQL error when someone enters a special character like ' % ^ & " etc. The second function_sanitize I posted works in my other forms but for this one it doesn't.

 

You get an SQL error because you're not returning the escaped data.

 

Also, I don't really understand the purpose of making a function that returns the data from another function. Why not just use the other function (mysql_real_escape_string()) in the first place?

 

This is another one of those times where someone is trying to mash all of their validation/sanitation into one convenient little place, which you will soon come to realize is just not possible.

 

Your function is now:

- Converting HTML to entities

- Stripping slashes

- Escaping the input

 

What if you had a certain piece of data in which you wanted to convert HTML to entities, and escape the input, but not strip the slashes? Now your function is useless.

 

A super-duper sanitize_all_the_things() function does not exist for a good reason. If you are grouping a bunch of sanitation into one function you are just limiting the usefulness of that function.

 

 

Now, to answer your original question, you can strip some characters with str_replace.

$illegal = array('%', '^', '&'); // place as much as you want in here

$str = 'this is % a string ^ with & illegal characters';

$str = str_replace($illegal, '', $str);

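The reply above argues for handling each context on its own instead of one sanitize-everything function, and the original question was how to accept characters like ' % ^ & " without SQL errors. The following is an added example, not code from the thread: it stores the raw value with a PDO prepared statement (an in-memory SQLite table stands in for the poster's MySQL table, so no escaping function is needed at all) and HTML-encodes only when rendering, then runs the same input through a copy of the thread's combined function for comparison. Prepared statements are a swap-in for the mysql_real_escape_string() the thread uses; inside the combined function addslashes() stands in for it because mysql_real_escape_string() needs a live connection and is gone in PHP 7. The table, column names and inputs are constructed for the example.

```php
<?php
// Added example (not from the original thread). Contrasts the "sanitize
// everything in one function" approach with per-context handling:
// bound parameters for SQL, htmlspecialchars() only at HTML output time.
// Assumptions: PDO with the sqlite driver is available; table name, columns
// and input values are constructed here.

declare(strict_types=1);

// The thread's combined approach, reproduced for comparison. addslashes()
// stands in for mysql_real_escape_string(), which needs an open mysql_*
// connection and was removed in PHP 7.
function sanitize_all_the_things(string $value): string
{
    $value = htmlspecialchars($value, ENT_QUOTES);
    $value = stripslashes($value);
    return addslashes($value);
}

// SQL context: the value travels as a bound parameter, so quotes, percent
// signs and ampersands never touch the SQL text and need no escaping.
function store_comment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function fetch_comment(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// HTML context: encode at the moment the value is placed into markup, not
// before it is stored.
function render_comment(array $row): string
{
    return sprintf(
        '<p><b>%s</b>: %s</p>',
        htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8')
    );
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed input containing the characters the poster reports errors on.
$author = "O'Brien";
$body   = 'Rate: 100% ^_^ & "quoted" <script>alert(1)</script>';

$id  = store_comment($db, $author, $body);
$row = fetch_comment($db, $id);

// The database holds exactly what the user typed.
echo 'Stored verbatim: ', var_export($row['body'] === $body, true), "\n";
// Entities appear only in the rendered HTML.
echo render_comment($row), "\n";

// The same input through the combined function: what would land in the
// database is no longer the user's text, so later searches, edits, or
// non-HTML output (an email, a JSON API) would carry entities and slashes.
echo 'Combined function, author: ', sanitize_all_the_things($author), "\n";
echo 'Combined function, body:   ', sanitize_all_the_things($body), "\n";
```

Run it with `php example.php`. The point to take from the two last lines of output is the reply's: once htmlspecialchars() has run, the stored value can only ever be shown in an HTML page, whereas the bound-parameter version leaves each context free to encode as it needs.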
