blepblep Posted August 31, 2012

Hi, wondering can anyone help me here. I have the following function sanitize:

function sanitize_data($data) {
    $data = mysql_real_escape_string(trim($data));
}

$post = array();
foreach ($_POST as $key => $value) {
    $post[$key] = sanitize_data($value);
}

I need to change it to this function_sanitize:

function sanitize_data() {
    foreach ($_POST as $name => $value) {
        if (is_array($value)) {
            for ($i = 0; $i < count($value); $i++) {
                $value[$i] = htmlspecialchars($value[$i], ENT_QUOTES);
                $value[$i] = stripslashes($value[$i]);
                $value[$i] = mysql_real_escape_string($value[$i]);
            }
            $_POST[$name] = $value;
        } else {
            $_POST[$name] = htmlspecialchars($value, ENT_QUOTES);
            $_POST[$name] = stripslashes($_POST[$name]);
            $_POST[$name] = mysql_real_escape_string($_POST[$name]);
        }
    }
}
sanitize_data();

The reason I need to do this is because a user fills in a text field, but I get an SQL error when someone enters a special character like ' % ^ & " etc. The second function_sanitize I posted works in my other forms but for this one it doesn't. Would anyone have any ideas how I can implement the second function into the first one? Or a way to enter special characters. Thanks

Link to comment https://forums.phpfreaks.com/topic/267851-function_sanitize-help/
gristoi Posted August 31, 2012

$post = filter_var_array($_POST, FILTER_SANITIZE_STRING);

that should do it
blepblep (Author) Posted August 31, 2012

> $post = filter_var_array($_POST, FILTER_SANITIZE_STRING);
> that should do it

Where do I put that? In here?

function sanitize_data($data) {
    $data = mysql_real_escape_string(trim($data));
    return $data;
}

$post = filter_var_array($_POST, FILTER_SANITIZE_STRING);
$post = array();
foreach ($_POST as $key => $value) {
    $post[$key] = sanitize_data($value);
}
scootstah Posted August 31, 2012

> function sanitize_data($data) {
>     $data = mysql_real_escape_string(trim($data));
> }
>
> The reason I need to do this is because a user fills in a text field, but I get an SQL error when someone enters a special character like ' % ^ & " etc. The second function_sanitize I posted works in my other forms but for this one it doesn't.

You get an SQL error because you're not returning the escaped data. Also, I don't really understand the purpose of making a function that returns the data from another function. Why not just use the other function (mysql_real_escape_string()) in the first place?

This is another one of those times where someone is trying to mash all of their validation/sanitation into one convenient little place, which you will soon come to realize is just not possible. Your function is now:

- Converting HTML to entities
- Stripping slashes
- Escaping the input

What if you had a certain piece of data in which you wanted to convert HTML to entities, and escape the input, but not strip the slashes? Now your function is useless. A super-duper sanitize_all_the_things() function does not exist for a good reason. If you are grouping a bunch of sanitation into one function you are just limiting the usefulness of that function.

Now, to answer your original question, you can strip some characters with str_replace.

$illegal = array('%', '^', '&'); // place as much as you want in here
$str = 'this is % a string ^ with & illegal characters';
$str = str_replace($illegal, '', $str);
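The two points made in this thread (the helper returns nothing, and SQL escaping and HTML escaping are separate jobs) can be shown end to end in one script. The following is an added example written for this page, not code from any of the posters. It assumes PHP 7.1 or later with the bundled pdo_sqlite extension, so it runs against an in-memory table instead of a MySQL server; the table, the `insert_comment`, `fetch_comment`, `escape_for_html` and `sanitize_data_no_return` functions, and the posted values are all constructed here. It goes one step beyond the thread by using bound parameters rather than a string-escaping function for the SQL side, so the stored text is never altered and the special characters from the question cannot break the query.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.1+ with pdo_sqlite so it
// runs offline; every table, function and input value below is constructed.

// 1. The helper as posted in the question: it escapes $data but never returns
//    it, so the caller receives NULL. addslashes() stands in here because
//    mysql_real_escape_string() needs a live MySQL link (and is gone in PHP 7).
function sanitize_data_no_return($data) {
    $data = addslashes(trim($data));
}

// 2. One job per function: SQL safety comes from bound parameters, HTML
//    safety from escaping at output time, and neither step changes the
//    value that gets stored.
function insert_comment(PDO $db, string $author, string $body): int {
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function fetch_comment(PDO $db, int $id): ?array {
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function escape_for_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// 3. Run it against a constructed in-memory table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY AUTOINCREMENT, author TEXT, body TEXT)');

// Constructed form input containing the characters the question says break the query.
$posted = ['author' => "O'Brien", 'body' => "100% done ^ & \"quoted\" -- it's fine"];

// The posted helper loses the value entirely: NULL, not an escaped string.
var_dump(sanitize_data_no_return($posted['body']));

$id  = insert_comment($db, $posted['author'], $posted['body']);
$row = fetch_comment($db, $id);

// The stored text is exactly what the user typed: no slashes added, none stripped.
if ($row === null || $row['body'] !== $posted['body'] || $row['author'] !== $posted['author']) {
    throw new RuntimeException('stored value was altered');
}

// Escape only when rendering, so the apostrophe and quotes cannot break the HTML.
echo escape_for_html($row['author']), ': ', escape_for_html($row['body']), PHP_EOL;
```

Keeping `$_POST` untouched and escaping per destination is what makes the "escape HTML but not strip slashes" case from the reply above trivial: each output context calls only the function it needs, and the database always holds the original text.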