Jump to content

function_sanitize help


blepblep

Recommended Posts

Hi, wondering can anyone help me here. I have the following function sanitize -

 

function sanitize_data($data)
    {
        $data = mysql_real_escape_string(trim($data));
        
    }

$post = array(); 
foreach($_POST as $key =>$value){
$post[$key] = sanitize_data($value);

 

I need to change it to this function_sanitize -

 


function sanitize_data()
{
foreach($_POST as $name => $value)
{
	if (is_array($value))
	{
		for ($i = 0; $i < count($value); $i++)
		{
			$value[$i] = htmlspecialchars($value[$i], ENT_QUOTES);
			$value[$i] = stripslashes($value[$i]);
			$value[$i] = mysql_real_escape_string($value[$i]);
		}
		$_POST[$name] = $value;
	}
	else
	{
		$_POST[$name] = htmlspecialchars($value, ENT_QUOTES);
		$_POST[$name] = stripslashes($_POST[$name]);
		$_POST[$name] = mysql_real_escape_string($_POST[$name]);
	}
}
}
sanitize_data();

 

The reason I need to do this is because a user fills in a text field, but I get an SQL error when someone enters a special character like ' % ^ & " etc. The second function_sanitize I posted works in my other forms but for this one it doesnt.

 

Would anyone have any ideas how I can implement the second function into the first one? Or a way to enter special characters. Thanks

Link to comment
Share on other sites

$post = filter_var_array($_POST,FILTER_SANITIZE_STRING);

that should do it :)

 

Where do I put that? In here?

 

function sanitize_data($data)
    {
        $data = mysql_real_escape_string(trim($data));
        return $data;
    }

$post = filter_var_array($_POST,FILTER_SANITIZE_STRING);
    
$post = array(); 
foreach($_POST as $key =>$value){
$post[$key] = sanitize_data($value);

Link to comment
Share on other sites

function sanitize_data($data)
{
    $data = mysql_real_escape_string(trim($data));        
}

The reason I need to do this is because a user fills in a text field, but I get an SQL error when someone enters a special character like ' % ^ & " etc. The second function_sanitize I posted works in my other forms but for this one it doesnt.

 

You get an SQL error because you're not returning the escaped data.

 

Also, I don't really understand the purpose of making a function that returns the data from another function. Why not just use the other function (mysql_real_escape_string()) in the first place?

 

This is another one of those times where someone is trying to mash all of their validation/sanitation into one convenient little place, which you will soon come to realize is just not possible.

 

Your function is now:

- Converting HTML to entities

- Stripping slashes

- Escaping the input

 

What if you had a certain piece of data in which you wanted to convert HTML to entities, and escape the input, but not strip the slashes? Now your function is useless.

 

A super-duper sanitize_all_the_things() function does not exist for a good reason. If you are grouping a bunch of sanitation into one function you are just limiting the usefulness of that function.

 

 

Now, to answer your original question, you can strip some characters with str_replace.

$illegal = array('%', '^', '&'); // place as much as you want in here

$str = 'this is % a string ^ with & illegal characters';

$str = str_replace($illegal, '', $str);

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.