
Suggestions and opinions on my sanitize function


rk8479


In my DB class I have a function to do a simple sanitize operation.

The function does three things:

1. Checks whether the input variable is an integer; if it is, then it gets the int value of the variable and returns it.

2. Checks whether the input variable is a string; if it is, then it escapes it and returns it.

3. If it is neither an integer nor a string, then the variable is unset and a "Variable deleted" message is returned.

function sanitizeData($dbc, $input){

    // 1. integers: intval() is applied and the value returned
    if(is_int($input)){
        $input = intval($input);
        return $input;
    // 2. strings: escaped for use in a query, then returned
    } elseif(is_string($input)){
        $input = mysqli_real_escape_string($dbc, $input);
        return $input;
    // 3. anything else: the local copy is unset and a message is returned
    } elseif(!is_int($input) OR !is_string($input)){
        unset($input);
        return "Variable contents unknown, variable deleted!";
    }
}

I wanted other people's ideas, opinions and suggestions on this function and what you think of it :)

Thanks

1. If it's already an integer, what's the need to cast it to an integer?

2. If you use prepared statements in mysqli or PDO, all escaping and testing will be done for you.

3. You can't unset the passed var from inside the function, and why would you? What if it's a float?

So far as I know there is really no need for sanitization functions if you use the newer libraries, unless you have specialized sanitization like stripping HTML or Javascript or portions thereof, etc.
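As an added example (not code from rk8479 or from either reply), here is the insert and lookup the original function was meant to protect, written with mysqli prepared statements as the reply recommends. The `users` table, its columns, the connection details and the helper names are assumptions; `get_result()` additionally assumes the mysqlnd driver.

```php
<?php
// Added example, not code from the thread: the same two operations done with
// mysqli prepared statements instead of sanitizeData().
// Assumes a hypothetical table `users` (id INT AUTO_INCREMENT, zip VARCHAR(10),
// email VARCHAR(255)) and PHP's mysqlnd driver (needed for get_result()).

// Make mysqli throw on errors so a failed prepare() cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function insertUser(mysqli $dbc, string $zip, string $email): int
{
    // The statement text reaches the server before any value does; the values
    // are bound separately, so they cannot alter the SQL structure.
    $stmt = $dbc->prepare('INSERT INTO users (zip, email) VALUES (?, ?)');
    // "ss": both values bound as strings, so a zip like "02134" keeps its leading zero.
    $stmt->bind_param('ss', $zip, $email);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

function findUserById(mysqli $dbc, int $id): ?array
{
    $stmt = $dbc->prepare('SELECT id, zip, email FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);   // "i": bound as an integer, no escaping involved
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function findUserByEmail(mysqli $dbc, string $email): ?array
{
    $stmt = $dbc->prepare('SELECT id, zip, email FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);  // "s": bound as a string, quotes are just characters
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage; the connection details are placeholders.
$dbc = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$dbc->set_charset('utf8mb4');   // the connection charset is what escaping would depend on; binding sidesteps it

$newId = insertUser($dbc, '02134', 'alice@example.com');
var_dump(findUserById($dbc, $newId));

// A quote in the bound value is compared against the email column as data;
// it never becomes part of the statement.
var_dump(findUserByEmail($dbc, "alice@example.com' OR '1'='1"));
```

Because the type letter passed to `bind_param()` ("i" or "s") decides how the value is sent, the caller's type-check-and-escape step disappears entirely; what remains is validating that the content is acceptable for the column, which is a separate concern from query safety.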

Also, the is_int and is_string functions test the type of the variable, not what's in them.

You can have a string variable that contains a number (all $_POST/$_GET variables are string variables, no matter what they contain.)

And you could have a value that looks like a number, such as a phone number or a zip code that only contains numerical characters, but is actually a string (with things like leading zeros) that, if you treat it as a number in your code, will be altered and won't have the same meaning as the value that was entered.
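An added illustration of the type-versus-content point (not part of either reply): a constructed `$_POST`-style array in which every value is a string, the effect of casting a zip code to int, and two small validators that check content and keep the zip code a string. The field names and the helper names are assumptions.

```php
<?php
// Added example, not from the thread: is_int()/is_string() check a variable's
// type, not its contents. Request data is always strings, and numeric-looking
// strings such as zip codes lose meaning when cast to int.

// Constructed stand-in for $_POST; every value is a string, whatever it looks like.
$post = ['id' => '42', 'zip' => '02134', 'phone' => '0015551234', 'age' => '3.5'];

// $post['id'] is the string "42", not the integer 42, so is_int() is false and
// sanitizeData() from the original post would take the string branch for it.
var_dump(is_int($post['id']));
var_dump(is_string($post['zip']));

// Casting the zip to int drops the leading zero, changing the value's meaning.
var_dump((int) $post['zip']);

// Validate by content, then choose the type the column actually needs.
function validateId(string $raw): ?int
{
    // FILTER_VALIDATE_INT rejects non-integers such as "3.5" and "42abc",
    // empty strings, and leading zeros ("007"); min_range rejects 0 and negatives.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function validateZip(string $raw): ?string
{
    // Kept as a string: exactly five ASCII digits, leading zeros preserved.
    return preg_match('/^\d{5}$/', $raw) === 1 ? $raw : null;
}

var_dump(validateId($post['id']));      // accepted and converted to int
var_dump(validateId($post['age']));     // "3.5" is not an integer, so null
var_dump(validateZip($post['zip']));    // stays the string "02134"
var_dump(validateZip($post['phone']));  // wrong length for a zip, so null
```

The validators decide what the value may contain and which PHP type it becomes; how it is then placed into a query is a separate question, which prepared statements answer regardless of the value's content.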
