rk8479 Posted August 30, 2013 Share Posted August 30, 2013 In my DB class i have a function to do a simple sanitize operation. The function does three things: 1. checks weather the input variable is a integer, if it is then it gets the int value of the variable and returns it. 2. checks weather the input variable is a string, if it is then it escapes it and returns it. 3. if it is neither an integer or a string then the variable is unset and returns a "Variable deleted" message. function sanitizeData($dbc, $input){ if(is_int($input)){ $input = intval($input); return $input; } elseif(is_string($input)){ $input = mysqli_real_escape_string($dbc, $input); return $input; } elseif(!is_int($input) OR !is_string($input)){ unset($input); return "Variable contents unknown, variable deleted!"; } } I wanted other peoples ideas, opinions and suggestions on this function and what you think of it Thanks Quote Link to comment https://forums.phpfreaks.com/topic/281702-suggestions-and-opinions-on-my-sanitize-function/ Share on other sites More sharing options...
AbraCadaver Posted August 30, 2013 Share Posted August 30, 2013 (edited) 1. If it's already an integer what's the need to cast it to an integer? 2. If you use prepared statements in mysli or PDO all escaping and testing will be done for you. 3.You can't unset the passed var from inside the function and why would you? What if it's a float?. So far as I know there is really no need for sanitization functions if you use the newer libraries, unless you have specialized sanitization like stripping HTML or Javascript or portions thereof, etc. Edited August 30, 2013 by AbraCadaver Quote Link to comment https://forums.phpfreaks.com/topic/281702-suggestions-and-opinions-on-my-sanitize-function/#findComment-1447458 Share on other sites More sharing options...
mac_gyver Posted August 30, 2013 Share Posted August 30, 2013 also, the is_int and is_string functions test the type of the variable, not what's in them. you can have a string variable that contains a number (all $_POST/$_GET variables are strings variables, no matter what they contain.) and you could have a value that looks like a number, such as a phone number or a zip code that only contains numerical characters, but it is actually a string (with things like leading zero's) that if you treat it as a number in your code, it will be altered and won't have the same meaning as the value that was entered. Quote Link to comment https://forums.phpfreaks.com/topic/281702-suggestions-and-opinions-on-my-sanitize-function/#findComment-1447460 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.