function


Ninjakreborn

[code]
<?php
function deepclean($varinfo) {
    if (is_array($varinfo)) {
        foreach ($varinfo as $v=>$k) {
            $varinfo = strip_tags($varinfo);
            $varinfo = htmlspecialchars($varinfo, ENT_NOQUOTES);
            $varinfo = htmlentities($varinfo);
            if (get_magic_quotes_gpc()) {
                $varinfo = mysql_real_escape_string($varinfo);
            } // end if
        } // end foreach
    } else {
        $varinfo = strip_tags($varinfo);
        $varinfo = htmlspecialchars($varinfo, ENT_NOQUOTES);
        $varinfo = htmlentities($varinfo);
        if (get_magic_quotes_gpc()) {
            $varinfo = mysql_real_escape_string($varinfo);
        }
    }

    return $varinfo; // return variable information
}
?>
[/code]
Ok, a few problems here.
1. I am trying to set up my function so that it uses arrays (or accepts them as well).
So if I pass it an array, for instance, I have an entire array
$_SESSION['user']
Everything in there is the user information
$_SESSION['user']['username']
$_SESSION['user']['password']
$_SESSION['user']['firstname']
$_SESSION['user']['lastname']
I want to be able to pass it
$userinfo = deepclean($_SESSION['user']);
It should take them all and clean them, and put them in the userinfo array, to get something like this:
echo $userinfo['username'];
echo $userinfo['password'];
echo $userinfo['firstname'];
echo $userinfo['lastname'];

2. Since some people may or may not be connected to a database, should I go ahead and use addslashes instead of mysql_real_escape_string for that part?


I've commented in my issues with the first condition of your code.
By all accounts though, you should be able to pass $_SESSION['user'] and get the result you'd like.

[code]
if (is_array($varinfo))
{
    // wait... it's key=>value, so $k=>$v, yeah?
    foreach ($varinfo as $v=>$k)
    {
        // $varinfo is still an array
        $varinfo = strip_tags($varinfo);  // <-- shouldn't this be $v? (or $k if you left it as is?)
        $varinfo = htmlspecialchars($varinfo, ENT_NOQUOTES); // <-- also $v
        $varinfo = htmlentities($varinfo);  // <-- also $v

        if (get_magic_quotes_gpc())  // use if (function_exists('get_magic_quotes_gpc'))
        {
            $varinfo = mysql_real_escape_string($varinfo);
            // why are you testing for the existence of one function, then using another?
            // you should probably echo out a message in the event that it doesn't exist.
        } // end if

    } // end foreach
}
[/code]


For the second part: go ahead and use mysql_real_escape_string, it will add just the slashes it needs to get by. addslashes() is indiscriminate.

[code]
<?php
function deepclean2($varinfo) {
    if (is_array($varinfo)) {
        foreach ($varinfo as $k=>$v) {
            $varinfo = strip_tags($v);
            $varinfo = htmlspecialchars($v, ENT_NOQUOTES);
            $varinfo = htmlentities($v);
            if (function_exists('get_magic_quotes_gpc')) {
                $varinfo = mysql_real_escape_string($v);
            } // end if
        } // end foreach
    } else {
        $varinfo = strip_tags($varinfo);
        $varinfo = htmlspecialchars($varinfo, ENT_NOQUOTES);
        $varinfo = htmlentities($varinfo);
        if (function_exists('get_magic_quotes_gpc')) {
            $varinfo = mysql_real_escape_string($varinfo);
        }
    }

    return $varinfo; // return variable information
}
?>
[/code]

[code]
<?php
$new = array(1 => "<script", 2 => "Hello", 3 => "What are you doing?", 4 => "<script></script>", 5 => "<p></p>", 6 => "a href");
$new = deepclean2($new);
echo $new[2];
?>
[/code]
Testing it, that is echoing h
Just using echo $new is echoing a href
It doesn't seem to be working. The reason I asked about mysql_real_escape_string too is that in my program the database doesn't start off as being on. So sometimes someone might not have the database connected but were just outputting something to the screen, that is my point.

Or my concern anyway.

The reason I call one function and then another without outputting errors is that this is meant to work without giving off any interference: call the function, and it cleans the variables.

Any other advice on how to make this function better? It was fine until I started trying to accommodate arrays.

Well, the first issue is that you're overwriting the variable ($varinfo) that you are wishing to hold the cleaned array with a new [b]String[/b] with each loop of the foreach(). You need to be assigning the cleaned values to the same key of the array in which they were originally contained:
[code]
<?php
// First, create a new array to hold the results:
foreach ($varinfo as $k=>$v) {
  $v = strip_tags($v);
  $v = htmlspecialchars($v, ENT_NOQUOTES);
  $v = htmlentities($v);
  if (get_magic_quotes_gpc()) {
    $v = mysql_real_escape_string($v);
  } // end if

  // Assign the $v back into the array
  $varinfo[$k] = $v;
} // end foreach
?>
[/code]

As to your second question, what is this function supposed to be for? If it is something you're sharing for people to use, you definitely want to allow for variants on your database connection, but if it's for an application you're writing, [b]you[/b] have to define whether or not they're going to be connected to the database. If you choose to allow for either one, I would recommend you add one parameter to the function that is a boolean value to tell whether or not the script has a database connection, and if TRUE, then use mysql_real_escape_string(), but if not, use addslashes()... although, what's the point of escaping at all if you're not putting it into a database? One other thought on that, if you're going that far to generalize, why not allow for different database connections and cleaning techniques such as pg_escape_string(), too?
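Putting the fix above together, as an added example that is not code from the thread: the cleaned value is written back to its own key, nested arrays are handled by recursion, and the SQL escaping step runs only when a mysqli connection (an assumed optional parameter, replacing the old mysql_* extension) is actually passed in. It also collapses the two HTML-encoding calls into one, because running htmlentities() after htmlspecialchars() double-encodes every ampersand.

```php
<?php
// Added example, not the thread's code. $db is an assumed optional
// parameter: pass a live mysqli connection to get SQL escaping as well.
function deepclean3($varinfo, $db = null) {
    if (is_array($varinfo)) {
        foreach ($varinfo as $k => $v) {
            // recurse so $_SESSION['user']['address']['city'] is cleaned too,
            // and store the result under the key it came from
            $varinfo[$k] = deepclean3($v, $db);
        }
        return $varinfo; // keys preserved, every leaf cleaned
    }
    $v = strip_tags((string) $varinfo);
    // one HTML-encoding pass; chaining htmlspecialchars() and htmlentities()
    // would turn "&" into "&amp;amp;" (double encoding)
    $v = htmlentities($v, ENT_QUOTES, 'UTF-8');
    if ($db instanceof mysqli) {
        // escape for SQL only when we really have the connection to use
        $v = mysqli_real_escape_string($db, $v);
    }
    return $v;
}

// constructed sample input, mirroring the test array from the thread
$new = array(1 => "<script", 2 => "Hello", 3 => "What are you doing?",
             4 => "<script></script>", 5 => "<p></p>", 6 => "a href",
             7 => array('quote' => "O'Reilly & Sons"));
$clean = deepclean3($new);        // no database: HTML cleaning only
echo $clean[2], "\n";             // Hello
echo $clean[6], "\n";             // a href
echo $clean[7]['quote'], "\n";    // O&#039;Reilly &amp; Sons
?>
```

Because encoding for HTML and escaping for SQL are different jobs, the SQL step is the one a caller opts into; output that never reaches a query should not be escaped for one.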

It's for personal use, but I am releasing my personal programmer assistant on the side once it's been severely beefed up and changed, in case anyone else wants to use it; if it takes off I might release it as a full open source project. Right now it only accepts MySQL, because I don't do a lot with other database platforms yet. When I get more projects on them, then I will start making it more compatible, or will later on, when the time comes.

That was a good idea. I will check if they have the database turned on; if so, run escape string, if not, run the other. Or better yet, have the option to choose whether they want to run the database situation or the standard (addslashes).