Jessica, posted March 8, 2006

Hi :) Right now I have a few functions I am using for when a user submits info, which strip out anything that could be dangerous. Is there anything else I need to add, or do they look okay as is? Here are two of them:

[code]
// Strips HTML tags from a POST field and escapes it for use in a MySQL query.
function safe_POST($item)
{
    $item = mysql_real_escape_string(strip_tags($_POST[$item]));
    return $item;
}

// Coerces a GET field to an integer.
function safe_int_GET($item)
{
    $item = intval($_GET[$item]);
    return $item;
}
[/code]

Thread: https://forums.phpfreaks.com/topic/4461-safe-handling-of-user-submitted-variables/
XenoPhage, posted March 8, 2006

[quote=jesirose]Hi :) Right now I have a few functions I am using for when a user submits info, which strip out anything that could be dangerous. Is there anything else I need to add, or do they look okay as is? Here are two of them:

[code]
function safe_POST($item)
{
    $item = mysql_real_escape_string(strip_tags($_POST[$item]));
    return $item;
}

function safe_int_GET($item)
{
    $item = intval($_GET[$item]);
    return $item;
}
[/code][/quote]

Well, that's one way to do it. You can also use preg_match() to ensure that the data is exactly what you're looking for. Then wrap it from there if you need to insert it into a database.
lessthanthree, posted March 8, 2006

Just to add: if you're expecting numbers, as well as using intval you could use is_numeric().
Jessica (Author), posted March 8, 2006

[quote=lessthanthree]Just to add: if you're expecting numbers, as well as using intval you could use is_numeric().[/quote]

Why would I do that? Doesn't that just find out if it is a number, whereas intval returns the numeric value? Can you explain the value of checking if it's a number? Thanks :)
lessthanthree, posted March 8, 2006

The only real advantage it has over intval is that if you are definitely expecting a number you can use something like

[code]
if (!is_numeric($_GET["id"])) {
    // print some kind of error
}
[/code]

which can quite often be useful, as it is therefore obvious that characters have been submitted. This would not be apparent using intval().
XenoPhage, posted March 8, 2006

[quote=jesirose]Why would I do that? Doesn't that just find out if it is a number, whereas intval returns the numeric value? Can you explain the value of checking if it's a number? Thanks :)[/quote]

Well, if you're expecting a number, and someone submits a character, is_numeric will make that apparent... I generally do checks like this:

[code]
if (preg_match('/^\w+$/', $_REQUEST['variable'])) {
    $myvar = $_REQUEST['variable'];
} else {
    // Either warn the user or fall back to a "default"
}
[/code]

That would be for a text value containing any alphanumeric character including _ ... You can obviously change the regex to something else as needed.
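The two points made in this thread, rejecting bad input instead of silently coercing it with intval(), and gating text with a preg_match() whitelist, are shown below as reusable helpers, followed by the database step done with a prepared statement. This is an added example, not code posted by anyone in the thread: the helper names (read_int, read_token, find_user), the users table and the sample arrays standing in for $_GET and $_POST are all assumptions. Two details go beyond the thread: the pattern is anchored with \A and \z rather than ^ and $, because $ also matches before a trailing newline, and the mysql extension that mysql_real_escape_string() belongs to was removed in PHP 7, so the database call uses PDO.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Helper names (read_int, read_token,
// find_user), the users table and the sample arrays below are assumptions.

/**
 * Validating integer read for things like ?id=42.
 * intval() quietly turns "12abc" into 12 and "abc" into 0; this helper
 * returns null for anything that is not a plain decimal integer in range,
 * so the caller can refuse the request instead of acting on a coerced value.
 */
function read_int(array $source, string $key, int $min = 1, int $max = PHP_INT_MAX): ?int
{
    $raw = $source[$key] ?? null;
    if (!is_string($raw)) {                 // missing, or an array from ?id[]=1
        return null;
    }
    // FILTER_VALIDATE_INT accepts an optional sign and decimal digits only
    // (no leading zeros, no "1e3", no "1.0") and enforces the range.
    return filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
        'flags'   => FILTER_NULL_ON_FAILURE,
    ]);
}

/**
 * Whitelist read for a short text token, the preg_match() approach from the
 * thread, with two details that matter when the pattern is used as a gate:
 *  - \A and \z anchor to the true start and end of the string, whereas $
 *    also matches before a final "\n", so '/^\w+$/' would accept "admin\n";
 *  - without the /u modifier, \w matches ASCII letters, digits and underscore,
 *    which is what you want for identifiers and slugs.
 */
function read_token(
    array $source,
    string $key,
    string $pattern = '/\A\w{1,64}\z/',
    ?string $default = null
): ?string {
    $raw = $source[$key] ?? null;
    if (!is_string($raw) || preg_match($pattern, $raw) !== 1) {
        return $default;                    // warn the user or fall back, as the thread says
    }
    return $raw;
}

/**
 * Database step. A prepared statement keeps the value out of the SQL text
 * entirely, so there is no escaping call that can be forgotten or applied
 * to the wrong value. Assumes a users(id, username) table.
 */
function find_user(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample input standing in for $_GET and $_POST.
$get  = ['id' => '12abc', 'page' => '3', 'list' => ['1']];
$post = ['username' => "alice\n", 'slug' => 'hello_world'];

// Coercion versus validation on the same raw values.
var_dump(intval($get['id']), read_int($get, 'id'), read_int($get, 'page'), read_int($get, 'list'));

// The trailing newline is rejected by the \z anchor; the clean slug passes unchanged.
var_dump(read_token($post, 'username'), read_token($post, 'slug'));

// With a real connection, only a validated id reaches the query:
// $id = read_int($get, 'page');
// if ($id !== null) { $user = find_user(new PDO($dsn, $dbUser, $dbPass), $id); }
```

Running this, intval() gives 12 for "12abc" while read_int() gives null for "12abc", null for the array value and 3 for "3"; read_token() returns null for "alice\n" and "hello_world" for the slug. That visible failure is exactly the advantage lessthanthree describes: a bad submission becomes an error you can log or report rather than a zero that looks like a legitimate id. strip_tags() at input time is the wrong layer for HTML concerns; keep the stored value as submitted and escape with htmlspecialchars() when it is rendered.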
Jessica (Author), posted March 8, 2006

[quote=lessthanthree]The only real advantage it has over intval is that if you are definitely expecting a number you can use something like

[code]
if (!is_numeric($_GET["id"])) {
    // print some kind of error
}
[/code]

which can quite often be useful.[/quote]

Okay great, thanks :) I will remember that one.