Safe Handling of User Submitted Variables

[Jessica]

Hi :) Right now I have a few functions I am using for when a user submits info, which strip out anything that could be dangerous. Is there anything else I need to add, or do they look okay as is?

Here are two of them:

[code]function safe_POST($item){
    $item = mysql_real_escape_string(strip_tags($_POST[$item]));
    return $item;
}

function safe_int_GET($item){
    $item = intval($_GET[$item]);
    return $item;
}[/code]

[XenoPhage]

[!--quoteo(post=352953:date=Mar 8 2006, 03:00 PM:name=jesirose)--][div class=\'quotetop\']QUOTE(jesirose @ Mar 8 2006, 03:00 PM) [snapback]352953[/snapback][/div][div class=\'quotemain\'][!--quotec--]
Hi :) Right now I have a few functions I am using for when a user submits info, which strip out anything that could be dangerous. Is there anything else I need to add, or do they look okay as is?

Here are two of them:

[code]function safe_POST($item){
    $item = mysql_real_escape_string(strip_tags($_POST[$item]));
    return $item;
}

function safe_int_GET($item){
    $item = intval($_GET[$item]);
    return $item;
}[/code]
[/quote]

Well, that's one way to do it.. You can also use preg_match() to ensure that the data is exactly what you're looking for. Then wrap it from there if you need to insert it into a database.

[lessthanthree]

just to add.

If you're expecting numbers as well as using intval you could use is_numeric()

[Jessica]

[!--quoteo(post=353011:date=Mar 8 2006, 03:36 PM:name=lessthanthree)--][div class=\'quotetop\']QUOTE(lessthanthree @ Mar 8 2006, 03:36 PM) [snapback]353011[/snapback][/div][div class=\'quotemain\'][!--quotec--]
just to add.

If you're expecting numbers as well as using intval you could use is_numeric()
[/quote]

Why would I do that? Doesn't that just find out if it is a number, wheras intval returns the numeric value? Can you explain the value of checking if it's a number? Thanks :)

[lessthanthree]

The only real advantage it has over intval is that if you are definitely expecting a number you can use something like

if(!is_numeric($_GET["id"]) //print some kind of error.

Which can quite often be useful as it is therefore obvious that characters have been submitted. This would not be apparent using intval()

[XenoPhage]

[!--quoteo(post=353016:date=Mar 8 2006, 04:40 PM:name=jesirose)--][div class=\'quotetop\']QUOTE(jesirose @ Mar 8 2006, 04:40 PM) [snapback]353016[/snapback][/div][div class=\'quotemain\'][!--quotec--]
Why would I do that? Doesn't that just find out if it is a number, wheras intval returns the numeric value? Can you explain the value of checking if it's a number? Thanks :)
[/quote]

Well, if you're expecting a number, and someone submits a character, is_numeric will make that apparent...

I generally do checks like this :

[code]
if (preg_match('/^\w+$/', $_REQUEST['variable'])) {
   $myvar = $_REQUEST['variable'];
} else {
   // Either warn the user or fall back to a "default"
}
[/code]

That would be for a text value containing any alphanumeric character including _ ... You can obviously change the regex to something else as needed.

[Jessica]

[!--quoteo(post=353022:date=Mar 8 2006, 03:44 PM:name=lessthanthree)--][div class=\'quotetop\']QUOTE(lessthanthree @ Mar 8 2006, 03:44 PM) [snapback]353022[/snapback][/div][div class=\'quotemain\'][!--quotec--]
The only real advantage it has over intval is that if you are definitely expecting a number you can use something like

if(!is_numeric($_GET["id"]) //print some kind of error.

Which can quite often be useful.
[/quote]

Okay great, thanks :) I will remember that one.