
Safe Handling of User Submitted Variables


Jessica


Hi :) Right now I have a few functions I am using for when a user submits info, which strip out anything that could be dangerous. Is there anything else I need to add, or do they look okay as is?

Here are two of them:

[code]// Escape a POST field for use in a MySQL query (needs an open mysql_* connection).
// Missing fields become an empty string instead of raising an undefined-index notice.
function safe_POST($item){
    $value = isset($_POST[$item]) ? $_POST[$item] : '';
    $item = mysql_real_escape_string(strip_tags($value));
    return $item;
}

// Coerce a GET field to an integer; missing or non-numeric input becomes 0.
function safe_int_GET($item){
    $item = isset($_GET[$item]) ? intval($_GET[$item]) : 0;
    return $item;
}[/code]
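The helpers in the post escape the value for the query and strip tags on the way in. As an added example, not code from the thread, here are the same two helpers written the way a current PHP application would handle them: the integer is validated with filter_var() rather than coerced, the string is kept exactly as submitted, the insert goes through a PDO prepared statement so no escaping is needed, and HTML encoding happens at output. The PDO DSN, the credentials, the users table and its username column are placeholders.

```php
<?php
// Added example, not code from the thread. Assumes PDO with a MySQL driver; the DSN,
// credentials, the "users" table and its "username" column are placeholders.

// Fetch a POST field, or null if it was not sent as a plain string. Checking
// is_string() matters because name[]=x arrives as an array, which the escaping
// functions do not handle.
function post_field(string $name): ?string
{
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        return null;
    }
    return $_POST[$name];
}

// Fetch a GET field that must be a whole number. FILTER_VALIDATE_INT rejects
// "12abc", "1.5" and "" instead of silently coercing them the way intval() does,
// so a bad value is visible to the caller as null.
function get_int_field(string $name): ?int
{
    if (!isset($_GET[$name]) || !is_string($_GET[$name])) {
        return null;
    }
    $value = filter_var($_GET[$name], FILTER_VALIDATE_INT);
    return ($value === false) ? null : $value;
}

// Storing: a prepared statement keeps the value out of the SQL text, so no
// escaping is applied and the data is stored exactly as the user submitted it.
function save_username(PDO $pdo, string $username): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username) VALUES (:username)');
    $stmt->execute([':username' => $username]);
}

// Displaying: encode for HTML at the point of output rather than stripping tags
// on input, which would alter the stored data.
function render_username(string $username): string
{
    return htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage with placeholder connection details:
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
$name = post_field('username');
$page = get_int_field('page');
if ($name === null || $name === '' || $page === null) {
    http_response_code(400);
    exit('missing or invalid input');
}
save_username($pdo, $name);
echo '<p>Saved ' . render_username($name) . '</p>';
```

The split into three places (validate on input, parameterise on storage, encode on output) is what makes each step checkable on its own: a value that reaches save_username() cannot change the SQL, and a value that reaches render_username() cannot become markup, regardless of what it contains.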

[quote=jesirose @ Mar 8 2006, 03:00 PM]
Hi :) Right now I have a few functions I am using for when a user submits info, which strip out anything that could be dangerous. Is there anything else I need to add, or do they look okay as is?

Here are two of them:

[code]// Escape a POST field for use in a MySQL query (needs an open mysql_* connection).
// Missing fields become an empty string instead of raising an undefined-index notice.
function safe_POST($item){
    $value = isset($_POST[$item]) ? $_POST[$item] : '';
    $item = mysql_real_escape_string(strip_tags($value));
    return $item;
}

// Coerce a GET field to an integer; missing or non-numeric input becomes 0.
function safe_int_GET($item){
    $item = isset($_GET[$item]) ? intval($_GET[$item]) : 0;
    return $item;
}[/code]
[/quote]

Well, that's one way to do it.. You can also use preg_match() to ensure that the data is exactly what you're looking for. Then wrap it from there if you need to insert it into a database.

[quote=lessthanthree @ Mar 8 2006, 03:36 PM]
just to add.

If you're expecting numbers as well as using intval you could use is_numeric()
[/quote]

Why would I do that? Doesn't that just find out if it is a number, whereas intval returns the numeric value? Can you explain the value of checking if it's a number? Thanks :)

The only real advantage it has over intval is that if you are definitely expecting a number you can use something like

[code]if(!is_numeric($_GET["id"])) {
    // print some kind of error.
}[/code]

Which can quite often be useful as it is therefore obvious that characters have been submitted. This would not be apparent using intval().

[quote=jesirose @ Mar 8 2006, 04:40 PM]
Why would I do that? Doesn't that just find out if it is a number, wheras intval returns the numeric value? Can you explain the value of checking if it's a number? Thanks :)
[/quote]

Well, if you're expecting a number, and someone submits a character, is_numeric will make that apparent...

I generally do checks like this :

[code]
if (preg_match('/^\w+$/', $_REQUEST['variable'])) {
   $myvar = $_REQUEST['variable'];
} else {
   // Either warn the user or fall back to a "default"
}
[/code]

That would be for a text value containing any alphanumeric character including _ ... You can obviously change the regex to something else as needed.
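An added example (not from the thread) that ties the is_numeric()/intval() discussion above to the preg_match() whitelist in this post: one validator that accepts a field only when the whole value matches the pattern for its kind, run over constructed request data standing in for $_GET and $_POST. The field kinds, the patterns and the sample values are assumptions for illustration; the pattern for 'word' is the one from the post.

```php
<?php
// Added example, not code from the thread. FIELD_PATTERNS, validated() and the
// $request data are constructed for illustration.

// One anchored pattern per kind of field. ^...$ with the D modifier (so $ does
// not also match just before a trailing newline) means the WHOLE value must match.
const FIELD_PATTERNS = [
    'id'       => '/^[1-9][0-9]{0,9}$/D',      // positive integer, no leading zeros
    'word'     => '/^\w{1,32}$/D',             // alphanumeric and underscore, as in the post
    'username' => '/^[a-z][a-z0-9_]{2,15}$/D',
];

// Returns the value unchanged if it matches the pattern for $kind, otherwise
// $default. Rejecting (rather than stripping or coercing) keeps what happened
// obvious: either the value was exactly what we expected, or it was not accepted.
function validated(array $source, string $name, string $kind, ?string $default = null): ?string
{
    if (!isset(FIELD_PATTERNS[$kind])) {
        throw new InvalidArgumentException("unknown field kind: $kind");
    }
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return $default;   // missing, or sent as an array via name[]=...
    }
    return preg_match(FIELD_PATTERNS[$kind], $source[$name]) === 1
        ? $source[$name]
        : $default;
}

// Constructed request data standing in for $_GET / $_POST.
$request = [
    'id'   => '12abc',   // a number with characters appended
    'page' => '3',
    'user' => 'alice_01',
    'tag'  => "ok\n",    // trailing newline, caught only because of the D modifier
];

// intval() coerces silently, is_numeric() only reports, the validator rejects.
var_dump(intval($request['id']));
var_dump(is_numeric($request['id']));
var_dump(validated($request, 'id', 'id'));
var_dump(validated($request, 'page', 'id'));
var_dump(validated($request, 'user', 'username'));
var_dump(validated($request, 'tag', 'word'));
var_dump(validated($request, 'missing', 'word', 'x'));

// Caveat on is_numeric(): it also accepts "1e3", "0.5" and leading whitespace,
// so for an integer id prefer ctype_digit(), FILTER_VALIDATE_INT or a pattern
// like the 'id' entry above to is_numeric() on its own.
```

Running it shows the three behaviours side by side: intval() turns '12abc' into 12 with no indication anything was dropped, is_numeric() reports it as not a number, and validated() returns null so the caller can warn or fall back to a default, exactly the choice the post leaves open in its else branch.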

[quote=lessthanthree @ Mar 8 2006, 03:44 PM]
The only real advantage it has over intval is that if you are definitely expecting a number you can use something like

[code]if(!is_numeric($_GET["id"])) {
    // print some kind of error.
}[/code]

Which can quite often be useful.
[/quote]

Okay great, thanks :) I will remember that one.