rcorlew Posted April 14, 2007

I am trying to sanitize $_POST and $_GET variables globally to stop things like SQL injection. I have not really been able to get it to work. I have a nice way to replace the things I don't want to be posted, but I am trying to do this globally and not one value at a time. Here is the code that I have so far:

<?php
// Blacklist approach: rewrite substrings that look like SQL keywords or
// metacharacters. $string1 is the value to check and must be set beforehand.
$nonhack   = $string1;
$hackcheck = strtolower($nonhack);

// Each pattern is paired by position with the entry in $replaces below.
$patterns = array(
    '`\*`is',
    '`drop`is',
    '`\'`is',
    '`delete`is',
    '`select`is',
    '`\(`is',
    '`\)`is',
);
$replaces = array(
    '\/*\/',
    'd/odRo\/',
    'nm',
    'donot',
    'forget',
    'mlknxc',
    'mlknxc',
);

$hackcheck = preg_replace($patterns, $replaces, $hackcheck);
//echo "$hackcheck";
?>

Could I just change the $string1 to $_POST or $_GET and reset the data like $_POST = "$hackcheck"; ? That may sound kind of weird, but I am at a loss here.

Link to comment https://forums.phpfreaks.com/topic/47017-function-to-sanitize-data/
Guest prozente Posted April 14, 2007

Blacklists aren't the way to security, as there may always be something you forget or are not aware of. Whitelists are what should be used, such as using regex to validate that the user input is in the format you want. Or just properly escape any data that is passed to an SQL query. Run any user input that is displayed on the page through htmlentities to stop XSS. Never pass user input to any functions that can be used to execute PHP unless you've validated the data first. These are just the most common problems; there can be others depending on your code. The majority of security problems are due to a lack of validating user input before using it.

Link to comment https://forums.phpfreaks.com/topic/47017-function-to-sanitize-data/#findComment-229333
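The following is an added example, not code from either poster, showing the three points of the reply above applied to the "global" case asked about in the first post: a whitelist of expected fields validated with anchored regexes, a parameterised query instead of string splicing, and htmlentities at output time. The field names, patterns, table name and the fetchUserById helper are assumptions made for illustration; the sample request array is constructed in place of the live $_POST.

```php
<?php
// Added example (not from the thread). Field names, patterns, the users
// table and fetchUserById() are assumptions for illustration.

/**
 * Whitelist validation of a request array.
 * Every expected field has an anchored regex; fields not in $rules are
 * dropped, and a value that does not match is rejected, not "cleaned".
 * Returns [$clean, $errors].
 */
function validateRequest(array $input, array $rules): array
{
    $clean  = [];
    $errors = [];
    foreach ($rules as $field => $pattern) {
        if (!array_key_exists($field, $input) || !is_string($input[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        // preg_match() returns 1 only when the whole value fits the pattern.
        if (preg_match($pattern, $input[$field]) !== 1) {
            $errors[$field] = 'invalid format';
            continue;
        }
        $clean[$field] = $input[$field];
    }
    return [$clean, $errors];
}

/**
 * Look a user up by id with a prepared statement. The value is bound as a
 * parameter, so it is never interpreted as SQL.
 * Unsafe form this replaces: "SELECT ... WHERE id = " . $_GET['id']
 */
function fetchUserById(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Escape a value for HTML output (escape on the way out, not on the way in). */
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// One rule per field this script expects (assumed names and formats).
// The D modifier stops '$' matching before a trailing newline.
$rules = [
    'id'       => '/^[1-9][0-9]{0,9}$/D',                 // positive integer
    'username' => '/^[A-Za-z0-9_]{3,20}$/D',              // restricted charset
    'email'    => '/^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$/D',
];

// Constructed sample request standing in for $_POST.
$samplePost = [
    'id'       => '42',
    'username' => "o'brien",          // apostrophe is outside the whitelist
    'email'    => 'obrien@example.com',
    'debug'    => '1',                // not in $rules, so it is discarded
];

[$clean, $errors] = validateRequest($samplePost, $rules);
// $errors is ['username' => 'invalid format']; $clean holds 'id' and 'email'.

foreach ($errors as $field => $why) {
    echo 'Rejected field ' . h($field) . ': ' . h($why) . "\n";
}

// With a real connection, e.g. new PDO('mysql:host=localhost;dbname=app', ...),
// the validated id would be used like this:
// $user = fetchUserById($pdo, (int) $clean['id']);

foreach ($clean as $field => $value) {
    echo '<p>' . h($field) . ': ' . h($value) . "</p>\n";
}
```

The point of validateRequest() is that it answers the "global" question without a blacklist: the loop is driven by the list of fields the script expects, so anything unexpected never reaches the rest of the code, and a value that fails its format is refused rather than rewritten. Escaping is left to the sink (bound parameters for SQL, htmlentities for HTML) because the right escaping depends on where the value ends up, not on where it came from.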