rcorlew Posted July 9, 2007

I wrote a custom function to catch / replace all potentially harmful HTML characters while leaving others alone. I wonder if this is sufficient to stop XSS and SQL injection without having to use those built-in functions, since the function name is shorter. Here it is in a nutshell:

<?php
function cleanVars($chk_val) {
    // Characters to replace, and the HTML entity each one becomes (same index)
    $bad  = array( '"', '\'', '(', ')', '<', '>', '%3c', '<', '=' );
    $good = array( '&quot;', '&#39;', '&#40;', '&#41;', '&lt;', '&gt;', '&lt;', '&lt;', '&#61;' );
    $chk_val = stripslashes($chk_val);
    $chk_val = str_replace($bad, $good, $chk_val);
    return $chk_val;
}

$test  = $_GET["test"];
$val9  = $_POST["val9"];
$val10 = $_POST["val10"];
$test  = cleanVars($test);
if(!empty($test)) {
    $val9  = cleanVars($val9);
    $val10 = cleanVars($val10);
    echo $val9."<br />".$val10."<br />";
}
?>

I know PHP has some built-in functions, but it will replace things even when you want to leave them, so I am trying this out.
kathas Posted July 9, 2007

Quote: I know PHP has some built-in functions, but it will replace things even when you want to leave them, so I am trying this out.

Untrue... the strip_tags() function has had an allowable tags array since PHP 4.0.0, and htmlspecialchars() has some constants you might want to take into consideration... strip_tags() and htmlspecialchars(). Now, there is nothing more general or better for SQL injection prevention (in my opinion), right off the manual again:

<?php
// Undo magic_quotes first so the value is escaped exactly once
if(get_magic_quotes_gpc()) {
    if(ini_get('magic_quotes_sybase')) {
        $value = str_replace("''", "'", $_POST['value']);
    } else {
        $value = stripslashes($_POST['value']);
    }
} else {
    $value = $_POST['value'];
}
$value = mysql_real_escape_string($value);
?>
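The point kathas is making, that HTML output and SQL are two different contexts and each needs its own handling, carried through as an added example. This code is not from either post or from the PHP manual. It uses htmlspecialchars() for the HTML side, as kathas suggests, but swaps the mysql_real_escape_string() approach for PDO bound parameters, and uses an in-memory SQLite database (assumed: the pdo_sqlite extension is loaded, PHP 7.1 or later) to stand in for MySQL so it runs without a server. The function names escapeHtml and lookupUser and the sample values are constructed for this example.

```php
<?php
// Added example (not from the thread): escape for the context where the data
// lands, instead of applying one blacklist to everything.
// Assumes PHP >= 7.1 with pdo_sqlite available.

/** Escape a string for an HTML text node or a quoted attribute value. */
function escapeHtml(string $s): string
{
    // ENT_QUOTES covers both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning '' and silently dropping the whole value.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Look up a user by name with a bound parameter, no string escaping at all. */
function lookupUser(PDO $db, string $name): ?array
{
    // The SQL text is fixed; the value travels separately, so quotes or
    // comment markers in $name can never change the statement's structure.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data: SQLite in memory stands in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
foreach (["O'Reilly", 'Ann <b>Smith</b>', 'plain'] as $name) {
    // Stored as-is: the database keeps the real value, escaping happens on output.
    $insert->execute([':name' => $name]);
}

// Constructed inputs standing in for $_POST values.
$inputs = ["O'Reilly", 'Ann <b>Smith</b>', "O'Reilly' --"];
foreach ($inputs as $in) {
    $row = lookupUser($db, $in);
    $result = $row === null
        ? 'no match'
        : 'matched id ' . $row['id'] . ' (' . escapeHtml($row['name']) . ')';
    // Only the values that reach the browser are HTML-escaped.
    echo 'input: ', escapeHtml($in), ' -> ', $result, "<br />\n";
}
```

The quote in "O'Reilly" is a problem only if the value is concatenated into SQL or written raw into HTML; here it matches the stored row unchanged, and the third input simply finds no row because the apostrophe and "--" are data, not syntax. Keeping the stored value intact and escaping at output time is also what answers rcorlew's concern about built-in functions "replacing things you want to leave": nothing is altered in the database, and the HTML entities only appear in the rendered page.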