Is it safe in any way to say that the following code can be used as a method to prepare user-submitted data for submission to something like say a Database?

// HTML-encode every request value in place (one level of array nesting)
foreach($_REQUEST as $var => $value)
{
    if(is_array($_REQUEST["$var"]))
    {
        foreach($_REQUEST["$var"] as $var2 => $value2)
        {
            $_REQUEST["$var"]["$var2"] = htmlspecialchars($value2, ENT_QUOTES);
        }
    } else {
        $_REQUEST["$var"] = htmlspecialchars($value, ENT_QUOTES);
    }
}

Can one now take any of the now-processed $_REQUEST vars and play around recklessly without worrying about malicious input?

For database storage that is.

https://forums.phpfreaks.com/topic/80847-solved-a-basicgeneric-filter-system/

htmlspecialchars doesn't handle all the characters that can be used for SQL injections. htmlspecialchars is ideal for when outputting "unknown" data to the screen, which will help prevent XSS attacks.

 

you might want to look at mysql_real_escape_string() instead, as it's designed for the job at hand.

 

i have to be honest though and say that i'm not a huge fan of "blanket" operations like this, at least without keeping an original copy. this makes it a pain in the ass for making comparisons, due to extra slashes. e.g., an input of: Hello 'World' will produce something like: Hello \'World\' - meaning if you need to check the value of the necessary $_GET/$_POST var, you're gonna come unstuck:

 

// example code, but in effect your filter stuff would go here
$message = "Hello 'World'";
$_GET['message'] = mysql_real_escape_string($message); // produces Hello \'World\'

// rest of code here

// now the check: fails, because the escaped value contains backslashes
if ($_GET['message'] == "Hello 'World'") {
   echo 'match!';
}

 

I tend to escape the raw data just before putting it in the DB (mysql_real_escape_string) and also escape the raw data just before putting it to the browser (htmlspecialchars).

 

Writing a simple set of functions, or building an input class (to replace accessing $_GET/$_POST directly altogether), would be (and is) my personal preference here.
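As an added example that is not part of the original thread: the boundary-escaping approach the reply above describes, written with PDO and an in-memory SQLite table. PDO bound parameters take the place of mysql_real_escape_string() (removed in PHP 7); the table name and the sample value are constructed for this example.

```php
<?php
// Added example, not code from the thread: escape at each boundary instead of
// blanket-filtering $_REQUEST. Bound parameters handle the database side,
// htmlspecialchars() handles output. SQLite in memory is used so this runs
// offline; the table and the sample value are constructed for the example.

// Constructed sample input, standing in for $_POST['message'].
$raw = "Hello 'World' & <friends>";

// 1. Keep the raw value. Comparisons on it behave as the code expects.
$rawMatches = ($raw === "Hello 'World' & <friends>");

// For contrast, the blanket approach: escaping up front changes the value, so
// the same comparison fails. addslashes() stands in for mysql_real_escape_string()
// here (that function needs a live MySQL connection); both add backslashes
// before the quotes, which is the comparison problem described in the thread.
$blanket = addslashes($raw);
$blanketMatches = ($blanket === "Hello 'World' & <friends>");

// 2. Database boundary: bind the value, so quotes in it are data, not SQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO messages (body) VALUES (:body)');
$insert->execute([':body' => $raw]);

$select = $db->prepare('SELECT body FROM messages WHERE id = :id');
$select->execute([':id' => (int) $db->lastInsertId()]);
$stored = $select->fetchColumn();

// The value comes back exactly as submitted: nothing to strip on retrieval.
$roundTripIntact = ($stored === $raw);

// 3. Browser boundary: encode once, right before output, never before storage.
$html = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');

printf("raw comparison: %s\n", $rawMatches ? 'match' : 'no match');
printf("blanket-escaped comparison: %s\n", $blanketMatches ? 'match' : 'no match');
printf("round trip intact: %s\n", $roundTripIntact ? 'yes' : 'no');
printf("for HTML output: %s\n", $html);
```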

Points much noted...I agree on having a function/class in place for handling submitted data. Just wishing quotes didn't have to be such a prob with database which is causing extra overhead to store data (which is reasonable) AND also just to retrieve it....in mysql at least. Valuable input there thank you.
