PHP Server Side Scripting Forum

Cleaning input
FromBelgium




msg:3688767
 7:41 pm on Jul 2, 2008 (gmt 0)

I found the code below on WebmasterWorld, but it is not clear to me whether this code cleans all input (and do I put it before $input = $_GET['input']?) or whether I have to apply the function to each input myself (for example Clean($_GET['input']))?

function Clean($string) {
    if (get_magic_quotes_gpc()) {
        return $string;
    } else {
        return mysql_real_escape_string($string);
    }
    $string = trim($string);
    $string = safeEscapeString($string);
    $string = htmlentities($string);
    return $string;
}

foreach ($_POST as $name1 => $value) {
    $_POST[$name1] = Clean($value);
}
foreach ($_GET as $name1 => $value) {
    $_GET[$name1] = Clean($value);
}
foreach ($_COOKIE as $name1 => $value) {
    $_COOKIE[$name1] = Clean($value);
}
foreach ($_REQUEST as $name1 => $value) {
    $_REQUEST[$name1] = Clean($value);
}

 

rob7591




msg:3688831
 8:38 pm on Jul 2, 2008 (gmt 0)

I don't see how that function is doing anything after the first if statement. Because it's going to return something no matter what and the rest of the code is going to be ignored.

I think I would do this:

function clean($s) {
    if (get_magic_quotes_gpc()) {
        $s = stripslashes($s);
    }
    return mysql_real_escape_string($s);
}

And you can use this like you said,

clean($_GET['input']);

PHP_Chimp




msg:3689158
 5:02 am on Jul 3, 2008 (gmt 0)

Also, magic_quotes is no substitute for mysql_real_escape_string: magic_quotes is not multibyte safe, so it can easily be bypassed, whereas mysql_real_escape_string is multibyte safe.

So magic_quotes is a last resort, not your first.

mysql_real_escape_string is the better method; it also doesn't lead to having to strip slashes on all of your output.
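The multibyte bypass PHP_Chimp refers to can be shown without a database. The following is an added example, not code from the thread: addslashes() (which is what magic_quotes applies) puts a backslash before the quote, but if the connection charset is GBK the byte pair 0xBF 0x5C decodes as one two-byte character and the quote that follows is left unescaped. The safe path is to let the driver escape with the connection's charset (set with mysqli_set_charset, not with a SET NAMES query the client library cannot see), or better, to bind the value with a prepared statement. The find_user() helper, its users table and the mysqli connection it takes are assumptions for illustration; only the offline part runs here.

```php
<?php
// Added example, not from the thread. Shows why addslashes()/magic_quotes
// escaping is not multibyte safe, and what to do instead.
declare(strict_types=1);

// Constructed attacker payload: a high byte followed by a single quote.
const PAYLOAD = "\xbf'";

// How many characters the escaped bytes are, when read as GBK.
function gbk_char_count(string $bytes): int {
    return mb_strlen($bytes, 'GBK');
}

function explain(): array {
    $escaped = addslashes(PAYLOAD);                   // bytes: bf 5c 27
    return [
        'escaped_hex'   => bin2hex($escaped),
        // Read byte by byte: high byte, backslash, quote (quote is escaped).
        'latin1_chars'  => strlen($escaped),          // 3
        // Read as GBK: 0xBF5C is one CJK character, then a bare quote.
        'gbk_chars'     => gbk_char_count($escaped),  // 2
        'quote_is_bare' => mb_substr($escaped, -1, 1, 'GBK') === "'",
    ];
}

// Correct approach: keep data out of the SQL string entirely. The driver
// knows the connection charset, so no string-level escaping is involved.
// Assumes a live mysqli connection on which set_charset() was already called.
function find_user(mysqli $db, string $name): ?array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($id, $uname);
    return $stmt->fetch() ? ['id' => $id, 'name' => $uname] : null;
}

print_r(explain());
// explain() returns gbk_chars => 2 and quote_is_bare => true: under GBK the
// backslash has been swallowed into a multibyte character.
```

The same holds for mysql_real_escape_string if the server charset was changed with a plain `SET NAMES` query: the client library still escapes with the charset it was told at connect time, so always set the charset through the API, and prefer prepared statements where the driver supports them.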

dreamcatcher




msg:3689224
 7:39 am on Jul 3, 2008 (gmt 0)

Also, so long as your array isn't recursive, you don't need a foreach loop:

$_POST = array_map('Clean', $_POST);

If it's recursive you'll need a custom function.

dc

FromBelgium




msg:3689254
 8:26 am on Jul 3, 2008 (gmt 0)

Thanks for your advice!
With "return mysql_real_escape_string($s)" I get error:
Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock'

I want to clean a variable of a query (no MySQL involved). For example link.php?input=value

rob7591




msg:3689347
 1:20 pm on Jul 3, 2008 (gmt 0)

What is the variable being used for?

If you just want to get rid of the \' ,

to clean it you would just do stripslashes($_GET['q']).

eelixduppy




msg:3689736
 5:51 pm on Jul 3, 2008 (gmt 0)

If you are going to use the function above, you should pass the link variable to it by reference like the following:

function clean($s, &$link) {
    if (get_magic_quotes_gpc()) {
        $s = stripslashes($s);
    }
    return mysql_real_escape_string($s, $link);
}

This should work properly :)

FromBelgium




msg:3689784
 6:42 pm on Jul 3, 2008 (gmt 0)

The function mysql_real_escape_string only works when the database connection is open; otherwise I get the error "Can't connect to local MySQL server through socket". So how do I sanitize input on pages without a database? The variable is part of the dynamic URL and is required to build HTML code, depending on the value of the variable.
Will $string = htmlentities($_GET['string']) be enough?

I got a message from my host that my variable was exploited by a spammer.

NomikOS




msg:3689803
 7:09 pm on Jul 3, 2008 (gmt 0)

Receiving unexpected strings from $_GET is bad for business.
If you can collate it against a set of expected strings, then htmlentities or htmlspecialchars could be enough.

If you want to save it on db try something like this:

# clean GET!
# ----------
$_SERVER['REQUEST_URI'] = str_replace("'", '', $_SERVER['REQUEST_URI']);

spammers are the worst >:O
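The two points made in the last few posts, collate the GET value against the set of values the page actually handles and escape for the HTML context at output time, put together as an added example (not code from the thread). The parameter names `input` and `q`, the whitelist values, and the function names are assumptions; the vulnerable version is shown alongside the hardened one so the difference is visible on the same attacker input.

```php
<?php
// Added example, not from the thread. Handles a GET parameter that is used
// to build HTML (link.php?input=value) without any database involved.
declare(strict_types=1);

// Constructed whitelist: the only section names this page is designed for.
const ALLOWED_SECTIONS = ['home', 'news', 'contact'];

// Vulnerable pattern: raw GET value inserted straight into markup.
function render_vulnerable(array $get): string {
    $input = $get['input'] ?? '';
    return "<a href=\"link.php?input=$input\">$input</a>";
}

// Step 1: collate against expected values; anything else becomes the default.
function choose_section(array $get): string {
    $input = $get['input'] ?? '';
    return in_array($input, ALLOWED_SECTIONS, true) ? $input : 'home';
}

// Step 2: free text that must be echoed (a search term, say) is escaped for
// the HTML context at output time, with quotes covered and the charset stated.
function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hardened(array $get): string {
    $section = choose_section($get);
    $q = is_string($get['q'] ?? null) ? $get['q'] : '';
    // The URL query and the HTML attribute are different contexts and each
    // gets its own encoding: rawurlencode for the URL, html() for the markup.
    $href = 'link.php?input=' . rawurlencode($section) . '&q=' . rawurlencode($q);
    return '<a href="' . html($href) . '">' . html($section) . '</a>'
         . ' <span>' . html($q) . '</span>';
}

// Constructed attacker input of the kind a spammer would send.
$attack = [
    'input' => '"><script>alert(1)</script>',
    'q'     => "O'Reilly <b>x</b>",
];

echo render_vulnerable($attack), "\n"; // the script tag lands in the page
echo render_hardened($attack), "\n";   // default section, inert text
```

Note that nothing here modifies $_GET in place: the raw value is kept, and the encoding is chosen where the value is used. A value written into a URL, an HTML attribute, element text or a SQL statement needs a different encoding in each case, which is why a single global "clean everything" loop cannot be correct for all of them.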

System



msg:3694442
 2:47 pm on Jul 9, 2008 (gmt 0)

The following 2 messages were cut out to new thread by eelixduppy. New thread at: php/3694440.htm [webmasterworld.com]
11:12 am on July 9, 2008 (est -4)

tomda




msg:3694488
 3:42 pm on Jul 9, 2008 (gmt 0)

This is my function to clean a variable for a MySQL query (with explanation for NeilsPHP):

function clean_sql($varia) {
    // REMOVE BLANK SPACE
    $varia = rtrim($varia);
    $varia = ltrim($varia);
    // REMOVE HTML TAGS
    $varia = strip_tags($varia);
    // CHECK IF MAGIC_QUOTES IS ON AND STRIP SLASHES ACCORDINGLY
    if (get_magic_quotes_gpc()) { $varia = stripslashes($varia); }
    // CLEAN SPECIFICALLY FOR MYSQL QUERY
    $varia = mysql_escape_string($varia);
    return $varia;
}

If your variable is not used for a MySQL query but is shown in your HTML webpage, then a simple function with htmlentities would be better:

function clean($varia) {
    $varia = rtrim($varia);
    $varia = ltrim($varia);
    // CHANGE SPECIAL CHARACTERS INTO HTML ENTITIES
    $varia = htmlentities($varia, ENT_QUOTES);
    $varia = str_replace("\n", "<br>", $varia);
    if (get_magic_quotes_gpc()) { $varia = stripslashes($varia); }
    return $varia;
}

Note that I work in a UTF-8 environment. If you have many issues with special characters, make sure that you are in a hassle-free UTF-8 environment (configure the default charset in php.ini, httpd.conf, Apache, MySQL, etc.).

@NeilsPHP

First, you must be sure that text entered into your form has the correct encoding:
<form accept-charset="utf-8" ...

Then, if you know what your variables are (integer, string, email address, etc.), you must always check them before anything else. Below, rowstart must be a number, and if that check fails a default value is assigned.

if (isset($_GET["rowstart"]) AND $_GET["rowstart"] != "") {
    $rowstart = $_GET["rowstart"];
    if (!is_numeric($rowstart)) { $rowstart = "0"; }
} else {
    $rowstart = "0";
}

Regarding the file upload issues, just read [webmasterworld.com...] . You'll see that it is slightly different because your file variables are stored in an array - $_FILES["uploaded_file"]

FromBelgium said
"I want to clean a variable of a query (no MySQL involved). For example link.php?input=value"

This is contradictory - do you want to clean a value returned by a MySQL query, or just clean a GET/POST variable?
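The advice above to check each variable against its expected type before doing anything else, carried through for three kinds of parameter, as an added example (not code from the thread). `rowstart` and the `accept-charset` form attribute come from the post; the `email` and `title` parameters, the bounds, the defaults and the helper names are assumptions. The example goes beyond the post's is_numeric() check by using filter_var(), which rejects non-integers, out-of-range values and array-valued parameters, and by verifying the UTF-8 encoding the form is expected to send.

```php
<?php
// Added example, not from the thread: validate each request parameter by its
// expected type and reject or default, rather than "cleaning" it.
declare(strict_types=1);

// Integer in a bounded range, with a default when missing or malformed.
// filter_var() also returns false for array input such as rowstart[]=1.
function param_int(array $src, string $key, int $default, int $min, int $max): int {
    $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? $default : $v;
}

// Email: syntactic validation only. Returns null instead of a "repaired"
// string, because there is no safe way to fix up a bad address.
function param_email(array $src, string $key): ?string {
    $v = $src[$key] ?? '';
    if (!is_string($v)) {
        return null;
    }
    $v = filter_var($v, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

// Free text: accept-charset="utf-8" asks the browser for UTF-8 but does not
// enforce it, so check the encoding here, then trim and cap the length.
// The value is kept raw; it is escaped later for whichever context uses it.
function param_text(array $src, string $key, int $maxLen): ?string {
    $v = $src[$key] ?? '';
    if (!is_string($v) || !mb_check_encoding($v, 'UTF-8')) {
        return null;
    }
    $v = trim($v);
    return mb_strlen($v, 'UTF-8') <= $maxLen ? $v : null;
}

// Constructed requests: one well-formed, one hostile.
$ok  = ['rowstart' => '20', 'email' => 'a@example.com', 'title' => 'héllo'];
$bad = [
    'rowstart' => "20' OR 1=1 -- ",
    'email'    => 'nope',
    'title'    => "\xff\xfe not utf-8",
];

var_dump(param_int($ok,  'rowstart', 0, 0, 100000)); // int(20)
var_dump(param_int($bad, 'rowstart', 0, 0, 100000)); // int(0), default
var_dump(param_email($ok,  'email'));                // string "a@example.com"
var_dump(param_email($bad, 'email'));                // NULL
var_dump(param_text($ok,  'title', 100));            // string "héllo"
var_dump(param_text($bad, 'title', 100));            // NULL
```

Once a value has passed a check like this it still needs the encoding appropriate to where it goes: an integer can be interpolated into a query as-is, but text destined for SQL belongs in a bound parameter and text destined for HTML goes through htmlspecialchars at output time.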

NeilsPHP




msg:3694765
 8:01 pm on Jul 9, 2008 (gmt 0)

One question here,
mysql_escape_string OR mysql_real_escape_string ?

Also, can I use one function modified (using all relevant commands from above) for BOTH purposes?

eelixduppy




msg:3695113
 3:39 am on Jul 10, 2008 (gmt 0)

You'd want to use mysql_real_escape_string where you can. This takes into account the charset for the database connection that you are using.

© Webmaster World 1996-2014 all rights reserved