function to sanitise user input

Does anyone have a one-size-fits all function?


ashishp

4:40 pm on Sep 13, 2006 (gmt 0)

10+ Year Member



Hi,

I have seen a lot of threads offering various tips to sanitise user input. Has anyone ever compiled a generic or one-size-fits-all function that can be called on $_POST, $_GET, etc. to sanitise the user input for use in processing form input, SQL etc.?

Thanks in advance...

-- AP

eelixduppy

7:21 pm on Sep 13, 2006 (gmt 0)



When using vars within a SQL query you must use mysql_real_escape_string [us3.php.net]. An example:

$query = "SELECT * FROM users where Uname = '".mysql_real_escape_string($_POST['username'])."'";

Hope this explains a little. You may also want to refer to Database Security [us2.php.net] from php.net.

Good luck!
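The lookup from the reply above, written out as an added example (this is not code from the poster or from php.net). It assumes a MySQL database reachable through mysqli with placeholder credentials, a `users` table with `id` and `Uname` columns, and a server where mysqli_stmt_get_result() is available (it needs the mysqlnd driver). The first function keeps the escaping approach the reply describes; the second shows the same query as a prepared statement, where the value never becomes part of the SQL text.

```php
<?php
// Added example: the same username lookup done two ways.
// Placeholder connection details; replace with your own.
$db = mysqli_connect('localhost', 'dbuser', 'dbpass', 'appdb');
if ($db === false) {
    die('connection failed');
}

// 1. Escaping, as in the reply above. The mysql_* extension was removed in
//    PHP 7, so mysqli_real_escape_string() is used here; it has the same
//    semantics and likewise needs an open connection, because the escaping
//    depends on the connection's character set. The escaped value must
//    still be placed inside quotes in the SQL string.
function find_user_escaped(mysqli $db, string $username): ?array
{
    $safe = mysqli_real_escape_string($db, $username);
    $sql  = "SELECT id, Uname FROM users WHERE Uname = '" . $safe . "'";
    $result = mysqli_query($db, $sql);
    if ($result === false) {
        return null;
    }
    $row = mysqli_fetch_assoc($result);
    return is_array($row) ? $row : null;
}

// 2. Prepared statement: the username is sent as a bound parameter, so no
//    escaping is required and there is no quote to forget.
function find_user_prepared(mysqli $db, string $username): ?array
{
    $stmt = mysqli_prepare($db, "SELECT id, Uname FROM users WHERE Uname = ?");
    if ($stmt === false) {
        return null;
    }
    mysqli_stmt_bind_param($stmt, 's', $username);
    if (!mysqli_stmt_execute($stmt)) {
        return null;
    }
    $result = mysqli_stmt_get_result($stmt);
    $row = $result === false ? null : $result->fetch_assoc();
    mysqli_stmt_close($stmt);
    return is_array($row) ? $row : null;
}

// Usage with a form field (missing field treated as empty string).
$username = $_POST['username'] ?? '';
$user = find_user_prepared($db, $username);
if ($user === null) {
    echo "no such user\n";
} else {
    echo "found user id " . (int)$user['id'] . "\n";
}
```

Both functions give the same result for ordinary input; the difference is that the escaped version is only safe while the value is quoted and the connection's character set matches what the escaping assumes, whereas the prepared version has neither dependency.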

ashishp

6:12 am on Sep 24, 2006 (gmt 0)

10+ Year Member



Thanks!

That is one aspect of the issue, however I was looking for a more generic solution which could be plugged into the form processing code, like:


function sanitize_input ($UserInput){

// replace newlines with strings
// add/remove slashes
// check and eliminate any malicious characters
// mysql_real_escape the input if required
// return the input in an optional different array

}

which could then be used in a form processing script like so:


$f_user_input = sanitize_input($_POST);

and then:

$query = $db->query("select * from database.table where username like '$f_user_input[name]'");

Essentially all the filtering and checking happens in the function.

Thanks in advance...

jatar_k

2:45 pm on Sep 24, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



I heard about this class
[phpclasses.org...]

called 'phalidate'

ahmedtheking

9:47 pm on Sep 24, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Lol! Stop being lazy and write one yourself!

I use a generic solution for my CMS. Nice and easy, but I base64 encode any data that's from the public to my DB (such as web forms) to stop SQL injection and so on!

It can be done very easily, but it's just finding the time to do it! ++ when you write it yourself, you know it inside and out, whereas if someone else writes it for you, there's always that awkwardness with knowing what to do and how to use it!

jatar_k

3:29 pm on Sep 25, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



>> Stop being lazy and write one yourself!

Well, to be honest, unless you are highly proficient with data washing I really don't think this is the best idea. The benefit of using a predefined class is that you have the advantage of someone else's vast experience.

It is very difficult for someone who isn't proficient at this to not know all the eventualities you need to code for.

I suggest that for any sanitation class/function you use, you read it to understand exactly what it is doing. I also suggest you log all failures to better analyze what data is getting denied and why.
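An added example (not code from any poster or from the phalidate class) of a function with the shape asked for earlier in the thread, one call over $_POST that returns a filtered copy, written the way the advice above suggests: every field is checked against a rule written for that field, and every rejection is logged with the field and the reason so the denied data can be analysed later. The field names and rules are illustrative. The function deliberately does not escape for SQL or HTML, because that depends on where the value is going next; the cleaned values are meant to be passed to a prepared statement or to htmlspecialchars() at the point of use.

```php
<?php
// Added example: per-field validation over a whole form with failure logging.
// $rules maps a field name to: required (bool), max (byte length),
// pattern (a preg_match() regex) and/or filter (a filter_var() constant).
function sanitize_input(array $input, array $rules): array
{
    $clean  = [];
    $errors = [];
    foreach ($rules as $field => $rule) {
        $raw = $input[$field] ?? null;
        if ($raw === null || $raw === '') {
            if (!empty($rule['required'])) {
                $errors[$field] = 'missing';
            }
            continue;
        }
        if (!is_string($raw)) {
            // e.g. name[]=x turns the field into an array; reject rather than guess
            $errors[$field] = 'wrong type';
            continue;
        }
        $value = trim($raw);
        // normalise line endings so later checks see one form
        $value = str_replace(["\r\n", "\r"], "\n", $value);
        if (isset($rule['max']) && strlen($value) > $rule['max']) {
            $errors[$field] = 'too long';
            continue;
        }
        if (isset($rule['pattern']) && !preg_match($rule['pattern'], $value)) {
            $errors[$field] = 'bad format';
            continue;
        }
        if (isset($rule['filter']) && filter_var($value, $rule['filter']) === false) {
            $errors[$field] = 'failed filter';
            continue;
        }
        $clean[$field] = $value;
    }
    foreach ($errors as $field => $why) {
        // Log what was denied and why. Only the length of the raw value is
        // logged, not the value itself, so the log cannot be used to replay
        // submitted data.
        $rawLen = is_string($input[$field] ?? null) ? strlen($input[$field]) : 0;
        error_log(sprintf('input rejected: field=%s reason=%s len=%d', $field, $why, $rawLen));
    }
    return ['clean' => $clean, 'errors' => $errors];
}

// Illustrative rule set for a sign-up form.
$rules = [
    'name'    => ['required' => true,  'max' => 32,   'pattern' => '/^[A-Za-z0-9_.-]+$/'],
    'email'   => ['required' => true,  'max' => 254,  'filter'  => FILTER_VALIDATE_EMAIL],
    'comment' => ['required' => false, 'max' => 2000],
];

$result = sanitize_input($_POST, $rules);
if ($result['errors'] !== []) {
    http_response_code(400);
    echo "form rejected: " . implode(', ', array_keys($result['errors'])) . "\n";
} else {
    // $result['clean']['name'] etc. are validated strings; bind them as
    // parameters in a prepared statement rather than interpolating them.
    echo "form accepted\n";
}
```

Because the rules live in one array, the same function serves every form in the application, and reading the function once tells you exactly what it does and does not check, which is the point made above about understanding whatever sanitisation code you rely on.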