
Cleaning input

7:41 pm on Jul 2, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 14, 2004
posts:111
votes: 0


Below is code I found on WebmasterWorld, but it is not clear to me whether this code cleans all input (and do I put it before $input=$_GET['input']), or do I have to apply the function to all inputs (for example Clean($_GET['input']))?

function Clean($string){
    if (get_magic_quotes_gpc())
    {
        return $string;
    }
    else
    {
        return mysql_real_escape_string($string);
    }
    $string = trim($string);
    $string = safeEscapeString($string);
    $string = htmlentities($string);
    return $string;
}
foreach($_POST as $name1 => $value){
    $_POST[$name1] = Clean($value);
}
foreach($_GET as $name1 => $value){
    $_GET[$name1] = Clean($value);
}
foreach($_COOKIE as $name1 => $value){
    $_COOKIE[$name1] = Clean($value);
}
foreach($_REQUEST as $name1 => $value){
    $_REQUEST[$name1] = Clean($value);
}

8:38 pm on July 2, 2008 (gmt 0)

Junior Member

5+ Year Member

joined:Jan 5, 2008
posts:112
votes: 0


I don't see how that function is doing anything after the first if statement. Because it's going to return something no matter what and the rest of the code is going to be ignored.

I think I would do this:

function clean($s) {
    // Undo magic_quotes' automatic backslashes first, so the string is not escaped twice
    if (get_magic_quotes_gpc())
        $s = stripslashes($s);
    return mysql_real_escape_string($s);
}

And you can use this like you said,

clean($_GET['input']);

5:02 am on July 3, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:July 12, 2007
posts:766
votes: 0


Also, magic_quotes is no substitute for mysql_real_escape_string. magic_quotes is not multibyte safe, so it can easily be bypassed; mysql_real_escape_string, however, is multibyte safe.

So magic_quotes is a last resort, not your first.

Mysql_real_escape_string is the better method; it also doesn't lead to having to strip slashes on all of your output.

7:39 am on July 3, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member dreamcatcher is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 30, 2003
posts:3719
votes: 0


Also, so long as your array isn't recursive, you don't need a foreach loop:

$_POST = array_map('Clean', $_POST);

If it's recursive you'll need a custom function.

dc
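An added example (not code from the thread or from dreamcatcher) of the custom function needed when the request array is nested: a recursive walker that applies a scalar cleaning callback to every leaf, which array_map alone cannot do because it hands whole sub-arrays to the callback. The sample input and the trim callback are constructed for illustration; the callback should be whatever context-specific cleaning the page settles on.

```php
<?php
// Added example, not from the thread: apply a scalar callback to every leaf of a
// possibly nested request array (e.g. fields named user[tags][] in a form).
function clean_recursive($value, callable $fn)
{
    if (is_array($value)) {
        $out = [];
        foreach ($value as $k => $v) {
            $out[$k] = clean_recursive($v, $fn);
        }
        return $out;
    }
    // Leaves of $_GET/$_POST are always strings, but cast defensively.
    return $fn((string) $value);
}

// Constructed sample standing in for $_POST from a form with nested fields.
$sample = [
    'q'    => '  hello  ',
    'user' => ['name' => " O'Reilly ", 'tags' => [' php ', ' sql']],
];

// array_map('trim', $sample) would pass the whole 'user' sub-array to trim(),
// which is exactly the recursive case dreamcatcher warns about.
$trimmed = clean_recursive($sample, 'trim');
assert($trimmed['q'] === 'hello');
assert($trimmed['user']['tags'] === ['php', 'sql']);

// Drop-in replacement for the thread's foreach loops over the superglobals.
$_GET  = clean_recursive($_GET, 'trim');
$_POST = clean_recursive($_POST, 'trim');
```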

8:26 am on July 3, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 14, 2004
posts:111
votes: 0


Thanks for your advice!
With "return mysql_real_escape_string($s)" I get the error:
Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock'

I want to clean a variable of a query (no MySQL involved). For example link.php?input=value

1:20 pm on July 3, 2008 (gmt 0)

Junior Member

5+ Year Member

joined:Jan 5, 2008
posts:112
votes: 0


What is the variable being used for?

If you just wanna get rid of the: \'

To clean it you would just do stripslashes($_GET['q'])

5:51 pm on July 3, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 12, 2005
posts:5966
votes: 0


If you are going to use the function above, you should pass the link variable to it by reference like the following:

function clean($s, &$link) {
    // Undo magic_quotes' automatic backslashes before escaping for the given connection
    if (get_magic_quotes_gpc())
        $s = stripslashes($s);
    return mysql_real_escape_string($s, $link);
}

This should work properly :)

6:42 pm on July 3, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 14, 2004
posts:111
votes: 0


The function mysql_real_escape_string only works when the database is open; otherwise I get the error "Can't connect to local MySQL server through socket ". So how do I sanitize input on pages without a database? The variable is part of the dynamic URL and is required to build HTML code, depending on the value of the variable.
Will $string = htmlentities($_GET['string']) be enough?

I got a message from my host that my variable was exploited by a spammer.

7:09 pm on July 3, 2008 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 22, 2005
posts:185
votes: 0


Receiving unexpected strings from $_GET is bad for business.
If you can collate it against a set of expected strings, then htmlentities or htmlspecialchars could be enough.

If you want to save it in the db, try something like this:

# clean GET!
# ----------
$_SERVER['REQUEST_URI'] = str_replace("'", '', $_SERVER['REQUEST_URI']);

spammers are the worst >:O

System

2:47 pm on July 9, 2008 (gmt 0)

redhat



The following 2 messages were cut out to new thread by eelixduppy. New thread at: php/3694440.htm [webmasterworld.com]
11:12 am on July 9, 2008 (est -4)
3:42 pm on July 9, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 7, 2004
posts: 929
votes: 0


This is my function to clean a variable for a MySQL query (with explanation for NeilsPHP):

function clean_sql($varia) {
    // REMOVE BLANK SPACE
    $varia = rtrim($varia);
    $varia = ltrim($varia);
    // REMOVE HTML TAGS
    $varia = strip_tags($varia);
    // CHECK IF GET_MAGIC_QUOTE IS ON AND STRIP SLASH ACCORDINGLY
    if (get_magic_quotes_gpc()) { $varia = stripslashes($varia); }
    // CLEAN SPECIFICALLY FOR MYSQL QUERY
    $varia = mysql_escape_string($varia);
    return $varia;
}

If your variable is not used for a MySQL query but is shown in your HTML web page, then a simple function with htmlentities would be better:

function clean($varia) {
    $varia = rtrim($varia);
    $varia = ltrim($varia);
    // CHANGE SPECIAL CHARACTERS INTO HTML ENTITIES
    $varia = htmlentities($varia, ENT_QUOTES);
    $varia = str_replace("\n", "<br>", $varia);
    if (get_magic_quotes_gpc()) { $varia = stripslashes($varia); }
    return $varia;
}

Note that I work in a UTF-8 environment. If you have many issues with special characters, make sure that you are in a hassle-free UTF-8 environment (configure the default charset in php.ini, httpd.conf, Apache, MySQL, etc.).

@NeilsPHP

First, you must be sure that text entered into your form has the correct encoding:

<form accept-charset="utf-8" ...

Then, if you know what your variables are (integer, string, email address, etc.), you must always check them before anything else. Below, rowstart must be a number, and if the check fails, a default value is assigned.

if (isset($_GET["rowstart"]) AND $_GET["rowstart"] != "") {
    $rowstart = $_GET["rowstart"];
    // numeric() is not a PHP function; is_numeric() is the intended check
    if (!is_numeric($rowstart)) { $rowstart = "0"; }
} else {
    $rowstart = "0";
}

Regarding the file upload issues, just read [webmasterworld.com...] . You'll see that it is slightly different because your file variables are stored in an array: $_FILES["uploaded_file"]

FromBelgium said

"I want to clean a variable of a query (no MySQL involved). For example link.php?input=value"

This is contradictory: do you want to clean a value returned by a MySQL query, or just clean a GET/POST variable?

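An added example (not the thread's code) that carries the validate-then-escape advice of the two replies above through for the no-database case the original poster asked about: a numeric parameter with a default, a string parameter matched against a set of expected values, and HTML escaping applied only at the point of output. The parameter names, allowed values and sample query string are constructed.

```php
<?php
// Added example, not code from the thread. Parameter names, allowed-value lists
// and the sample query string are constructed for illustration.

// Integer parameter with a default, like the rowstart check above, but using
// ctype_digit so "12abc", "-1" and "1e3" fall back to the default instead of
// being accepted the way is_numeric would accept the last two.
function int_param(array $src, string $name, int $default): int
{
    if (!isset($src[$name]) || !is_string($src[$name]) || !ctype_digit($src[$name])) {
        return $default;
    }
    return (int) $src[$name];
}

// String parameter that must be one of a known set of expected values; anything
// else, including an array smuggled in as ?sort[]=x, falls back to the default.
function enum_param(array $src, string $name, array $allowed, string $default): string
{
    $v = $src[$name] ?? null;
    return (is_string($v) && in_array($v, $allowed, true)) ? $v : $default;
}

// Escape at the point of output, for the HTML context only.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample standing in for $_GET on link.php?rowstart=12abc&sort=date&input=...
$get = ['rowstart' => '12abc', 'sort' => 'date', 'input' => '<b>x</b>'];

$rowstart = int_param($get, 'rowstart', 0);                       // 0
$sort     = enum_param($get, 'sort', ['date', 'title'], 'date');  // 'date'
$input    = enum_param($get, 'input', ['home', 'about'], 'home'); // 'home'
assert($rowstart === 0 && $sort === 'date' && $input === 'home');

// Everything reaching the HTML has been validated or escaped; raw $_GET never is.
echo '<a href="link.php?rowstart=' . $rowstart . '&amp;sort=' . h($sort) . '">' . h($input) . "</a>\n";
```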
8:01 pm on July 9, 2008 (gmt 0)

Junior Member

5+ Year Member

joined:June 19, 2008
posts:80
votes: 0


One question here,
mysql_escape_string OR mysql_real_escape_string ?

Also, can I use a modified function (using all relevant commands from above) for BOTH purposes?

3:39 am on July 10, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Nov 12, 2005
posts:5966
votes: 0


You'd want to use mysql_real_escape_string where you can. This takes into account the charset for the database connection that you are using.