
Cleaning input

     
7:41 pm on Jul 2, 2008 (gmt 0)

10+ Year Member



The code below I found on WebmasterWorld, but it is not clear to me if this code cleans all input (and do I put it before $input=$_GET['input']?) or do I have to apply the function to all inputs (for example Clean($_GET['input']))?

function Clean($string){
    if (get_magic_quotes_gpc())
    {
        return $string;
    }
    else
    {
        return mysql_real_escape_string($string);
    }
    // Nothing below this line is ever reached: both branches above return.
    $string = trim($string);
    $string = safeEscapeString($string);
    $string = htmlentities($string);
    return $string;
}
foreach($_POST as $name1 => $value){
    $_POST[$name1] = Clean($value);
}
foreach($_GET as $name1 => $value){
    $_GET[$name1] = Clean($value);
}
foreach($_COOKIE as $name1 => $value){
    $_COOKIE[$name1] = Clean($value);
}
foreach($_REQUEST as $name1 => $value){
    $_REQUEST[$name1] = Clean($value);
}

8:38 pm on Jul 2, 2008 (gmt 0)

5+ Year Member



I don't see how that function is doing anything after the first if statement. Because it's going to return something no matter what and the rest of the code is going to be ignored.

I think I would do this:

function clean($s) {
    // Undo magic_quotes first so the value is not escaped twice.
    if (get_magic_quotes_gpc())
        $s = stripslashes($s);
    return mysql_real_escape_string($s);
}

And you can use this like you said,

clean($_GET['input']);

5:02 am on Jul 3, 2008 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Also, magic_quotes is no substitute for mysql_real_escape_string. Since magic_quotes is not multibyte safe, it can easily be bypassed, whereas mysql_real_escape_string is multibyte safe.

So magic_quotes is a last resort, not your first.

mysql_real_escape_string is the better method; it also doesn't lead to having to strip slashes on all of your output.

7:39 am on Jul 3, 2008 (gmt 0)

WebmasterWorld Senior Member dreamcatcher is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Also, so long as your array isn't recursive, you don't need a foreach loop:

$_POST = array_map('Clean', $_POST);

If it's recursive you'll need a custom function.

dc
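A recursive version of the array_map approach, as an added example that is not dreamcatcher's own code. array_map('Clean', $_POST) hands a nested sub-array (from input named like tags[]) to the callback as a whole, which a string function such as mysql_real_escape_string cannot handle; the walker below descends into arrays and applies the callback only to leaf values. The sample array and the HTML-encoding callback are constructed for the example; which callback fits depends on where the value ends up (SQL, HTML, URL).

```php
<?php
// Added example: apply a sanitizing callback to every leaf of a nested
// request array. array_map() only touches the top level, so for
// tags[]=a&tags[]=b style input it would pass an array to the callback.
function clean_recursive(array $input, callable $fn): array
{
    $out = [];
    foreach ($input as $key => $value) {
        $out[$key] = is_array($value)
            ? clean_recursive($value, $fn)   // descend into nested arrays
            : $fn((string) $value);          // apply callback to leaf values
    }
    return $out;
}

// Constructed sample standing in for $_POST; the "tags" key is nested.
$sample = [
    'title' => "  O'Reilly <b>books</b> ",
    'tags'  => ['php', "it's"],
];

// Example callback (assumption): trim and encode for an HTML text/attribute
// context. For a SQL context you would bind or escape with the DB link instead.
$forHtml = function (string $s): string {
    return htmlspecialchars(trim($s), ENT_QUOTES, 'UTF-8');
};

$cleaned = clean_recursive($sample, $forHtml);
var_dump($cleaned);
```

The original request array is left untouched and the cleaned copy is returned, so the raw value is still available if a different context (a log line, a URL) needs a different encoding.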

8:26 am on Jul 3, 2008 (gmt 0)

10+ Year Member



Thanks for your advice!
With "return mysql_real_escape_string($s)" I get error:
Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock'

I want to clean a variable of a query (no MySQL involved). For example link.php?input=value

1:20 pm on Jul 3, 2008 (gmt 0)

5+ Year Member



What is the variable being used for?

If you just wanna get rid of the: \'

To clean it you just would do stripslashes($_GET['q'])

5:51 pm on Jul 3, 2008 (gmt 0)

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 5+ Year Member



If you are going to use the function above, you should pass the link variable to it by reference like the following:

function clean($s, &$link) {
    if (get_magic_quotes_gpc())
        $s = stripslashes($s);
    // The link identifier selects the connection whose charset is used for escaping.
    return mysql_real_escape_string($s, $link);
}

This should work properly :)

6:42 pm on Jul 3, 2008 (gmt 0)

10+ Year Member



The function mysql_real_escape_string only works when the database is open; otherwise I get the error "Can't connect to local MySQL server through socket". So how do I sanitize input on pages without a database? The variable is part of the dynamic URL and is required to build HTML code, depending on the value of the variable.
Will $string = htmlentities($_GET['string']) be enough?

I got a message from my host that my variable was exploited by a spammer.

7:09 pm on Jul 3, 2008 (gmt 0)

10+ Year Member



Receiving unexpected strings from $_GET is bad for business.
If you can check it against a set of expected strings, then htmlentities or htmlspecialchars could be enough.

If you want to save it on db try something like this:

# clean GET!
# ----------
$_SERVER['REQUEST_URI'] = str_replace("'", '', $_SERVER['REQUEST_URI']);

spammers are the worst >:O
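The "check it against a set of expected strings, then htmlentities or htmlspecialchars" approach, worked through as an added example for the original poster's link.php?input=value case; this is not code from the thread. The parameter name "input", the allowed page names and the slug pattern are assumptions, and the sample values are constructed. It also covers the case the post does not: a value that cannot be enumerated, where the shape is constrained with a pattern instead of a list.

```php
<?php
// Added example (not from the thread): an allow-list check for a GET value
// that builds HTML on a page with no database, followed by encoding for the
// HTML context. Parameter name, allowed pages and slug pattern are assumptions.

const ALLOWED_PAGES = ['home', 'about', 'contact'];

// Fixed set of expected strings: anything else falls back to the default.
function page_param(?string $raw, string $default = 'home'): string
{
    return ($raw !== null && in_array($raw, ALLOWED_PAGES, true)) ? $raw : $default;
}

// Free-form values that cannot be enumerated: constrain the shape instead.
function slug_param(?string $raw, string $default = ''): string
{
    return ($raw !== null && preg_match('/^[a-z0-9-]{1,32}$/', $raw) === 1) ? $raw : $default;
}

// Encode at the point of output; ENT_QUOTES covers both quote styles so the
// value is safe inside a double- or single-quoted attribute and in text.
function render_link(string $page, string $label): string
{
    return '<a href="link.php?input=' . rawurlencode($page) . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed inputs standing in for $_GET['input'].
$samples = ['about', '<script>alert(1)</script>', "x\" onmouseover=\"alert(1)", null];
foreach ($samples as $raw) {
    $page = page_param($raw);
    echo render_link($page, ucfirst($page)), "\n";
}

// Even a value that passed slug_param() is still encoded before output,
// so validation and encoding are two independent layers.
$slug = slug_param('summer-sale-2008');
echo render_link('home', $slug), "\n";
```

The hostile samples never reach the HTML builder: they are replaced by the default page before any encoding happens, and the encoding step remains in place for the values that do pass, which is what keeps the two checks independent.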

2:47 pm on Jul 9, 2008 (gmt 0)

redhat



The following 2 messages were cut out to new thread by eelixduppy. New thread at: php/3694440.htm [webmasterworld.com]
11:12 am on July 9, 2008 (est -4)
3:42 pm on Jul 9, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This is my function to clean a variable for a MySQL query (with explanation for NeilsPHP):

function clean_sql($varia) {
    // REMOVE BLANK SPACE
    $varia = rtrim($varia);
    $varia = ltrim($varia);
    // REMOVE HTML TAGS
    $varia = strip_tags($varia);
    // CHECK IF GET_MAGIC_QUOTES IS ON AND STRIP SLASHES ACCORDINGLY
    if (get_magic_quotes_gpc()) { $varia = stripslashes($varia); }
    // CLEAN SPECIFICALLY FOR MYSQL QUERY
    $varia = mysql_escape_string($varia);
    return $varia;
}

If your variable is not used for a MySQL query but is shown in your HTML page, then a simple function with htmlentities would be better:

function clean($varia) {
    $varia = rtrim($varia);
    $varia = ltrim($varia);
    // CHANGE SPECIAL CHARACTERS INTO HTML ENTITIES
    $varia = htmlentities($varia, ENT_QUOTES);
    $varia = str_replace("\n", "<br>", $varia);
    if (get_magic_quotes_gpc()) { $varia = stripslashes($varia); }
    return $varia;
}

Note that I work in a UTF-8 environment. If you have many issues with special characters, make sure that you are in a hassle-free UTF-8 environment (configure the default charset in php.ini, httpd.conf, Apache, MySQL, etc.).

@NeilsPHP

First, you must be sure that text entered into your form has the correct encoding:

<form accept-charset="utf-8" ...

Then, if you know what your variables are (integer, string, email address, etc.), you must always check them before anything else. Below, rowstart must be a number, and if the check fails, a default value is assigned.

if (isset($_GET["rowstart"]) AND $_GET["rowstart"] != "") {
    $rowstart = $_GET["rowstart"];
    if (!is_numeric($rowstart)) { $rowstart = "0"; }
} else {
    $rowstart = "0";
}

Regarding the file upload issues, just read [webmasterworld.com...] . You'll see that it is slightly different because your file variables are stored in an array - $_FILES["uploaded_file"]

FromBelgium said

"I want to clean a variable of a query (no MySQL involved). For example link.php?input=value"

This is contradictory - Do you want to clean a value returned by a MySQL query or just clean a GET/POST variable ?
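
The "check the type first, then clean for the context it is used in" idea from the post above, carried through as an added example that is not the poster's code. It also addresses the earlier point that mysql_real_escape_string needs an open connection: the SQL side here uses mysqli prepared statements, which bind the value instead of escaping it into the query string (the mysql_* extension used in this thread was removed in PHP 7, so mysqli is a swapped-in substitute). Host, credentials, table and column names are placeholders, and the request values are constructed.

```php
<?php
// Added example: validate by type first, then handle each output context
// separately. Uses mysqli prepared statements as the substitute for
// mysql_escape_string(); the mysql_* extension was removed in PHP 7.
// Host, credentials, table and column names are placeholders.

// 1. Type validation with a default, as in the rowstart check above.
//    Non-numeric, negative and empty values all fall back to $default.
function int_param(array $source, string $name, int $default, int $min = 0): int
{
    if (!isset($source[$name]) || $source[$name] === '') {
        return $default;
    }
    $v = filter_var($source[$name], FILTER_VALIDATE_INT, ['options' => ['min_range' => $min]]);
    return $v === false ? $default : $v;
}

// 2. HTML context: encode at output time; store the raw value, not the
//    encoded form, so the same data can be reused in other contexts.
function for_html(string $s): string
{
    return nl2br(htmlspecialchars(trim($s), ENT_QUOTES, 'UTF-8'));
}

// 3. SQL context: bind the value instead of escaping it into the query
//    string. The connection's charset is set once, and no escaping step
//    can be forgotten because the value never touches the SQL text.
function fetch_rows(mysqli $db, int $rowstart, int $limit = 20): array
{
    $stmt = $db->prepare('SELECT id, title FROM posts LIMIT ?, ?');
    $stmt->bind_param('ii', $rowstart, $limit);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed request values standing in for $_GET['rowstart'].
foreach (['10', 'abc', '-5', '', '3.7'] as $raw) {
    echo var_export($raw, true), ' => ', int_param(['rowstart' => $raw], 'rowstart', 0), "\n";
}

// Database use is shown with placeholder credentials and left commented out
// so the type-check part above runs without a server.
// $db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
// $db->set_charset('utf8mb4');
// foreach (fetch_rows($db, int_param($_GET, 'rowstart', 0)) as $row) {
//     echo for_html($row['title']), "<br>\n";
// }
```

Of the constructed values, only '10' survives int_param(); the others are rejected by the filter or the empty-string check and come back as the default. Keeping for_html() and fetch_rows() separate is the point of the post above: one value, two contexts, two different treatments, and neither applied "just in case" to the other.
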
8:01 pm on Jul 9, 2008 (gmt 0)

5+ Year Member



One question here:
mysql_escape_string OR mysql_real_escape_string?

Also, can I use a modified function (using all relevant commands from above) for BOTH purposes?

3:39 am on Jul 10, 2008 (gmt 0)

WebmasterWorld Senior Member eelixduppy is a WebmasterWorld Top Contributor of All Time 5+ Year Member



You'd want to use mysql_real_escape_string where you can. This takes into account the charset for the database connection that you are using.
 
