1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 12:36 pm Apr 28, 2026

Forum Moderators: coopster

Message Too Old, No Replies

Santizer code - efficient?

         

adammc

4:07 am on Jul 16, 2010 (gmt 0)

10+ Year Member



Hi guys,

Can someone please tell me if this code I am suing to sanitize submitted form data is efficient and or outdated? 

function cleaner($data)
  {
    if(is_array($data))
    {
      $ret = array();
      foreach($data as $key=>$value)
      {
        $ret[$key] = cleaner($value);
      }
      return $ret;
    }
    else
    {
      if(!is_numeric($data))
      {
        if(get_magic_quotes_gpc())
        {
          $data = stripslashes($data);
        }
        $data = mysql_real_escape_string($data);
      }
      return $data;
    }
  }



// declare the variables and clean
$name = $clean['name'];
$email_address = $clean['from'];


Also is there another way of declaring / cleaning the submitted varaibles instead of having to type out each form field like above to clean it?

It would be greate to to be able to access the name variable '$name' without having to type out that full declaration / cleaning code (considering my form might have 20 fields) ;)

Any help woould be greatly appreciated :)

UserFriendly

4:48 am on Jul 16, 2010 (gmt 0)

10+ Year Member



Have you thought about using a PEAR extension such as HTML_QuickForm2:

[pear.php.net...]

This will let you declare the fields in a form, and it should then offer methods that report on whether the submitted data is valid.

Something like this is likely used and bug-tested by dozens of people regularly, so it'll be a lot safer and more elegant than trying to write new code from scratch.

adammc

5:23 am on Jul 16, 2010 (gmt 0)

10+ Year Member



I was actuall yafter somehting I have control over, thanks all the same.

I develop many sites and each is vastly different.

can anyone else possibly help?

Matthew1980

7:13 am on Jul 16, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there adammc,

Are you just trying to sanitise data from form submission - and URL data? So basically you are needing to do $_POST & $_GET?

If so, there is no need to pass their values into the function as they are already available there if the data is set & holds value...

I personally use this type of thing, and this can vary depending on what you are coding as a project & the context of data being submitted:-


function CleanData($dataBaseConn){
//Use the callback function in array map to make things efficient :)
$_POST = array_map('strip_tags', $_POST);
$_POST = array_map('trim', $_POST);

//use this function ONLY if there is a valid connection handle about, otherwise it won't function :)
if($dataBaseConn){
$_POST = array_map('mysql_real_escape_string', $_POST);
}

//Check magic quotes is on, if so use it, again, depending on context of data
//This may not be the best place to use this, might as well just use this
//just before database query....
if(get_magic_quotes_gpc())
{
$_POST = array_map('stripslashes',$_POST);
}
//Return data - cleansed :)

return $_POST;

}


You can just substitute the $_POST with $_GET - but you see the logic in use there..

And instead of using is_int() or is_numeric() you are best off using something like preg_match because then you can be more precise about what you are after catching as 'legal' or 'illegal' data. As I found out the other day, is_numeric is not as strict as you would think


if(!preg_match('/^[\d]+$/', $_POST['key_name'])){
//not numerical data in here :)
}

Hope that helps a little.

Cheers,
MRb

adammc

9:06 am on Jul 16, 2010 (gmt 0)

10+ Year Member



Thanks for the great reply :)

$_POST = array_map('strip_tags', $_POST);
$_POST = array_map('trim', $_POST);

So this trims whitespace and removes nasty html from all posted variables? Right?


//use this function ONLY if there is a valid connection handle about, otherwise it won't function :)
if($dataBaseConn){
$_POST = array_map('mysql_real_escape_string', $_POST);
}

Sorry not sure what this code above is actually doing?


How do I then access the cleansed variables for mysql insertion?

Matthew1980

9:56 am on Jul 16, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there adammc,

Yes, it trims white space from the data inputted to it, and takes out any HTML tags that are supported by strip_tags current remit :) at least I don't think it has changed much from version to version of PHP...

>>Sorry not sure what this code above is actually doing?

Ok, basically if there is no connection handle to the database going/available, the 'mysql_real_escape_string() will not function and will return an error, because it needs a connection handle in order to function :)

So all I am doing is checking the $dataConn (you need to replace that with your own connection reference) to see if it returns true (connection available, so use the function) or returns false (no connection available - don't use) but having the else clause there wouldn't be logical, so I always just use a clause to catch only if true. I hope that makes sense ;)

The function there returns the ENTIRE $_POST array cleansed for use, because you are effectively overwriting it with the data clensed, and as it's a superglobal, it's available throughout your script (so long as it's set obviously), so Ideally you would call the function just after catching the form being processed or after validity checks have passed, thats up to you. Play around with it, you will see what I mean :)

Cheers,
MRb

adammc

10:07 am on Jul 16, 2010 (gmt 0)

10+ Year Member



Awesome!

So if my form posted a field called email...
I would access the cleansed version of it using $email or $_POST['email']

adammc

10:45 am on Jul 16, 2010 (gmt 0)

10+ Year Member



Oh! didnt ealise you use it the same as I was:

// run the filter function to clean posted variables for header injection
// We then need to access each POSTED variable like this:
$clean = CleanData($_POST);


// declare the variables and clean
$authors_email = $clean['authors_email'];
$authors_email = trim($authors_email); // trim any whitespace

adammc

10:46 am on Jul 16, 2010 (gmt 0)

10+ Year Member



Any idea why this function will not validate a valid email?

// function used to validate email accounts - also looks up domain name

function checkEmail($email) {
if(preg_match("/^( [a-zA-Z0-9] )+( [a-zA-Z0-9\._-] )*@( [a-zA-Z0-9_-] )+( [a-zA-Z0-9\._-] +)+$/" , $email)){
list($username,$domain)=split('@',$email);
if(!getmxrr ($domain,$mxhosts)){
return false;


// Check for an email address & make sure there are no errors.
if(!checkEmail($authors_email)) {
$error .= "Invalid email address!";
}
}
return true;
}
return false;
}

adammc

11:29 am on Jul 16, 2010 (gmt 0)

10+ Year Member



Nevermind, found this great class!
[code.google.com...]

Thanks for your help :)

Matthew1980

11:52 am on Jul 16, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi there adammc,

Have a read of this thread to see alternatives on preg_match for email validation:-
[webmasterworld.com ]

Er, no. You would access the data like this: echo $_POST['email']; or echo $_POST['name']; AS LONG as the function is call before this declaration, the $_POST array has been overwritten with the cleansed data, you don't even need to assign it to vars, I find this saves RAM, as it's just temporary ;)

<?php
if(isset($_POST['submit']) && ($_POST['submit'] == "send form")){
//$_POST vars not clean this side of the function call
echo $_POST['name'];
cleanData();
//Woo data is now clean!

echo $_POST['name'];
}
?>

Try that example to see what I mean, try it with the function missing, and then try it with it declared see the difference in entering html into the name field - works for me...

Cheers,
MRb

adammc

12:19 pm on Jul 16, 2010 (gmt 0)

10+ Year Member



Thank you so much for your help. I tested it, looks GREAT!
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 12:36 pm Apr 28, 2026