
Cleaning all Inputs

11:27 pm on Sep 20, 2011 (gmt 0)

I'm looking for a secure way of cleaning all inputs on my site. I have a function that works but it's long-winded, I'm hoping there's a way of doing it for each $_POST.

Here's what I've got at the minute:

function clean($str) {
    $str = @trim($str);
    // Undo magic_quotes escaping first so the string isn't escaped twice
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

and then after that I use:

$post1 = clean($_POST['post1']);
$post2 = clean($_POST['post2']);
$post3 = clean($_POST['post3']);
$post4 = clean($_POST['post4']);

If there's an easier way to do this I'd love to use it.
4:44 pm on Sep 21, 2011 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

For starters, you can modify the $_POST variables directly. No need to store them in new variables, all this does is take up more memory and makes for more programming work.

foreach ($_POST as $key => $value) {
    $_POST[$key] = clean($value);
}

The only real down side of that is you'd need to "undo" the alterations if you want to display the post variables on a page afterward. They\'d <- probably look like that. :-) In that case,

$qs = array();
foreach ($_POST as $key => $value) {
    $qs[$key] = clean($value);
}

... and use $qs from that point forward.

A few things about your clean routine: it will **only** work if you've previously opened a mySQL connection (mysql_real_escape_string) and appears to do some basic database cleansing but doesn't really "cleanse" the data for other types of attacks. But it's a good start.
7:51 pm on Sep 21, 2011 (gmt 0)

5+ Year Member

To prevent sql injection and xss attacks, you might add something like this:

$str = strip_tags($str);
$str = preg_replace("/[':&#()]/","",$str);

It is probably not a complete list, but it's a start. I'd love to see somebody tell me how to improve it.
10:21 pm on Sep 21, 2011 (gmt 0)

You've knocked it on the head there jborder, "improve it". That's exactly what I'm looking for. I've read loads of articles but none seem to be conclusive.

Does anybody know of a pre-written function that covers all bases?
7:02 am on Sep 22, 2011 (gmt 0)

10+ Year Member

I found this on the net: htmlpurifier

I never tried it, so I don't know if it's good or bad. You may try and let us know.
7:35 am on Sep 22, 2011 (gmt 0)

How about something like this? This recursively sanitizes variables. Useful for multi-dimensional arrays like, for example, $_REQUEST, $_POST and $_GET.

// Note:
// A MySQL connection is required before using
// mysql_real_escape_string(), otherwise an error of level E_WARNING is
// generated and FALSE is returned. If link_identifier isn't defined,
// the last MySQL connection is used.

/**
 * Filters a variable to make it safe for insertion into a query.
 * Will filter strings and arrays (recursively).
 * @param mixed $input
 * @param boolean $filterHtml = true Should html and php tags be stripped from the input?
 * @return mixed
 */
function sqlescape($input, $filterHtml = true) {
    if (!is_array($input)) {
        if ($filterHtml) {
            return mysql_real_escape_string(strip_tags($input));
        } else {
            return mysql_real_escape_string($input);
        }
    } else {
        // Walk nested arrays and escape each leaf value
        foreach ($input as $key => $value) {
            $input[$key] = sqlescape($value, $filterHtml);
        }
        return $input;
    }
}
8:15 am on Sep 22, 2011 (gmt 0)

WebmasterWorld Senior Member topr8 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

>>Does anybody know of a function pre written that covers all bases?

no, to be really safe you should customise your 'cleaning' functions to suit each input...

if you expect an integer then test for an integer.
if you expect a month in the format 01-12 then test for that.
if you expect a text field with a maximum of 64 characters make sure you also test for a string with maximum length of 64.
ensure you only allow the characters that you want (eg you might want to disallow html for many good reasons)

what rocknbil said is a good shortcut although i always do something like:
$clean_post1 = clean($_POST['post1']);

this way i never accidentally use a variable for a database insert that hasn't already been cleaned. (using an array like Oxidiser said also makes sense)

it is more long-winded to test the data properly, but if you don't, you are building up trouble for the future one way or another - even if just from having wrong data inserted into your database fields
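An added example, not code from the thread, that turns topr8's per-field rules into one validator: each field gets its own rule (an integer, a month in the format 01-12, or text of at most 64 characters from an allowed set), and anything that fails is rejected rather than "cleaned". The field names, the rule set, the sample input and the $pdo connection are assumptions.

```php
<?php
// Added example (not from the thread). Validates each field against its own
// rule and fails closed; field names and rules here are assumptions.
function validate_post(array $post, array $rules) {
    $clean  = array();
    $errors = array();
    foreach ($rules as $field => $rule) {
        $raw = isset($post[$field]) ? $post[$field] : null;
        if (!is_string($raw)) {           // missing field or nested array: reject
            $errors[$field] = 'missing';
            continue;
        }
        $raw   = trim($raw);
        $value = $raw;
        switch ($rule) {
            case 'int':                   // expect an integer, so test for one
                $ok    = filter_var($raw, FILTER_VALIDATE_INT) !== false;
                $value = (int) $raw;
                break;
            case 'month':                 // expect exactly 01-12
                $ok = preg_match('/^(0[1-9]|1[0-2])$/', $raw) === 1;
                break;
            case 'text64':                // allowed characters only, max length 64
                $ok = preg_match('/^[A-Za-z0-9 .,\'-]{1,64}$/', $raw) === 1;
                break;
            default:                      // unknown rule: never accept the value
                $ok = false;
        }
        if ($ok) {
            $clean[$field] = $value;
        } else {
            $errors[$field] = 'invalid';
        }
    }
    return array($clean, $errors);
}

// Constructed sample input standing in for $_POST; post2 and post4 should be rejected.
$sample = array('post1' => '42', 'post2' => '13', 'post3' => "Bob O'Neil", 'post4' => '<b>x</b>');
$rules  = array('post1' => 'int', 'post2' => 'month', 'post3' => 'text64', 'post4' => 'text64');
list($clean, $errors) = validate_post($sample, $rules);

// Validated values still go into SQL as bound parameters rather than by
// string escaping; $pdo is assumed to be an existing PDO connection.
// $stmt = $pdo->prepare('INSERT INTO posts (post1, post3) VALUES (?, ?)');
// $stmt->execute(array($clean['post1'], $clean['post3']));
```

Note that the apostrophe in "Bob O'Neil" passes because it is explicitly allowed, while the HTML in post4 is refused outright instead of being stripped.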
4:12 pm on Sep 22, 2011 (gmt 0)

WebmasterWorld Senior Member rocknbil is a WebmasterWorld Top Contributor of All Time 10+ Year Member

^ ^ Precisely, "it depends" on what the input is. "Every user input is a potential hack" and "Accept only what you want and throw everything else away" - Selena Sol
