  1. #1

    Is this filtering secure?

    Hello forums!
    I would like to know if I am doing this right for security purposes or not.
    For any user-submitted data ($_POST & $_GET) I do the following:
    PHP Code:
    <?php
    // Escape every submitted value up front. The function is renamed here from
    // filter_input(), which collides with PHP's built-in filter_input() (PHP >= 5.2)
    // and would fail with "Cannot redeclare".
    $_POST = filter_input_data($_POST);
    // $_GET = filter_input_data($_GET);
    // then use the filtered data in queries as
    $sql = "INSERT INTO `table_name` (field1, field2) VALUES('".$_POST['field1']."', '".$_POST['field2']."')";

    // filter function: trims, HTML-encodes and then SQL-escapes each value
    // (mysql_real_escape_string() needs an open mysql_connect() link and the
    // ext/mysql extension, which was removed in PHP 7)
    function filter_input_data($arg){
        if(is_array($arg)){
            foreach($arg as $key => $value){
                if(is_array($value)){
                    // nested arrays are assumed to be numerically indexed 0..n-1
                    for($i = 0; $i < count($value); $i++){
                        $arg[$key][$i] = mysql_real_escape_string(htmlentities(trim($value[$i]), ENT_QUOTES, 'UTF-8'));
                    }
                }else{
                    $arg[$key] = mysql_real_escape_string(htmlentities(trim($value), ENT_QUOTES, 'UTF-8'));
                }
            }
            return $arg;
        }elseif(is_string($arg)){
            $arg = mysql_real_escape_string(htmlentities(trim($arg), ENT_QUOTES, 'UTF-8'));
            return $arg;
        }else{
            // anything else (int, null, ...) is passed through untouched
            return $arg;
        }
    }

    My questions:
    - Is this a secure filter or not?

    Thanks in advance for your valuable suggestions.
    Last edited by PHPycho; 01-03-2008 at 08:46 AM.

  • #2
    Personally, I use a function that I call "check_data" for any input. It takes 2 arguments, the text to "clean" and the validation to run.

    PHP Code:
    <?php
    function check_data($t, $v) {
        switch ($v) {
            case "text":
                // \W matches any non-word character, so "text" here means
                // letters, digits and underscore only (no spaces or punctuation)
                if (preg_match("/\W/", $t)) {
                    return false;
                }
                else {
                    return true;
                }
                break;
            // ... (the remaining validation cases are elided in the original post)
        }
    }

    It has all sorts of validation "cases" for anything from numbers, to text, phone, zips, email, web addresses, etc. I just run all my data through this function to check it before running a query, or passing the data to another app (file system call, etc).
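    To put the two approaches side by side, here is an added example (not code from either poster): a rule-based validator in the spirit of check_data(), a prepared statement instead of the escape-everything filter from the first post, and HTML escaping applied only at output. It assumes PDO with the sqlite driver so it runs stand-alone; the table and field names come from the first post, the rule names and sample input are constructed.

```php
<?php
// Added example, not code from either post: validate on input, bind SQL
// parameters, HTML-escape only at output. Runs against an in-memory SQLite
// database through PDO; rule names and the sample input are constructed.
declare(strict_types=1);
// Rule-based validation in the spirit of check_data(): returns the trimmed
// value when it matches the named rule, null when it does not.
function validate(string $value, string $rule): ?string
{
    $value = trim($value);
    $ok = match ($rule) {
        'name'  => preg_match('/^[\p{L}\' .-]{1,64}$/u', $value) === 1,
        'text'  => preg_match('/^[\w ]{1,200}$/u', $value) === 1,
        'email' => filter_var($value, FILTER_VALIDATE_EMAIL) !== false,
        default => false,   // unknown rule: reject instead of falling through
    };
    return $ok ? $value : null;
}
// Prepared statement: the values travel separately from the SQL text, so they
// need no mysql_real_escape_string() and are stored exactly as validated.
function insert_row(PDO $db, string $field1, string $field2): void
{
    $stmt = $db->prepare('INSERT INTO `table_name` (field1, field2) VALUES (:f1, :f2)');
    $stmt->execute([':f1' => $field1, ':f2' => $field2]);
}
// HTML-escape where a value is rendered, not where it is received, so the
// database never holds entity-encoded copies of the data.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `table_name` (field1 TEXT, field2 TEXT)');
$post = ['field1' => "  O'Brien ", 'field2' => 'hello world'];   // stands in for $_POST
$f1 = validate($post['field1'], 'name');   // trims, keeps the apostrophe
$f2 = validate($post['field2'], 'text');
if ($f1 === null || $f2 === null) {
    http_response_code(400);
    exit("invalid input\n");
}
insert_row($db, $f1, $f2);
$row = $db->query('SELECT field1 FROM `table_name`')->fetch(PDO::FETCH_ASSOC);
echo $row['field1'], "\n";        // the raw stored value, apostrophe intact
echo html($row['field1']), "\n";  // the same value escaped for an HTML page
```

    Swapping the PDO DSN for a MySQL one changes nothing else: the binding, not the driver, is what keeps the input out of the SQL text.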