views: 393
answers: 5

I'm trying to come up with a way to effectively and easily clean all POST and GET variables with a single function. Here's the function itself:

//clean the user's input
function cleanInput($value, $link = '')
{
    //if the variable is an array, recurse into it
    if(is_array($value))
    {
        //for each element in the array...
        foreach($value as $key => $val)
        {
            //...clean the content of each variable in the array
            //(note: $link is not passed down here, so nested values such as
            //checkbox arrays are escaped without a valid connection)
            $value[$key] = cleanInput($val);
        }

        //return clean array
        return $value;
    }
    else
    {
        return mysql_real_escape_string(strip_tags(trim($value)), $link);
    }
}

And here's the code that would call it:

//This stops SQL Injection in POST vars
foreach ($_POST as $key => $value)
{
    $_POST[$key] = cleanInput($value, $link);
}

//This stops SQL Injection in GET vars
foreach ($_GET as $key => $value)
{
    $_GET[$key] = cleanInput($value, $link);
}

To me this seems like it should work. But for some reason it won't return arrays from some checkboxes I have in a form. They keep coming out blank.

I've tested my code without the above function and it works fine, I just want that added bit of security in there.

Thanks!

+2  A: 

Use filter_input if possible (PHP 5+). It keeps it a lot cleaner and as far as I'm aware you can sanitise and validate everything you could need using it.

You can use filter_var_array to filter the whole POST array:

filter_var_array($_POST, FILTER_SANITIZE_STRING); // just an example filter

There are loads of different filter options available in the w3schools filter reference.

Andi
Oh, this is awesome! I've never seen this before :)
John
This is the best method if you have PHP 5.
seengee
+1  A: 

Unchecked checkboxes are not sent to the server.

You may use array_walk_recursive to do what you want.

w35l3y
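As an added example (editor's code, not part of either answer above), this is what the first answer's filter_var_array approach looks like with a per-field definition instead of one blanket filter, written so that it also handles the point of the second answer: a checkbox the user left unchecked is simply absent from the request. The field names (username, age, a colors[] checkbox group, a single newsletter checkbox) and the two sample requests are assumed for illustration. FILTER_SANITIZE_STRING, used in the answer, is deprecated since PHP 8.1, so validation filters are used instead: a value that fails comes back as false, and a field that was never submitted comes back as null.

```php
<?php
// Added example, not from the answers above. Validate the whole request with
// filter_var_array() and a per-field definition. Field names are assumed.

$definition = array(
    // Accept only what a username may contain; strip_tags() is not needed,
    // anything with angle brackets fails outright.
    'username' => array(
        'filter'  => FILTER_VALIDATE_REGEXP,
        'options' => array('regexp' => '/^[A-Za-z0-9_]{3,32}$/'),
    ),
    'age' => array(
        'filter'  => FILTER_VALIDATE_INT,
        'options' => array('min_range' => 13, 'max_range' => 120),
    ),
    // Checkbox group colors[]: every element must be a positive integer.
    // FILTER_REQUIRE_ARRAY makes a scalar here fail as well.
    'colors' => array(
        'filter'  => FILTER_VALIDATE_INT,
        'flags'   => FILTER_REQUIRE_ARRAY,
        'options' => array('min_range' => 1),
    ),
    // Single checkbox: "on" when ticked, absent from the request otherwise.
    'newsletter' => FILTER_VALIDATE_BOOLEAN,
);

/**
 * Returns array('data' => filtered fields, 'errors' => names of bad fields).
 * filter_var_array() puts null in the result for keys that were not
 * submitted (add_empty defaults to true), so an unchecked checkbox is not an
 * error; a value that fails its filter is false and is reported.
 */
function validateRequest(array $input, array $definition)
{
    $data   = filter_var_array($input, $definition);
    $errors = array();
    foreach ($data as $field => $value) {
        if ($value === false) {
            $errors[] = $field;
        } elseif (is_array($value) && in_array(false, $value, true)) {
            $errors[] = $field; // one bad element spoils the whole group
        }
    }
    // Normalise absent checkboxes to their "unchecked" meaning.
    if ($data['colors'] === null) {
        $data['colors'] = array();
    }
    if ($data['newsletter'] === null) {
        $data['newsletter'] = false;
    }
    return array('data' => $data, 'errors' => $errors);
}

// Constructed request 1: everything ticked and well formed.
$r1 = validateRequest(array(
    'username'   => 'alice_01',
    'age'        => '37',
    'colors'     => array('2', '5'),
    'newsletter' => 'on',
), $definition);

// Constructed request 2: no checkbox ticked (both keys absent) and a tag in
// the username.
$r2 = validateRequest(array(
    'username' => '<b>alice</b>',
    'age'      => '37',
), $definition);

// Constructed request 3: a tampered value smuggled into the checkbox group.
$r3 = validateRequest(array(
    'username' => 'bob',
    'age'      => '40',
    'colors'   => array('2', 'x'),
), $definition);

print_r($r1);
print_r($r2);
print_r($r3);
```

Request 1 passes with the checkbox values already cast to integers, request 2 reports only username as invalid (colors becomes an empty array and newsletter false, which is what an untouched form means), and request 3 reports colors. Nothing here is SQL escaping: the filtered values are still bound to queries with prepared statements, as the answer further down recommends.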
+2  A: 

What you're doing isn't enough. See here.

ryeguy
+1  A: 

To make the recursion more elegant you could use something like array_map, for example:

$_POST = array_map('mysql_real_escape_string', $_POST);

Use filter_var if you can though, as these kinds of approaches are generally bad; just an example though ;)

seengee
A: 

This is the wrong way to go about cleaning input.

Applying blanket mysql escaping to absolutely everything in $_POST and $_GET is going to come back and bite you if you still want to use the data after you've made a database query but don't want the escape characters in there.

Use parameterised queries with mysqli or PDO and you will never need to use mysql_real_escape_string().

Ben James
Even worse if you don't have a connection to the database already initiated.
alex
I have the connection set up right above the function call, but you guys don't need to see what I've got there. ;-)
tscully
See: http://php.net/manual/en/security.magicquotes.php
bucabay
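To show what the parameterised-query advice in the answer above looks like for this form, here is an added example (editor's code, not from the answer). It stores a text field and resolves a colors[] checkbox group, including the case where no box was ticked and the key is missing, without escaping anything. It uses PDO against an in-memory SQLite database so it runs stand-alone; for MySQL change the DSN to mysql:host=...;dbname=...;charset=utf8mb4 and keep the rest. The table names (users, colors), field names (username, colors[]) and the sample request are constructed for this example.

```php
<?php
// Added example, not code from the answer above: the question's form handled
// with prepared statements, so no escaping of $_POST is needed. Table and
// field names and the sample request are assumed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec('CREATE TABLE colors (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO colors (id, name) VALUES (1,'red'),(2,'green'),(3,'blue'),(4,'black')");

/**
 * Stores a username exactly as submitted. The value is bound, never
 * concatenated into the SQL text, so quotes and keywords in it are inert.
 */
function saveUser(PDO $pdo, $username)
{
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute(array(':name' => $username));
    return (int) $pdo->lastInsertId();
}

/**
 * Resolves a colors[] checkbox group to colour names with one IN (...) query.
 */
function selectedColors(PDO $pdo, array $post)
{
    // Unchecked checkboxes are not submitted at all, so default the key.
    $raw = isset($post['colors']) ? (array) $post['colors'] : array();

    // Validate the type before binding: keep only genuine positive integers.
    $ids = array();
    foreach ($raw as $v) {
        $id = filter_var($v, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
        if ($id !== false) {
            $ids[] = $id;
        }
    }
    if (!$ids) {
        return array();
    }

    // One "?" per value; the placeholder list is derived from count($ids),
    // so the SQL text never contains user data.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt  = $pdo->prepare("SELECT name FROM colors WHERE id IN ($marks) ORDER BY id");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed request: a classic injection string in the text field and a
// tampered value in the checkbox group.
$post = array(
    'username' => "alice' OR '1'='1",
    'colors'   => array('2', '3', '3 OR 1=1'),
);

$userId = saveUser($pdo, $post['username']);
$stmt   = $pdo->prepare('SELECT name FROM users WHERE id = ?');
$stmt->execute(array($userId));
$stored = $stmt->fetchColumn();

var_dump($stored === $post['username']); // the string is stored verbatim
print_r(selectedColors($pdo, $post));    // only the valid ids reach the query
print_r(selectedColors($pdo, array()));  // nothing ticked: empty result
```

The only place the request shapes the SQL is the number of placeholders, and that comes from count(), not from the values. With mysqli the same IN (...) query is built the same way and bound with bind_param() using a type string of str_repeat('i', count($ids)) and the values unpacked as ...$ids (PHP 5.6+).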