I'm wondering if there is a quick and easy function to clean GET variables in my URL before I work with them (or $_POST, come to think of it...).

I suppose I could use a regex to replace non-permitted characters, but I'm interested to hear what people use for this sort of thing?

+1  A: 

I use the PHP input filters and the function urlencode.

Seamus
+2  A: 

Regular expressions can be helpful, and also PHP 5.2.0 introduced a whole filter extension devoted to filtering input variables in different ways.

It's hard to recommend a single solution, because the nature of input variables is so... variable. :-)

Bill Karwin
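Both answers above point at the filter extension. As an added example, not code from either answer, here is a simulated $_GET run through filter_var_array() with one validation rule per expected field, the rejected fields refused with a 400, and the accepted values put back into a URL with http_build_query(), which percent-encodes each value the way urlencode() does. The $get array and the rules are constructed for the example.

```php
<?php
// Added example: validating a simulated $_GET with the filter extension, then
// rebuilding a query string with http_build_query() (urlencode-style encoding).
// Not code from the answers above. $get is constructed input standing in for $_GET.
$get = [
    'id'    => '42',
    'email' => 'not an email',
    'slug'  => 'hello-world',
    'page'  => '-3',
    'q'     => 'cats & "dogs"',
    // 'sort' is deliberately absent
];

// One rule per expected field. Keys that are not listed here are dropped by
// filter_var_array(), so a stray parameter never reaches the application.
$rules = [
    'id'    => ['filter'  => FILTER_VALIDATE_INT,
                'options' => ['min_range' => 1]],
    'email' => FILTER_VALIDATE_EMAIL,
    'slug'  => ['filter'  => FILTER_VALIDATE_REGEXP,
                'options' => ['regexp' => '/^[a-z0-9-]{1,64}$/']],
    'page'  => ['filter'  => FILTER_VALIDATE_INT,
                'options' => ['min_range' => 1, 'default' => 1]],
    'q'     => FILTER_DEFAULT,   // free text: escaped later, per output context
    'sort'  => FILTER_DEFAULT,
];

// filter_var_array() yields null for a key that was not sent, false for a
// value that failed its filter, and the type-cast value otherwise. For 'page'
// the 'default' option replaces the failed value instead of returning false.
$clean = filter_var_array($get, $rules);

$rejected = array_keys(array_filter($clean, function ($v) { return $v === false; }));
if ($rejected) {
    // A value that fails validation is refused, not "fixed" into something else.
    http_response_code(400);
    echo 'invalid parameters: ', implode(', ', $rejected), "\n";
}

// URL context: keep only the accepted scalars and let http_build_query()
// percent-encode them; the '&' and quotes in 'q' come out as %26, %22 etc.
$accepted = array_filter($clean, function ($v) { return $v !== false && $v !== null; });
echo 'https://example.com/search?' . http_build_query($accepted), "\n";
```

filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [...]) does the same thing for one field straight from the request; filter_var_array() is used here so the example runs from the command line on constructed data.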
+5  A: 

The concept of cleaning input never made much sense to me. It's based on the assumption that some kinds of input are dangerous, but in reality there is no such thing as dangerous input; just code that handles input wrongly.

The crux of it is that if you embed a variable inside some kind of string (code), which is then evaluated by any kind of interpreter, you must ensure that the variable is properly escaped. For example, if you embed a string in an SQL statement, then you must quote and escape certain characters in this string. If you embed values in a URL, then you must escape them with urlencode. If you embed a string within an HTML document, then you must escape with htmlspecialchars. And so on and so forth.

Trying to "clean" data up front is a doomed strategy, because you can't know, at that point, which context the data is going to be used in. The infamous magic_quotes anti-feature of PHP is a prime example of this misguided idea.

troelskn
I've been using htmlentities instead of htmlspecialchars; it does full entity conversion.
Alex
That's OK from a security perspective: htmlentities is a superset of htmlspecialchars. You don't need it if you are using UTF-8 as the encoding, though.
troelskn
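As an added illustration of the point made in this answer (not code from the answer itself), one untrusted value goes into three contexts, each with its own escaping: htmlspecialchars() for HTML, urlencode() for a URL, and a PDO prepared statement for SQL, where the value is bound as a parameter rather than escaped into the statement text. The input string is constructed; the SQL part assumes the pdo_sqlite extension so that it runs offline against an in-memory database.

```php
<?php
// Added example: the same untrusted value escaped per output context.
// $name is constructed test input; in a real request it would come from $_GET/$_POST.
$name = "O'Brien <script>alert(1)</script> & \"friends\"";

// HTML context: turn <, >, &, " and ' into entities so the browser treats the
// value as text, not markup. ENT_QUOTES covers single quotes too (needed inside
// attributes); always pass the charset.
$forHtml = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
echo "<p>Hello, $forHtml</p>\n";
echo "<input type=\"text\" value=\"$forHtml\">\n";

// URL context: percent-encode the value when it becomes a query parameter.
$forUrl = 'https://example.com/profile?name=' . urlencode($name);
echo $forUrl, "\n";

// SQL context: do not escape into the string at all; bind the value so it is
// never part of the statement text the parser sees.
// Assumes pdo_sqlite; an in-memory database keeps this runnable offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $name]);

$select = $db->prepare('SELECT name FROM users WHERE name = :name');
$select->execute([':name' => $name]);
$row = $select->fetch(PDO::FETCH_ASSOC);

// The stored value is byte-for-byte the original: nothing was "cleaned", the
// quote and the tags simply never got interpreted by the SQL parser.
echo $row['name'] === $name ? "round-trip intact\n" : "value was altered\n";

// Escaping for one context and then using the result in another is the
// classic mistake: the HTML-escaped value dropped into a URL is neither
// correctly encoded for the URL nor the value the user typed.
echo 'https://example.com/profile?name=' . $forHtml, "\n";
```

The same raw value is kept in one place and escaped at each point of use; no single up-front transformation would have been right for all three outputs.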
+1  A: 

I use the below method to sanitize input for MySQL database use. To summarize, iterate through the $_POST or $_GET array via foreach, and pass each $_POST or $_GET value through the DBSafe function to clean it up. DBSafe could easily be modified for other uses of the data variables (e.g. HTML output etc.).

// Iterate POST array, pass each to DBSafe function to clean up data
foreach ($_POST as $key => $PostVal) {

  // Convert POST vars into regular vars: this creates (or silently overwrites)
  // a local variable named after each POST key, e.g. $_POST['id'] becomes $id
  $$key = DBSafe($PostVal);

  // Use above statement to leave POST or GET array intact, and use new individual vars
  // OR, use below to update POST or GET array vars

  // Update POST vars
  $_POST[$key] = DBSafe($PostVal);
}


function DBSafe($InputVal) {
  // Returns MySQL-safe values for DB update: unquoted numeric values; NULL for
  // empty input; escaped, 'single-quoted' string values (quotes included, so the
  // result is spliced straight into the statement text)

  if (is_numeric($InputVal)) {
    return $InputVal;
  }

  // Empty string becomes an unquoted NULL ('0' was already taken by is_numeric)
  if ($InputVal === '') {
    return 'NULL';
  }

  // Escaping depends on server PHP and MySQL (i.e. magic_quotes) setup: if
  // magic_quotes_gpc already added slashes, strip them first so the value is not
  // escaped twice. mysql_real_escape_string() needs an open mysql_connect() link
  // and supersedes the older mysql_escape_string().
  if (get_magic_quotes_gpc()) {
    $InputVal = stripslashes($InputVal);
  }
  $InputVal = mysql_real_escape_string($InputVal);

  return "'$InputVal'";
}
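For comparison with DBSafe above, an added example (not the answer's code) that keeps the same goals, numbers stored as numbers, empty input stored as NULL, strings stored intact, but reaches them with an allowlist of expected fields instead of a loop over everything in $_POST, FILTER_VALIDATE_INT instead of is_numeric() (which also accepts "1e3" and leading whitespace), and typed parameter binding instead of building the statement text. $post is constructed input standing in for $_POST; the database part assumes the pdo_sqlite extension so that it runs offline in memory.

```php
<?php
// Added example: allowlisted fields plus typed binding, in place of DBSafe's
// variable variables and string quoting. $post is constructed test input;
// 'evil' is a key the form never sends.
$post = [
    'age'  => '37',
    'nick' => "d'oh",
    'bio'  => '',
    'evil' => "x'); DROP TABLE users; --",
];

// Only the fields the form is expected to send, with the type each must have.
$fields = [
    'age'  => 'int',
    'nick' => 'string',
    'bio'  => 'string',
];

// Assumes pdo_sqlite; an in-memory database keeps the example offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (age INTEGER, nick TEXT, bio TEXT)');

$stmt = $db->prepare('INSERT INTO users (age, nick, bio) VALUES (:age, :nick, :bio)');

foreach ($fields as $name => $type) {
    $raw = isset($post[$name]) ? $post[$name] : '';

    // PHP turns "nick[]=x" into an array; refuse anything that is not a scalar.
    if (!is_string($raw)) {
        http_response_code(400);
        exit("field $name must be a single value\n");
    }

    if ($raw === '') {
        // Empty input becomes SQL NULL, as in DBSafe, but through a typed bind.
        $stmt->bindValue(":$name", null, PDO::PARAM_NULL);
    } elseif ($type === 'int') {
        $int = filter_var($raw, FILTER_VALIDATE_INT);
        if ($int === false) {
            http_response_code(400);
            exit("field $name must be an integer\n");
        }
        $stmt->bindValue(":$name", $int, PDO::PARAM_INT);
    } else {
        // The quote in "d'oh" is stored as-is; it never touches the statement text.
        $stmt->bindValue(":$name", $raw, PDO::PARAM_STR);
    }
}

// 'evil' was never looked at: it is not in $fields, so nothing in it can reach
// the statement, and no escaping decision had to be made for it.
$stmt->execute();

foreach ($db->query('SELECT age, nick, bio FROM users') as $row) {
    var_dump($row);
}
```

The allowlist is the part DBSafe's foreach over $_POST cannot give you: deciding up front which keys exist and what type each has means an unexpected parameter is ignored rather than quoted and passed along.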