views: 148
answers: 3

I normally use this function to sanitize my form inputs before storing them into my database:

```php
// Function to sanitize values received from the form. Prevents SQL injection.
function clean($str) {
    // Trim whitespace; the @ suppresses any warning (e.g. when $str is not a string).
    $str = @trim($str);
    // Undo the automatic slashes added by the (now removed) magic_quotes_gpc setting.
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    // Escapes SQL string delimiters using the charset of the current MySQL
    // connection, so it fails with a link error when no connection is open.
    return mysql_real_escape_string($str);
}
```

Until today I didn't realize that mysql_real_escape_string requires a database connection, as I've only used it when cleaning data before storing it in the database.

I tried using the function on a contact form and got the "A link to the server could not be established" error. I could connect to the database, but there is no need, because I am simply trying to sanitize the data before it's sent out to my e-mail via the contact form.

What is the best way to sanitize data that's not being stored in a MySQL database, and does this data still need to be sanitized?

+3  A: 

Use filter_var():

http://php.net/manual/en/function.filter-var.php

A great tutorial:

http://www.phpro.org/tutorials/Filtering-Data-with-PHP.html

For example, if you want to sanitize an email:

```php
$_POST['email'] = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
```

and for a message:

```php
$_POST['message'] = filter_var($_POST['message'], FILTER_SANITIZE_STRING);
```

is enough.

Haim Evgi
Which particular filters do you mean, please? There are so many of them.
Col. Shrapnel
OK, stupid question: I looked at the tutorial but I'm still confused, mostly on what methods of sanitation to use. Right now I have this; please let me know if that's a correct/good way to do it.

```php
// get submitted data
$name    = filter_var($_POST['name'], FILTER_SANITIZE_SPECIAL_CHARS);
$email   = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
$message = filter_var(nl2br($_POST['message']), FILTER_SANITIZE_SPECIAL_CHARS);
```

Is FILTER_SANITIZE_SPECIAL_CHARS enough, or should I also use (or use instead) FILTER_SANITIZE_MAGIC_QUOTES?
BandonRandon
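The comment above asks which filter to pick for each field. The following is an added example, not code from the answer or from the thread's participants, showing the approach a reviewer would want on a contact form: validate and reject bad input instead of silently "sanitizing" it, and escape for HTML only at the point of output. The field names and length limits are assumptions; the filter constants and functions are standard PHP.

```php
<?php
// Added example (not from the thread). Validates a contact form with filter_var():
// reject bad input rather than rewriting it. Field names and limits are assumed.
declare(strict_types=1);

const NAME_MAX    = 100;   // assumed limit
const MESSAGE_MAX = 5000;  // assumed limit

/**
 * Returns ['ok' => bool, 'errors' => string[], 'data' => array].
 * On success 'data' holds the raw, validated values: nothing is HTML-escaped
 * here, because escaping belongs to the output context (see html_safe()).
 */
function validate_contact_form(array $post): array
{
    $errors = [];
    $data   = [];

    // Name: plain text, bounded length, no line breaks (a line break in a value
    // that later reaches a mail header is what makes header injection possible).
    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > NAME_MAX) {
        $errors[] = 'name: required, at most ' . NAME_MAX . ' characters';
    } elseif (preg_match('/[\r\n]/', $name)) {
        $errors[] = 'name: line breaks are not allowed';
    } else {
        $data['name'] = $name;
    }

    // Email: validate, do not sanitize. FILTER_SANITIZE_EMAIL only strips
    // characters, so a malformed address can come out as a different one.
    $email = trim((string)($post['email'] ?? ''));
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($valid === false) {
        $errors[] = 'email: not a valid address';
    } else {
        $data['email'] = $valid;
    }

    // Message: keep the raw text (it goes into a plain-text mail body) and only
    // bound its size. nl2br() and HTML escaping are output concerns, not input ones.
    $message = trim((string)($post['message'] ?? ''));
    if ($message === '' || mb_strlen($message) > MESSAGE_MAX) {
        $errors[] = 'message: required, at most ' . MESSAGE_MAX . ' characters';
    } else {
        $data['message'] = $message;
    }

    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $data];
}

// Escape for HTML at output time only, e.g. when re-displaying the form values.
function html_safe(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions (not real data).
$good = ['name' => 'Jane Doe', 'email' => 'jane@example.com', 'message' => "Hi,\nit's me."];
$bad  = ['name' => "Jane\r\nX-Extra: header", 'email' => 'jane <jane@example.com>', 'message' => ''];

foreach ([$good, $bad] as $input) {
    $r = validate_contact_form($input);
    echo $r['ok'] ? "accepted\n" : 'rejected: ' . implode('; ', $r['errors']) . "\n";
}

// Contrast the two email filters on the same malformed value: the sanitize filter
// drops the space and angle brackets and keeps going, the validate filter fails.
var_dump(filter_var('jane <jane@example.com>', FILTER_SANITIZE_EMAIL));
var_dump(filter_var('jane <jane@example.com>', FILTER_VALIDATE_EMAIL));

echo html_safe("<b>it's me</b>"), "\n";
```

The design point is the one Col. Shrapnel's answer makes below in a different form: there is no single "sanitize" step that fits every destination. A validated address is safe to place in a Reply-To header, raw message text is fine in a text/plain body, and the same text needs htmlspecialchars() the moment it is echoed into HTML. FILTER_SANITIZE_STRING, used in this answer, is deprecated as of PHP 8.1, which is another reason to prefer validation plus output-context escaping.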
A: 

The purpose of sanitizing the data with mysql_real_escape_string is to avoid SQL injection. If you're not using SQL, you're already immune.

Men don't get cervical cancer.

Use a sanitization function appropriate to the special characters you need to avoid. Ideally, don't strip something which won't cause harm.

Borealid
mysql_real_escape_string alone does not help anything.
Col. Shrapnel
A: 

The whole concept is wrong. This function doesn't help, not for email and not even for the database.

mysql_real_escape_string does not "sanitize" anything. It merely escapes delimiters and nothing else, just to prevent syntax errors if you have a delimiter in your data:

```sql
SELECT * FROM table WHERE name = 'it's me' -- error!
```

After the data has been escaped, your data becomes 'it\'s me' and there is no error.
Therefore, this function works only within an SQL query, and only for data enclosed in quotes.

Thus, there is no sense in doing just mysql_real_escape_string without having quotes around the value. mysql_real_escape_string should be used:

a) alone: stuff like trim or stripslashes has nothing to do here;
b) right before composing the query string, and not elsewhere;
c) only with data that is going to be enclosed in quotes;
d) all other data needs other ways of sanitization.

As for the email, you don't need any sanitization if you send it as plain text. The only precaution you have to take is against mail injection.
Not a big deal, though. Just put user input into the message body only: not into the subject, To, From or any other header. Message body only. And you are safe.

Col. Shrapnel
What? Always use sanitation. Never trust user input. Such advice assumes that a) there's no way to inject a different header into the script (if you're not sanitizing the input, how do you know for sure?) and b) that all mail clients will do the right thing even with a text/plain header. I seriously doubt that.
Cfreak
@Cfreak the only sensible point here is about some odd mail clients. Got one as an example? But your "never trust user input" mindless prayer is indeed funny. Why not get some experience before judging others?
Col. Shrapnel
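Col. Shrapnel's answer says that a plain-text contact mail is safe when user input goes only into the body, and Cfreak's objection is about headers. The following is an added example, not code from either of them or from the question, that composes the mail that way: every header value is a constant or an address that passed FILTER_VALIDATE_EMAIL, and all free-form user text goes into the body. The recipient, sender and subject are assumed fixed values; build_contact_mail() and send_contact_mail() are hypothetical names for this example.

```php
<?php
// Added example (not from the thread): compose the contact e-mail with user input
// in the body only, as the answer recommends, and guard the one header that
// commonly tempts people to put user data in (Reply-To). Addresses and subject
// below are assumed fixed site values.
declare(strict_types=1);

const CONTACT_TO      = 'contact@example.com';  // assumed fixed recipient
const CONTACT_FROM    = 'noreply@example.com';  // assumed site sender, never the user
const CONTACT_SUBJECT = 'Website contact form'; // fixed, never from user input

/**
 * Builds the pieces for mail(): [to, subject, body, headers], or null when the
 * input is unusable. A header value is either a constant or an address that
 * passed FILTER_VALIDATE_EMAIL, which cannot contain CR or LF, so no additional
 * header line can be smuggled in through it.
 */
function build_contact_mail(string $name, string $email, string $message): ?array
{
    $reply = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    if ($reply === false) {
        return null; // reject rather than "clean" an address
    }

    // Defence in depth: anything destined for a header must be a single line.
    foreach ([$reply, CONTACT_TO, CONTACT_FROM, CONTACT_SUBJECT] as $headerValue) {
        if (preg_match('/[\r\n]/', $headerValue)) {
            return null;
        }
    }

    // Free-form user text goes into the body only. Line breaks in a text/plain
    // body are harmless; the name is folded onto one line just for readability.
    $body = 'Name: ' . str_replace(["\r", "\n"], ' ', $name) . "\n"
          . 'Email: ' . $reply . "\n\n"
          . $message . "\n";

    $headers = [
        'From: ' . CONTACT_FROM,
        'Reply-To: ' . $reply,
        'Content-Type: text/plain; charset=UTF-8',
    ];

    return [CONTACT_TO, CONTACT_SUBJECT, $body, implode("\r\n", $headers)];
}

function send_contact_mail(string $name, string $email, string $message): bool
{
    $parts = build_contact_mail($name, $email, $message);
    if ($parts === null) {
        return false;
    }
    [$to, $subject, $body, $headers] = $parts;
    return mail($to, $subject, $body, $headers);
}

// Constructed inputs. The second carries a line break inside the address, which
// is the shape a header-injection attempt takes; FILTER_VALIDATE_EMAIL rejects it.
$ok  = build_contact_mail('Jane Doe', 'jane@example.com', "Hello,\nit's me.");
$bad = build_contact_mail('Jane Doe', "jane@example.com\r\nX-Extra: header", 'Hello');
var_dump($ok !== null, $bad === null);
```

The check that matters is the one on header-bound values; nothing in the body needs escaping for a text/plain message, which is the answer's point. If the mail is instead rendered as HTML, the body becomes an HTML output context and htmlspecialchars() applies there, which is where Cfreak's concern about client behaviour would come in.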