tags:

views:

148

answers:

3
+2  Q: 

Sanitize contact form without mysql_real_escape_string

I normally use this function to sanitize my form inputs before storing them into my database:

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

Until today I didn't realize that mysql_real_escape_string required a database connection as I've only used it when I've been cleaning the data before storing it into the database.

I tried using the function on a contact form and got the "A link to the server could not be established" error. I could connect to the database but there is no need because I simply am trying to sanitize the data before it's being sent out to my e-mail via the contact form.

What is the best way to sanitize data that's not being stored in a mysql database and does this data still need to be sanitized?

+3  A: 

use filter_var()

http://php.net/manual/en/function.filter-var.php

a great tutorial :

http://www.phpro.org/tutorials/Filtering-Data-with-PHP.html

like if you want to sanitize an email:

$_POST['email'] =    filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);

to message 

$_POST['message'] = filter_var($_POST['message'], FILTER_SANITIZE_STRING);

is enogth

Haim Evgi  2010-08-09 05:09:14
what particular filters do you mean, please? there are so much of them
Col. Shrapnel  2010-08-09 05:33:22
ok stupid question, I looked at the turorial but I'm still confused mostly on what methods of sanitation to use right now I have this: please let me know if that's a correct/good way to do it. `//get submitted data $name = filter_var($_POST['name'],FILTER_SANITIZE_SPECIAL_CHARS);$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);$message = filter_var(nl2br($_POST['message']),FILTER_SANITIZE_SPECIAL_CHARS);`is FILTER_SANITIZE_SPECIAL_CHARS enough or should I also/use instead FILTER_SANITIZE_MAGIC_QUOTES
BandonRandon  2010-08-09 05:38:52
A: 

The purpose of sanitizing the data with mysql_real_escape_string is to avoid SQL injection. If you're not using SQL, you're already immune.

Men don't get cervical cancer.

Use a sanitization function appropriate to the special characters you need to avoid. Ideally, don't strip something which won't cause harm.

Borealid  2010-08-09 05:10:45
mysql_real_escape_string alone do not help anything
Col. Shrapnel  2010-08-09 05:21:21
A: 

The whole concept is wrong. This function doesn't help not for email not even for database.

mysql_real_escape_string do not "sanitize" anything. It is merely escape delimiters and nothing else. Just to prevent syntax errors if you have a delimiter in your data:

SELECT * FROM table WHERE name = 'it's me' # error!

after data being escaped, your data become 'it\'s me' and there is no error.
Therefore, this function works only with SQL query and for data, enclosed in quotes only.

Thus, there is no sense in doing just mysql_real_escape_string without having quotes around. mysql_real_escape_string should be used
a) alone. stuff like trim or stripslashes has nothing to do here
b) right before query string composing and not elsewhere
c) only with data that going to be enclosed in quotes.
d) all other data need another ways of sanitization

As for the email, you don't need any sanitization it you send it as plain text. The only precaution you have to take is against mail injection
Not a big deal though. Just put user input into message body only. not into subject, to or from or any other header. Message body only. And you are safe

Col. Shrapnel  2010-08-09 05:16:53
What? Always use sanitation. Never trust user input. Such advice assumes that a) there's no way to inject a different header into the script (if you're not sanitizing the input, how do you know for sure?) and b) that all mail clients will do the right thing even with a text/plain header. I seriously doubt that.
Cfreak  2010-08-09 05:24:37
@Cfreak the only sensible point here is about some odd mail clients. Got one as example? But you "never trust user input" mindless prayer is indeed funny. Why not to get some experience before judge others?
Col. Shrapnel  2010-08-09 05:54:05

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases