I have a form with a lot of variables which then sends an email. Rather than sanitizing each $_POST value with filter_var($_POST['var'], FILTER_SANITIZE_STRING); I was after a simpler piece of code. I came up with the below, which seems to work, as I believe the default action is FILTER_SANITIZE_STRING, but I was just wondering what people's opinions are, and if this is not good practice, perhaps you could tell me why? The $_POST values are then individually embedded into new variables, so I would only be using array_map just at the start to sanitize everything...

$_POST = array_map('filter_var', $_POST);

Thank you for your replies. To give you a little more information, basically:

I have 20-30 input fields in a form which are being captured; the data is then displayed to the user to check their input, the variables are then sanitized, the user is then sent an email, and finally the details are entered into a db.

Currently I am sanitizing using the above array_map function, as well as FILTER_SANITIZE_EMAIL on the email address before sending an email, and then escaping the input using mysql_real_escape_string() before the insert into the db. Without getting into prepared statements etc., do you think I should be doing anything additionally? Thanks again!

+2  A: 

Depends what it's being used for.

If you are inserting it into the database then mysql_real_escape_string() for quoted strings and type casting for numbers would be the way to go - well, ideally prepared statements, but that's an entirely different matter.

If you plan on outputting the data onto the webpage then I would recommend something like htmlspecialchars().

If you plan on using the user input as a shell argument, then you would use escapeshellarg().

Moving onto your question about sending emails. Well, the following should suffice:

filter_var($_POST['message'], FILTER_SANITIZE_STRING);

All this does is basically strip tags and encode special characters.

Russell Dias
Good answer. I'll just add that if you're going to allow user-input to your webpage, consider using strip_tags() to prevent people from throwing in <script>.
Andrioid
Care to explain the downvote?
Russell Dias
A: 

There is no magic bullet, unfortunately. It's impossible to adapt sanitation on a value without knowing what kind of value it is.

  • Against SQL injection you might want to make sure no escape tags make it towards your database. This can be achieved with mysql_real_escape_string() for quoted strings and type casting for numbers or using prepared statements (ODB or MySQLi).
  • People injecting tags (javascript, html) into your page might also be something to avoid. strip_tags() can help with that.
  • Then it boils down to what kind of field you're expecting. Regular Expressions are generally the way to make sure you're getting what you expected.

If you're searching for the easiest way, you could stick with filter_var() or write your own method that knows your basic types.

Andrioid
+1  A: 

There is no correct way to do blanket sanitation. What sanitation method you need depends on what is done to the data.

Sanitize the data directly before it is used.

Pekka
Thanks, I realise this. I am just trying to achieve this without writing lots of repetitive code...
SirG
@SirG: by all means validate input, but you should only ever apply sanitization transformations to data when it **leaves** PHP - and the method should be appropriate to where the data is going (mysql_real_escape_string(), htmlentities(), urlencode(), base64_encode(), escapeshellarg(), addslashes()... etc. all do **different** things)
symcbean
@symcbean, thanks for the answer. So would filter_var be suitable to apply just before sending an email via PHP's mail() function? Cheers.
SirG
Maybe - you can validate an email address with filter_var, but you can't validate the body of an email, the subject or additional headers. The MTA should take care of the former, but the latter two are both targets for header injection, which can compromise your application.
symcbean
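Pulling the threads of the answers together (validate on input, escape per destination, refuse CR/LF in anything that becomes a mail header), as an added PHP example that is not code from the question or any of the answers; the $post array is constructed sample data standing in for $_POST, and $pdo is an assumed existing PDO connection:

```php
<?php
// Added example: validate on the way in, escape on the way out, per destination.
// Constructed sample request data, not a real $_POST.
$post = [
    'name'    => "O'Brien <b>",
    'email'   => "user@example.com",
    'subject' => "Order query\r\nBcc: someone-else@example.com", // constructed CRLF attempt
    'message' => "Hello,\n<script>alert(1)</script>",
];

// Validation: reject values that are not what the field expects.
// FILTER_VALIDATE_EMAIL returns the address on success or false.
function validateEmail(string $v): ?string {
    $ok = filter_var($v, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

// A CR or LF in any value placed in a mail header (To, Subject, From, ...)
// lets the sender append extra headers; refuse such values rather than "clean" them.
function validateHeaderField(string $v): ?string {
    return preg_match('/[\r\n]/', $v) === 1 ? null : $v;
}

// Escaping for the confirmation page is chosen by destination (HTML here),
// not applied once up front to every $_POST value.
function forHtml(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$email   = validateEmail($post['email']);
$subject = validateHeaderField($post['subject']);
if ($email === null || $subject === null) {
    // Fail closed: the constructed subject above trips this branch.
    echo "Rejected: email or subject is not acceptable for a mail header\n";
} else {
    // Only the header arguments were checked; the body can carry anything.
    mail($email, $subject, $post['message']);
}

// Confirmation page: HTML-escape at output time, leaving the stored value untouched.
echo '<p>Name: ' . forHtml($post['name']) . '</p>';

// Database: a prepared statement, so the value itself needs no escaping.
// $pdo is assumed to be an existing PDO connection (not created here).
// $stmt = $pdo->prepare('INSERT INTO enquiries (name, email, message) VALUES (?, ?, ?)');
// $stmt->execute([$post['name'], $email, $post['message']]);
```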