Comments on: Securing User Input in PHP http://query7.com/securing-user-input-in-php/ Just another WordPress weblog Sat, 22 Nov 2008 07:22:03 +0000 http://wordpress.org/?v=2.6.3 By: Panzer http://query7.com/securing-user-input-in-php/#comment-217 Panzer Mon, 21 Apr 2008 19:30:32 +0000 http://www.query7.com/?p=19#comment-217 Thats a good point, about not being able to use mysql_real_escape if you don't use MySQL in the first place. Thats a good point, about not being able to use mysql_real_escape if you don’t use MySQL in the first place.

]]> By: Web Development Blog http://query7.com/securing-user-input-in-php/#comment-216 Web Development Blog Mon, 21 Apr 2008 19:09:29 +0000 http://www.query7.com/?p=19#comment-216 Its an alright function, but you can't alway use mysql_real_escape_string, when it comes down to input security. Some sites might not use sql. Also, you might need to check if magic quotes is on before stripping slashes :). Heres something I've writing in the past. function input_sanatize($data,$trim=true,$type=1) { if( is_array($data) ) { for($x=0;$x<sizeof($data);$x++) { $data[$x] = input_sanatize($data[$x],$trim,$type); } return $data; } else { $data = get_magic_quotes_gpc() ? stripslashes($data) : $data; $data = $trim === true ? trim($data) : $data; switch( $type ) { case 1: $data = mysql_real_escape_string($data); break; case 2: default: $data = htmlentities($data, ENT_QUOTES,'UTF-8'); break; } } return $data; } Regards, -Lamonte Its an alright function, but you can’t alway use mysql_real_escape_string, when it comes down to input security. Some sites might not use sql. Also, you might need to check if magic quotes is on before stripping slashes :).

Heres something I’ve writing in the past.

function input_sanatize($data,$trim=true,$type=1)
{
if( is_array($data) )
{
for($x=0;$x<sizeof($data);$x++)
{
$data[$x] = input_sanatize($data[$x],$trim,$type);
}
return $data;
}
else
{
$data = get_magic_quotes_gpc() ? stripslashes($data) : $data;
$data = $trim === true ? trim($data) : $data;
switch( $type )
{
case 1:
$data = mysql_real_escape_string($data);
break;
case 2:
default:
$data = htmlentities($data, ENT_QUOTES,’UTF-8′);
break;
}
}
return $data;
}

Regards,
-Lamonte

]]>