//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
    // @ silences the warning trim() raises when $str is not a string (e.g. an array)
    $str = @trim($str);
    // Undo magic_quotes_gpc escaping first so the value is not escaped twice
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    // Needs an open mysql_* connection; escapes for use inside a quoted SQL string literal
    return mysql_real_escape_string($str);
}
//Sanitize the POST values
$fname = clean($_POST['fname']);
$lname = clean($_POST['lname']);
$login = clean($_POST['login']);
$password = clean($_POST['password']);
$cpassword = clean($_POST['cpassword']);
Is this a good way to sanitize post values?
Page 1 of 1 | 3 Replies | 2971 Views | Last Post: 20 February 2011 - 01:58 AM
#1
Is this a good way to sanitize post values?
Posted 19 February 2011 - 05:47 PM
I downloaded a login script but I feel like it may be a little bit outdated, so I was wondering if this is a good way to sanitize POST values or if there's a better way I should be doing it. I've already made a lot of heavy modifications to the script, but I'm unsure about how I should be performing sanitization since my PHP skills are pretty lacking. Any help is appreciated, thank you.
Replies To: Is this a good way to sanitize post values?
#2
Re: Is this a good way to sanitize post values?
Posted 19 February 2011 - 06:03 PM
Best way to do it is to use prepared statements, of course, because then all the hard stuff is done for you. All you have to do is build the query and bind the parameters, and watch it go.
It's worth noting, however, that magic quotes are deprecated in 5.3.x, so calling get_magic_quotes_gpc() will throw an error of level E_DEPRECATED, although by the nature of those errors, the script will run as normal anyway. 99% of the time, you shouldn't have to worry about magic quotes. Most of the time, the only ones still using them are incredibly old versions, or badly configured ones. And the bulk of the time you'll see stripslashes() used is in dealing with servers configured to have magic quotes turned on.
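As an added example (not code from the thread or from the script the poster downloaded), here is the same registration form handled with PDO prepared statements, which is what reply #2 recommends. The DSN, the credentials, the `users` table and its columns are assumptions; storing a password hash instead of the password itself goes beyond what the thread discusses and is marked as such in the code.

```php
<?php
// Added example, not the script from the thread: the same registration fields
// handled with PDO prepared statements instead of an escaping wrapper.
// Assumptions: a MySQL table `users` (fname, lname, login, password_hash) and
// the connection constants below; replace them for a real deployment.

const DB_DSN  = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
const DB_USER = 'app';
const DB_PASS = 'change-me';

function db(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Native server-side prepares: SQL text and parameter values travel
        // separately, so a value can never be parsed as SQL.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Read a form field as a trimmed string, or null when it was not submitted
// as a plain string. Deliberately no escaping here: escaping belongs to the
// destination (SQL, HTML), not to the input.
function field(string $name): ?string
{
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        return null;
    }
    return trim($_POST[$name]);
}

$fname     = field('fname');
$lname     = field('lname');
$login     = field('login');
$password  = field('password');
$cpassword = field('cpassword');

if ($fname === null || $lname === null || $login === null || $password === null) {
    http_response_code(400);
    exit('Missing form fields');
}
if ($password !== $cpassword) {
    http_response_code(400);
    exit('Passwords do not match');
}

// The pattern the thread is worried about, shown for contrast only (do not run):
// $sql = "INSERT INTO users (fname, lname, login, password)
//         VALUES ('$fname', '$lname', '$login', '$password')";

// Prepared statement: the SQL text is a constant, user data is bound by name.
$stmt = db()->prepare(
    'INSERT INTO users (fname, lname, login, password_hash)
     VALUES (:fname, :lname, :login, :hash)'
);
$stmt->execute([
    ':fname' => $fname,
    ':lname' => $lname,
    ':login' => $login,
    // Assumption beyond the thread: store a hash, never the password itself.
    ':hash'  => password_hash($password, PASSWORD_DEFAULT),
]);
```

Two caveats worth adding to the reply above: mysql_real_escape_string() only protects a value that ends up inside a quoted string literal, so a query like `WHERE id = $id` stays injectable no matter how the value was escaped; and magic quotes were removed in PHP 5.4 and the whole mysql_* extension in PHP 7.0, so the clean() wrapper from the original script has no equivalent in current PHP. With a bound parameter the escaping question disappears, because the value is never part of the SQL text.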
#3
Re: Is this a good way to sanitize post values?
Posted 19 February 2011 - 07:35 PM
According to Wikipedia, to sanitize is:
Wikipedia said:
the removal of malicious data from user input, such as form submissions
so you are actually not cleaning/sanitizing anything, I think there is still the possibility of, say, a javascript attack. You are just escaping the string for inclusion in a MySQL database, so you can as well replace all calls to the function "clean" with calls to "mysql_real_escape_string" and be done with it (assuming you are either using PHP 5.3.x, or have a way to disable magic quotes on earlier PHP versions).
So, no, this is not a good way to sanitize post values, sanitizing requires much more code than that! (unless using a framework that implements such functionality, I guess.)
#4
Re: Is this a good way to sanitize post values?
Posted 20 February 2011 - 01:58 AM
carlosm7, on 20 February 2011 - 03:35 AM, said:
sanitizing requires much more code than that!
Not really. PHP's filter functions are designed especially for that.
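As an added example, not from either reply: the PHP filter extension applied to the same five form fields, as reply #4 suggests, together with HTML output encoding for the "javascript attack" that reply #3 raises. The per-field rules (name and login character classes, length limits) are assumptions chosen for illustration, and the two sample submissions are constructed.

```php
<?php
// Added example, not from the thread: accept-or-reject validation of the same
// form fields with PHP's filter extension, and HTML encoding at output time.
// The per-field rules below are illustrative assumptions, not a standard.

function validate_registration(array $post): array
{
    // Whitelist rules. A validating filter returns false for a non-matching
    // value, so bad input is rejected rather than silently rewritten.
    $name_rule = [
        'filter'  => FILTER_VALIDATE_REGEXP,
        'options' => ['regexp' => '/^[\p{L}][\p{L} \'.-]{0,49}$/u'],
    ];
    $rules = [
        'fname'    => $name_rule,
        'lname'    => $name_rule,
        'login'    => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            'options' => ['regexp' => '/^[a-z0-9_]{3,32}$/i'],
        ],
        // Passwords are not sanitized at all: any characters are allowed,
        // only the length is checked, and the value goes nowhere but a hash.
        'password' => [
            'filter'  => FILTER_CALLBACK,
            'options' => function ($v) {
                return (is_string($v) && strlen($v) >= 8 && strlen($v) <= 1024) ? $v : false;
            },
        ],
    ];

    // Third argument true: fields absent from $post come back as null.
    $values = filter_var_array($post, $rules, true);

    $errors = [];
    foreach (array_keys($rules) as $name) {
        if ($values[$name] === null) {
            $errors[$name] = 'missing';
        } elseif ($values[$name] === false) {
            $errors[$name] = 'invalid';
        }
    }
    if (!$errors && $values['password'] !== ($post['cpassword'] ?? null)) {
        $errors['cpassword'] = 'mismatch';
    }
    return ['values' => $errors ? [] : $values, 'errors' => $errors];
}

// Output encoding, applied where a value is written into HTML. Validation
// above does not make a value HTML-safe; this does, for that one context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submissions, standing in for $_POST.
$samples = [
    ['fname' => 'Ann', 'lname' => "O'Neil", 'login' => 'ann_42',
     'password' => 'correct horse', 'cpassword' => 'correct horse'],
    ['fname' => '<script>alert(1)</script>', 'lname' => 'x',
     'login' => "ann' OR 1=1 -- ", 'password' => 'p', 'cpassword' => 'q'],
];

foreach ($samples as $post) {
    $r = validate_registration($post);
    if ($r['errors']) {
        echo 'rejected: ' . json_encode($r['errors']) . "\n";
    } else {
        echo 'accepted: <b>' . h($r['values']['lname']) . "</b>\n";
    }
}
```

The first sample is accepted and the apostrophe in O'Neil survives validation untouched, which is the point: it is a legitimate character in a name, so it must not be stripped on input; it is encoded only when the value is written into HTML, and it would be passed as a bound parameter when written to the database. The second sample is rejected on fname, login and password before any of it reaches a query or a page, which is what "sanitizing" in the sense of reply #3 actually means, and it takes one rule table rather than "much more code".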