3 Replies - 3933 Views - Last Post: 20 February 2011 - 01:58 AM

#1 itdoell (D.I.C Head)

Is this a good way to sanitize post values?

Posted 19 February 2011 - 05:47 PM

I downloaded a login script but I feel like it may be a little bit outdated, so I was wondering if this is a good way to sanitize post values or if there's a better way I should be doing it. I've already made a lot of heavy modifications to the script but I'm unsure about how I should be performing sanitation since my PHP skills are pretty lacking. Any help is appreciated, thank you.

	//Function to sanitize values received from the form. Prevents SQL injection
	function clean($str) {
		$str = @trim($str);
		if(get_magic_quotes_gpc()) {
			$str = stripslashes($str);
		}
		return mysql_real_escape_string($str);
	}
	
	//Sanitize the POST values
	$fname = clean($_POST['fname']);
	$lname = clean($_POST['lname']);
	$login = clean($_POST['login']);
	$password = clean($_POST['password']);
	$cpassword = clean($_POST['cpassword']);



Replies To: Is this a good way to sanitize post values?

#2 Valek (The Real Skynet)

Re: Is this a good way to sanitize post values?

Posted 19 February 2011 - 06:03 PM

Best way to do it is to use prepared statements, of course, because then all the hard stuff is done for you. All you have to do is build the query and bind the parameters, and watch it go.

It's worth noting, however, that magic quotes are deprecated in 5.3.x, so calling get_magic_quotes_gpc() will throw an error of level E_DEPRECATED, although by the nature of those errors, the script will run as normal anyway. 99% of the time, you shouldn't have to worry about magic quotes. Most of the time, the only ones still using them are incredibly old versions, or badly configured ones. And the bulk of the time you'll see stripslashes() used is in dealing with servers configured to have magic quotes turned on.

#3 carlosm7 (New D.I.C Head)

Re: Is this a good way to sanitize post values?

Posted 19 February 2011 - 07:35 PM

According to Wikipedia, to sanitize is:

Wikipedia said:

the removal of malicious data from user input, such as form submissions


so you are actually not cleaning/sanitizing anything; I think there is still the possibility of, say, a JavaScript attack. You are just escaping the string for inclusion in a MySQL database, so you can as well replace all calls to the function "clean" with calls to "mysql_real_escape_string" and be done with it (assuming you are either using PHP 5.3.x, or have a way to disable magic quotes on earlier PHP versions).

So, no, this is not a good way to sanitize post values; sanitizing requires much more code than that! (unless using a framework that implements such functionality, I guess.)

#4 Dormilich (痛覚残留)

Re: Is this a good way to sanitize post values?

Posted 20 February 2011 - 01:58 AM

carlosm7, on 20 February 2011 - 03:35 AM, said:

sanitizing requires much more code than that!

Not really. PHP’s filter functions are designed especially for that.
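Putting Valek's and Dormilich's replies together, here is an added example (not the original poster's script and not code from this thread) of the same registration form handled with PHP's filter functions for validation and a PDO prepared statement for storage. It assumes a hypothetical `users` table with columns fname, lname, login and password_hash, placeholder database credentials, and PHP 7 or later for password_hash() and the ?? operator.

```php
<?php
// Added example, not the original poster's script. Assumes a hypothetical `users`
// table (fname, lname, login, password_hash), placeholder DB credentials, PHP 7+.

// Validate: decide whether each value is acceptable instead of escaping it.
function validate_registration(array $post): array
{
    $errors = [];
    $data = filter_var_array($post, [
        'fname' => ['filter' => FILTER_CALLBACK, 'options' => 'trim'],
        'lname' => ['filter' => FILTER_CALLBACK, 'options' => 'trim'],
        'login' => ['filter' => FILTER_VALIDATE_REGEXP,
                    'options' => ['regexp' => '/^[A-Za-z0-9_]{3,32}$/']],
        'password'  => FILTER_UNSAFE_RAW, // hashed below, so never altered
        'cpassword' => FILTER_UNSAFE_RAW,
    ]);
    foreach (['fname', 'lname'] as $f) {
        if (!is_string($data[$f]) || $data[$f] === '' || strlen($data[$f]) > 64) {
            $errors[] = "$f is required (at most 64 characters)";
        }
    }
    if (!is_string($data['login'])) {   // false (rejected) or null (missing)
        $errors[] = 'login must be 3-32 letters, digits or underscores';
    }
    $pw = $data['password'] ?? '';
    if (!is_string($pw) || strlen($pw) < 8) {
        $errors[] = 'password must be at least 8 characters';
    } elseif ($pw !== ($data['cpassword'] ?? null)) {
        $errors[] = 'passwords do not match';
    }
    return ['data' => $data, 'errors' => $errors];
}

// Store: values travel as bound parameters, so the DB never parses them as SQL.
function register_user(PDO $pdo, array $d): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (fname, lname, login, password_hash) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$d['fname'], $d['lname'], $d['login'],
                    password_hash($d['password'], PASSWORD_DEFAULT)]);
}

$r = validate_registration($_POST);
if ($r['errors']) {
    foreach ($r['errors'] as $e) { echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>"; }
    exit;
}
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
register_user($pdo, $r['data']);
```

Note that escaping for output (htmlspecialchars on anything echoed back) is a separate step from validating input and from parameterising the query; carlosm7's JavaScript point is covered by the former, the SQL injection concern by the latter.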
