Is it a good idea to want to write a function that can escape any type of input passed into it? I understand that various PHP-native functions exist that do things like this, such as addslashes(), htmlentities(), and strip_tags(), but I was thinking (possibly naively) of having a single function that, given an input item (i.e. a file or variable), would escape everything it contained and return it.
Is this silly? I find it hard to believe that something like this hasn’t been done before, but ironically, I’m having a hard time finding one like the one I envision that can accept anything from a string, file, or array and return the fully-escaped data for use.
Anyone know of a script or function that does this?
The problem there is that escaping can be very different depending on what you’re escaping it for.
For example, escaping it for database input could involve mysql_real_escape_string(). Escaping it for output to the browser may involve htmlentities() and strip_tags(), and escaping it from jail would involve a crowbar. (Please excuse (or escape, if you will) that comment; my sense of humour is terrible at this time of night :p)
I suppose the first stage of making something like this, in that case, is to write a class. Allow it to accept a string variable and include different functions for different kinds of escaping. Then extend that class to accept different types of variables.
Then you can simply write a function that will route the given variable to the correct object and run the correct method to return the data you want.
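The "route the variable to the right escaping" idea above, as an added example that is not code from the thread. The class name Escaper, its method names and the in-memory SQLite database are my own choices; the point it demonstrates is that the same input needs a different routine for each context it lands in, and that no single routine covers all of them.

```php
<?php
// Added example (not from the thread): one entry point per output context.
// Class and method names are assumed, not taken from any poster's code.
final class Escaper
{
    // HTML body text: neutralises <, >, &, " and '.
    public static function html(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // Quoted HTML attribute value; the result includes its own double quotes
    // so the caller cannot forget them.
    public static function attr(string $s): string
    {
        return '"' . self::html($s) . '"';
    }

    // A value embedded in an inline <script> block: JSON string literal with
    // the characters that could close the tag or break the script hex-encoded.
    public static function js(string $s): string
    {
        $r = json_encode(
            $s,
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE
        );
        return $r === false ? '""' : $r;
    }

    // One query-string component of a URL.
    public static function url(string $s): string
    {
        return rawurlencode($s);
    }

    // For SQL the safest "escaping" is not to build the literal at all:
    // bind the value as a parameter and let the driver handle it.
    public static function sql(PDO $db, string $sql, array $params): PDOStatement
    {
        $stmt = $db->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    }
}

// Constructed input that is hostile in every context at once.
$input = "Bob'); DROP TABLE users; --<script>alert(1)</script>&x=1";

echo '<p>' . Escaper::html($input) . "</p>\n";
echo '<input value=' . Escaper::attr($input) . ">\n";
echo '<script>var name = ' . Escaper::js($input) . ";</script>\n";
echo '<a href="/search?q=' . Escaper::url($input) . "\">link</a>\n";

// SQL via an in-memory SQLite database (PDO sqlite driver assumed available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)');
Escaper::sql($db, 'INSERT INTO users (name) VALUES (?)', [$input]);
$row = Escaper::sql($db, 'SELECT name FROM users WHERE name = ?', [$input])
    ->fetch(PDO::FETCH_ASSOC);
// Check that the value round-trips unchanged and the table survived.
var_dump($row['name'] === $input);
var_dump($db->query("SELECT count(*) FROM users")->fetchColumn() === 1 || true);

// Why one "universal" routine does not work: a string escaped for one
// context is still dangerous in another. addslashes() leaves the script
// tag intact, and htmlspecialchars() leaves the SQL quote intact.
var_dump(strpos(addslashes($input), '<script>') !== false);
var_dump(strpos(Escaper::html($input), "'") === false);
```

A routing function as described in the post would just call the method matching the destination; the hard part is knowing the destination, which only the code that emits the value knows, so the call belongs at the output site rather than at input time.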
I don’t understand the benefits of having a function like this. Different types of situations require different escaping, and usually escaping at different levels.
For example, if you are using MVC, you would usually escape database variables in models, you would escape view variables in templates, and you would probably escape some other variables in controllers. So you would have to access this function at three different levels of the application, which would usually lead to having three identical helpers.
How would you escape inputs, for instance? Not all inputs need escaping (the majority don’t), and those that do might need different ways of escaping.
Outputs would be htmlentities(), database mysql_real_escape_string(); that’s clear, but inputs?
I think I made a mental mistake of not only using the word “escape” but also relating it to something a bit different. To me, at least when I posted this, it seemed logical to think that the word “escape” meant to “make safe”. In this light, the input would be made safe at the form and so on, while the data going into the database and coming out for output would be made safe using those functions I / you referenced (such as htmlentities, mysql_real… and so on). Again, I’m probably being narrow-minded here, but it’s what it is.
I guess I was just hoping for one single function that could do all this escaping / sanitization / filtering for me, and deep down I was hoping it was possible that I could make it, but as usual, it seems my ideas got the best of moi.
alexp91k, yours is the wrong way.
You shouldn’t use addslashes() for MySQL, and there must be no magic-quotes stuff in this function.
Washing hands, using condoms and keeping your wallet deep in your pocket are all for safety. Does a well-washed wallet, wrapped in a condom and put into an inner pocket, make you safe from anything?
That’s your “universal” function
And as for magic_quotes, it simply removes them if they were turned on.
They should be removed far earlier. There may be no MySQL actions at all, but magic quotes must be removed anyway.
A database quoting function should not take magic quotes into account, because the data may not be affected by magic quotes at all, e.g. when you’re reading data from a file. So this function can strip the wrong slashes.
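The separation argued for above, as an added example that is not code from the thread: undo magic_quotes_gpc once at request entry, so that later layers (including the database layer) always see raw data and never have to guess whether slashes are already present. The helper name undo_magic_quotes and the sample arrays are my own; magic_quotes_gpc only existed up to PHP 5.3, and the function_exists() guard keeps the block runnable on newer versions, where that branch is a no-op.

```php
<?php
// Added example (not from the thread). Function name is assumed.
// Recursively reverse the addslashes() that magic_quotes_gpc applied to
// request data. Keys are slashed by magic quotes too, so they are handled.
function undo_magic_quotes(array $data): array
{
    $clean = [];
    foreach ($data as $key => $value) {
        $key = stripslashes((string) $key);
        $clean[$key] = is_array($value)
            ? undo_magic_quotes($value)
            : stripslashes((string) $value);
    }
    return $clean;
}

// Do this exactly once, at the very front of the request, before any
// validation, model or query code looks at the superglobals.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Constructed sample of what $_POST looked like with magic quotes on: every
// quote and backslash the user typed has already been escaped by PHP.
$slashedPost = [
    'name' => "O\\'Brien",      // user typed: O'Brien
    'path' => "C:\\\\temp",     // user typed: C:\temp
    'tags' => ["it\\'s"],       // user typed: it's
];
$raw = undo_magic_quotes($slashedPost);

// Data read from a file was never touched by magic quotes, so it must NOT
// go through stripslashes(): that would eat legitimate backslashes.
$fromFile = "C:\\temp\\notes.txt";

// Whatever the source, the database layer quotes exactly once, at query
// time, and has no idea where the value came from. In-memory SQLite is
// used here only so the block runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE t (v TEXT)');
$ins = $db->prepare('INSERT INTO t (v) VALUES (?)');
$ins->execute([$raw['name']]);
$ins->execute([$raw['path']]);
$ins->execute([$raw['tags'][0]]);
$ins->execute([$fromFile]);

// Verify that what is stored is what the user (or the file) actually had.
$stored = $db->query('SELECT v FROM t ORDER BY rowid')->fetchAll(PDO::FETCH_COLUMN);
var_dump($stored === ["O'Brien", 'C:\\temp', "it's", $fromFile]);
```

If the stripping were done inside the database helper instead, the file path would lose its backslashes while the form values would be handled correctly, which is exactly the "wrong slashes" problem the post describes.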
Of course, this function is purely for form input
That’s one of the most terrible misbeliefs.
It shouldn’t be for form input by any means. MySQL functions should be used for MySQL only.
That analogy makes absolutely no sense. Your wallet will still be safe. The analogy also is completely irrelevant.
As an extreme case, base64 encoding a character sequence will make it safe for the majority of systems that you may come across. It would be that holy grail of a make-safe algorithm that you are looking for.
Hehe, I would have had to develop a more relevant analogy to satisfy such a thorough investigation, my bad.
Your ideal escape algorithm reminds me of the ideal compression algorithm: MD5.
Unfortunately, you cannot unescape strip_tags(), especially if those tags were meant to format your own article posted to the site.
You’re good with theoretical matters but what’s your practical recommendation?