Sanitizer code - efficient?

Hi guys,

Can someone please tell me if this code I am using to sanitize submitted form data is efficient and/or outdated?

function cleaner($data)
{
    // Recurse into arrays so nested form fields are escaped as well
    if (is_array($data)) {
        $ret = array();
        foreach ($data as $key => $value) {
            $ret[$key] = cleaner($value);
        }
        return $ret;
    } else {
        if (!is_numeric($data)) {
            // Undo magic_quotes before escaping so values are not escaped twice
            // (get_magic_quotes_gpc() is deprecated in PHP 7.4 and removed in PHP 8)
            if (get_magic_quotes_gpc()) {
                $data = stripslashes($data);
            }
            // Needs an open mysql_connect() link; the mysql_* extension was removed in PHP 7
            $data = mysql_real_escape_string($data);
        }
        return $data;
    }
}

// escape the whole submission once, then pick the fields out of it
$clean = cleaner($_POST);   // assumed: the form is submitted via POST

// declare the variables and clean
$name = $clean['name'];
$email_address = $clean['from'];

Also is there another way of declaring / cleaning the submitted variables instead of having to type out each form field like above to clean it?

It would be great to be able to access the name variable ‘$name’ without having to type out that full declaration / cleaning code (considering my form might have 20 fields) :wink:

Any help would be greatly appreciated :slight_smile:

Hello,

I like to use the filter extension that comes with PHP and a prepared statement at the query level. Here’s a simple example of a few filters and sanitizers I’ve used. I’m sure there’s a more dynamic way to set these up, but this worked for my situation…

function readForm() {
    // filter_input() reads the superglobal itself: pass INPUT_POST and the field
    // name, not the value. A superglobal cannot be used as a parameter name, and
    // date() needs a quoted format string.
    $yearOptions = array("options" => array("min_range" => 1910, "max_range" => (int) date("Y")));
    $postData = array(
        'year'  => filter_input(INPUT_POST, 'year',  FILTER_VALIDATE_INT, $yearOptions),
        // FILTER_SANITIZE_STRING strips tags; note it is deprecated as of PHP 8.1
        'make'  => filter_input(INPUT_POST, 'make',  FILTER_SANITIZE_STRING),
        'model' => filter_input(INPUT_POST, 'model', FILTER_SANITIZE_STRING),
        'color' => filter_input(INPUT_POST, 'color', FILTER_SANITIZE_STRING),
        // the float sanitizer is FILTER_SANITIZE_NUMBER_FLOAT; the flag keeps the thousands separator
        'price' => filter_input(INPUT_POST, 'price', FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_THOUSAND)
    );
    return $postData;
}

function readQuery() {
    // Same filters, read from the query string instead of the POST body
    $yearOptions = array("options" => array("min_range" => 1910, "max_range" => (int) date("Y")));
    $getData = array(
        'year'  => filter_input(INPUT_GET, 'year',  FILTER_VALIDATE_INT, $yearOptions),
        'make'  => filter_input(INPUT_GET, 'make',  FILTER_SANITIZE_STRING),
        'model' => filter_input(INPUT_GET, 'model', FILTER_SANITIZE_STRING),
        'color' => filter_input(INPUT_GET, 'color', FILTER_SANITIZE_STRING),
        'price' => filter_input(INPUT_GET, 'price', FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_THOUSAND)
    );
    return $getData;
}

After using the functions above the variables are accessed like an element of any other array: $getData['make'] or $postData['make'].
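The same idea applied to a whole form at once, which also answers the question about not typing out 20 fields: an added example, not code from either post above. It uses filter_var_array() over a constructed array standing in for $_POST so it runs from the command line; on a live request filter_input_array(INPUT_POST, $definition) takes the identical definition and reads $_POST itself. The field names (name, from, year, price) follow the thread; the specific filters chosen for each field, the range for year and the sample values are assumptions made for the example.

```php
<?php
// Added example: one filter definition for the whole form instead of a
// filter_input() call per field. Fields that are not in the definition are
// dropped from the result, so unexpected form fields never reach the code.

// Constructed sample submission standing in for $_POST. 'year' is below the
// allowed range and 'from' is not an address, so both should be reported.
$submitted = array(
    'name'  => "  O'Brien <b>bold</b> ",
    'from'  => 'not-an-email',
    'year'  => '1899',
    'price' => '12,345.50',
    'extra' => 'not part of the form',   // silently discarded
);

// One entry per field: adding a field to the form means adding one line here.
$definition = array(
    // Keep free text as typed, only trim it; escaping belongs at the query
    // (prepared statement) or output (htmlspecialchars) layer, not here.
    'name'  => array('filter' => FILTER_CALLBACK, 'options' => 'trim'),
    'from'  => FILTER_VALIDATE_EMAIL,
    'year'  => array(
        'filter'  => FILTER_VALIDATE_INT,
        'options' => array('min_range' => 1910, 'max_range' => (int) date('Y')),
    ),
    'price' => array(
        // Keeps digits and the decimal point, drops the thousands separator
        'filter' => FILTER_SANITIZE_NUMBER_FLOAT,
        'flags'  => FILTER_FLAG_ALLOW_FRACTION,
    ),
);

/**
 * Validate one submission against a definition.
 * Returns array('data' => filtered values, 'errors' => field => reason).
 * filter_var_array() yields false for a value that failed validation and
 * null for a field that was not submitted at all, so both cases are reported
 * separately instead of being confused with an empty string.
 */
function readForm(array $input, array $definition)
{
    $filtered = filter_var_array($input, $definition);
    $errors   = array();
    foreach ($definition as $field => $rule) {
        if (!array_key_exists($field, $filtered) || $filtered[$field] === null) {
            $errors[$field] = 'missing';
        } elseif ($filtered[$field] === false) {
            $errors[$field] = 'invalid';
        }
    }
    return array('data' => $filtered, 'errors' => $errors);
}

$result = readForm($submitted, $definition);
if ($result['errors']) {
    // Reject the whole submission rather than quietly working with partial data
    print_r($result['errors']);
} else {
    print_r($result['data']);
}
```

With the sample above, name comes back trimmed but otherwise untouched, price becomes a plain decimal string, and from and year are reported as invalid; the extra field does not appear in the result at all. Checking for `false` and `null` explicitly matters because a valid zero or empty string would also be "falsy" in a loose test.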

You’re more or less escaping rather than “cleaning.” I would recommend doing the escaping while performing the query because it offers a number of advantages. For one, you don’t have to type all the fields out manually beforehand, second, you can’t accidentally pass the non-escaped version (if you do it right), and third, fewer variables to keep around in your head.

Of course, doing it right is key. The idea is to make it difficult to make an error. You have two main options off the top of my head: Use “prepared statements”:

// e.g. with PDO: the SQL text and the value travel to the server separately
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
$stmt->execute(array($username));

…or create a function that takes format specifiers and automatically escapes:

queryf("SELECT * FROM users WHERE username = %s", $username);

PDO does prepared statements, but mysqli (http://php.net/mysqli) does too (if you are using MySQL).

Here’s a function I wrote a while ago to do that formatting query:
http://php.net/manual/en/function.mysql-query.php#81188
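A small queryf() of the kind described above, written here as an added example rather than the linked function or any code from the thread: instead of escaping strings into the SQL, it rewrites the format specifiers into placeholders and binds every argument through a PDO prepared statement, so there is no unescaped code path to take by mistake. It uses an in-memory SQLite database with a constructed users table so it runs without a server; the DSN, table, column names and the supported specifiers (%s, %d, %%) are choices made for this example.

```php
<?php
// Added example: format-specifier query helper built on PDO prepared statements.
// An argument can only ever become a bound parameter, never part of the SQL text.

function connect()
{
    // Constructed in-memory database; replace the DSN for MySQL etc.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, age INTEGER)');
    $pdo->exec("INSERT INTO users (username, age) VALUES ('alice', 30), ('o''brien', 41)");
    return $pdo;
}

/**
 * queryf($pdo, "SELECT ... WHERE username = %s AND age > %d", $name, $age)
 *
 * %s binds the argument as a string, %d casts it to int and binds it as an
 * integer, %% is a literal percent sign. Any other specifier, a missing
 * argument or a surplus argument throws, so a typo in the format cannot
 * silently leave a value unbound.
 */
function queryf(PDO $pdo, $format, ...$args)
{
    $params = array();
    $sql = preg_replace_callback('/%(.)/', function ($m) use (&$args, &$params) {
        switch ($m[1]) {
            case '%':
                return '%';
            case 's':
            case 'd':
                if (!$args) {
                    throw new InvalidArgumentException("missing argument for %{$m[1]}");
                }
                $value    = array_shift($args);
                $params[] = ($m[1] === 'd')
                    ? array((int) $value, PDO::PARAM_INT)
                    : array((string) $value, PDO::PARAM_STR);
                return '?';   // the value goes to the driver, not into the SQL
            default:
                throw new InvalidArgumentException("unknown specifier %{$m[1]}");
        }
    }, $format);

    if ($args) {
        throw new InvalidArgumentException('too many arguments for format');
    }

    $stmt = $pdo->prepare($sql);
    foreach ($params as $i => $p) {
        $stmt->bindValue($i + 1, $p[0], $p[1]);   // positional placeholders are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();

// A name containing a quote and a string containing SQL keywords are both
// bound as plain data: the first matches its own row, the second matches nothing.
foreach (array("o'brien", "nobody' OR 1=1 --") as $name) {
    $rows = queryf($pdo, 'SELECT username, age FROM users WHERE username = %s AND age > %d', $name, 18);
    printf("%-20s -> %d row(s)\n", $name, count($rows));
}
```

The helper deliberately refuses anything it does not understand rather than passing it through, which is the "make it difficult to make an error" property the reply asks for: the only way to get a value into the query is through a specifier, and every specifier binds.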