I'm trying to come up with a way to effectively and easily clean all POST and GET variables with a single function. Here's the function itself:
//clean the user's input
function cleanInput($value, $link = '')
{
    //if the variable is an array, recurse into it
    if (is_array($value))
    {
        //for each element in the array...
        foreach ($value as $key => $val)
        {
            //...clean the content of each variable in the array, passing
            //$link through: without it the recursive call escaped against
            //an empty-string "link", mysql_real_escape_string() failed, and
            //every array value (e.g. a checkbox group) came back blank
            $value[$key] = cleanInput($val, $link);
        }
        //return clean array
        return $value;
    }
    else
    {
        $clean = strip_tags(trim($value));
        //only pass the link when one was supplied; '' is not a valid
        //connection resource
        return $link ? mysql_real_escape_string($clean, $link)
                     : mysql_real_escape_string($clean);
    }
}
And here's the code that would call it:
//This stops SQL Injection in POST vars
foreach ($_POST as $key => $value)
{
    $_POST[$key] = cleanInput($value, $link);
}
//This stops SQL Injection in GET vars
foreach ($_GET as $key => $value)
{
    $_GET[$key] = cleanInput($value, $link);
}
To me this seems like it should work. But for some reason it won't return arrays from some checkboxes I have in a form. They keep coming out blank.
I've tested my code without the above function and it works fine, I just want that added bit of security in there.
Thanks!
To make the recursion more elegant you could use something like array_map, for example:
    //array_map applies the callback to each top-level value only
    $_POST = array_map('mysql_real_escape_string', $_POST);
Use filter_var if you can though, as these kinds of approaches are generally bad; just an example though ;)
Use filter_input if possible (PHP 5+). It keeps it a lot cleaner and as far as I'm aware you can sanitise and validate everything you could need using it.
You can use filter_var_array and, for example, the FILTER_SANITIZE_STRING flag to filter the whole POST array:
    //just an example filter (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1)
    filter_var_array($_POST, FILTER_SANITIZE_STRING);
There are loads of different filter options available on the w3schools filter reference.
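Putting the filter_var_array suggestion above together with the checkbox-array problem from the question, here is an added example that is none of the posters' code: per-field rules validate the request array while keeping the checkbox group intact, and a prepared statement then takes the values so the database layer needs no escaping function at all. `$conn` (an open mysqli connection), the table names and the request array are assumptions made for the example.

```php
<?php
// Added example (not the question's or answers' code). Assumes $conn is
// an open mysqli connection; the request array below is constructed.
// One rule per expected field; keys absent from $rules are dropped, which
// is stricter than sanitising everything with a single flag.
$rules = [
    'username'  => ['filter'  => FILTER_VALIDATE_REGEXP,
                    'options' => ['regexp' => '/^[a-z0-9_]{3,20}$/i']],
    // checkbox group: FILTER_REQUIRE_ARRAY makes the filter recurse, so
    // the array survives instead of coming back blank
    'interests' => ['filter' => FILTER_VALIDATE_INT,
                    'flags'  => FILTER_REQUIRE_ARRAY],
];

function validateRequest(array $input, array $rules)
{
    // add_empty=true: an expected key missing from $input comes back as null
    $result = filter_var_array($input, $rules, true);
    $errors = [];
    foreach ($result as $key => $val) {
        $bad = is_array($val) ? in_array(false, $val, true)
                              : ($val === false || $val === null);
        if ($bad) {
            $errors[] = $key;
        }
    }
    return [$result, $errors];
}
$sample = [                          // constructed, shaped like the form
    'username'  => 'alice_01',
    'interests' => ['3', '7'],
    'extra'     => "' OR 1=1 --",    // not in $rules, never reaches SQL
];
list($clean, $errors) = validateRequest($sample, $rules);
if ($errors) {
    http_response_code(400);
    exit('Invalid fields: ' . implode(', ', $errors));
}
// Parameterised queries keep values out of the SQL text, so no escaping
// function is needed; this is the protection escaping alone does not give.
$stmt = $conn->prepare('INSERT INTO users (username) VALUES (?)');
$stmt->bind_param('s', $clean['username']);
$stmt->execute();
$userId = $conn->insert_id;
$ins = $conn->prepare('INSERT INTO user_interests (user_id, interest_id) VALUES (?, ?)');
$ins->bind_param('ii', $userId, $interestId);   // bound by reference
foreach ($clean['interests'] as $interestId) {
    $ins->execute();                             // one row per checked box
}
```

With this shape the request values are validated once, by type, and never concatenated into SQL, which is the gap the global escaping loop in the question leaves open.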
What you're doing isn't enough. See here.