cleaning $_POST variables [duplicate]

I'm trying to come up with a way to effectively and easily clean all POST and GET variables with a single function. Here's the function itself:

//clean the user's input
function cleanInput($value, $link = '')
{
    //if the variable is an array, recurse into it
    if(is_array($value))
    {
        //for each element in the array...
        foreach($value as $key => $val)
        {
            //...clean the content of each variable in the array
            $value[$key] = cleanInput($val);
        }

        //return clean array
        return $value;
    }
    else
    {
        return mysql_real_escape_string(strip_tags(trim($value)), $link);
    }
}

And here's the code that would call it:

//This stops SQL Injection in POST vars
foreach ($_POST as $key => $value)
{
    $_POST[$key] = cleanInput($value, $link);
}

//This stops SQL Injection in GET vars
foreach ($_GET as $key => $value)
{
    $_GET[$key] = cleanInput($value, $link);
}

To me this seems like it should work. But for some reason it won't return arrays from some checkboxes I have in a form. They keep coming out blank.

I've tested my code without the above function and it works fine, I just want that added bit of security in there.

Thanks!

asked Oct 22 '09 23:10 by tscully


3 Answers

To make the recursion more elegant you could use something like array_map, for example:

$_POST = array_map('mysql_real_escape_string',$_POST);

Use filter_var if you can though, as these kinds of approaches are generally bad; this is just an example though ;)

answered Oct 22 '22 03:10 by robjmills


Use filter_input if possible (PHP 5+). It keeps it a lot cleaner and, as far as I'm aware, you can sanitise and validate everything you could need using it.

You can use filter_var_array and, for example, the FILTER_SANITIZE_STRING flag to filter the whole POST array:

filter_var_array($_POST, FILTER_SANITIZE_STRING) //just an example filter

There are loads of different filter options available on the w3schools filter reference.

answered Oct 22 '22 03:10 by Andrew
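Added example (editor's code, not from the question or from either of the two answers above) showing what the array_map suggestion and the filter_var_array suggestion do with the checkbox case from the question. A checkbox group such as interests[] arrives in $_POST as a nested array; array_map('mysql_real_escape_string', $_POST) hands that whole array to the escaper as its first argument, which is not a string, so the element fails. The question's own recursion keeps the arrays but drops $link in the recursive call cleanInput($val), so nested values are escaped against the empty-string default, which is the likely reason the checkbox arrays come back empty. filter_var_array handles nested values through FILTER_REQUIRE_ARRAY and, more importantly, lets you validate each field against its expected type instead of running one blanket sanitizer (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1). The field names, the definition and the $post array below are constructed for this example and stand in for $_POST; with live input you would call filter_input_array(INPUT_POST, $definition) instead.

```php
<?php
// Added example: validate a form submission field by field with
// filter_var_array(). Not code from the question or the answers.

// Constructed sample submission standing in for $_POST. 'interests' is a
// checkbox group and therefore a nested array; its last value is not an int.
$post = [
    'username'  => 'alice_01',
    'age'       => '34',
    'email'     => 'alice@example.com',
    'interests' => ['3', '7', 'seven'],
    'ignored'   => 'keys not in the definition are dropped',
];

// One entry per expected field. Keys missing from the input come back as
// null, values that fail validation come back as false, and keys absent
// from the definition are discarded.
$definition = [
    'username' => [
        'filter'  => FILTER_VALIDATE_REGEXP,
        'options' => ['regexp' => '/^[A-Za-z0-9_]{3,32}$/'],
    ],
    'age' => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 0, 'max_range' => 150],
    ],
    'email' => FILTER_VALIDATE_EMAIL,
    'interests' => [
        'filter' => FILTER_VALIDATE_INT,
        'flags'  => FILTER_REQUIRE_ARRAY,   // validate every element of the nested array
    ],
];

/**
 * Validate a submission against a definition. Returns the typed fields plus a
 * list of problems; an invalid submission is rejected, not "cleaned".
 */
function validateForm(array $input, array $definition): array
{
    $fields = filter_var_array($input, $definition);
    $errors = [];

    foreach ($fields as $name => $value) {
        if ($value === null) {
            $errors[] = "$name: missing";
        } elseif ($value === false) {
            $errors[] = "$name: invalid";
        } elseif (is_array($value) && in_array(false, $value, true)) {
            // FILTER_REQUIRE_ARRAY validates each element on its own, so a
            // bad checkbox value shows up as false inside the array.
            $errors[] = "$name: contains an invalid element";
        }
    }

    return ['ok' => $errors === [], 'fields' => $fields, 'errors' => $errors];
}

$outcome = validateForm($post, $definition);
var_export($outcome);
```

Run as-is, the scalar fields validate and come back typed (age as an int), the unknown key is dropped, and the non-numeric checkbox value makes the interests array contain a false, so the submission as a whole is rejected. That is the behaviour you want at the input boundary: decide whether the data is acceptable, and leave escaping to the place where the data is used.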


What you're doing isn't enough. See here.

answered Oct 22 '22 01:10 by ryeguy
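Added example (editor's code, not from the question or any answer, and the link in the answer above is not reproduced here) of why escaping every input up front is not a SQL injection defence and what to use instead. mysql_real_escape_string only touches quote and backslash characters, so an attacker value for a numeric field such as 2 OR 1=1 passes through it unchanged and still rewrites the query. The block builds an in-memory SQLite database through PDO so it runs offline; it assumes the pdo_sqlite extension is available, the users table and its rows are constructed for the example, and legacyEscape() is a stand-in for the quote-escaping that mysql_real_escape_string did (the ext/mysql functions were removed in PHP 7). The fix shown is the standard one: validate the type at the boundary, bind the value as a query parameter, and encode for HTML only at output time instead of strip_tags at input time.

```php
<?php
// Added example: escape-and-interpolate versus validate-and-bind against an
// in-memory SQLite database. Not code from the question or the answers.

// Stand-in for the quote/backslash escaping mysql_real_escape_string() did.
// Its limitation is the point: a payload with no quotes is left untouched.
function legacyEscape(string $s): string
{
    return str_replace(['\\', "'", '"'], ['\\\\', "\\'", '\\"'], $s);
}

// Constructed fixture: three users, one of them an admin.
function newDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL)');
    $db->exec("INSERT INTO users (id, name, is_admin) VALUES (1, 'alice', 1), (2, 'bob', 0), (3, 'carol', 0)");
    return $db;
}

// BEFORE: the escaper sees no quote in "2 OR 1=1", so the string lands in the
// query unchanged and the WHERE clause is true for every row.
function findUserByEscaping(PDO $db, string $rawId): array
{
    $sql = 'SELECT id, name FROM users WHERE id = ' . legacyEscape($rawId);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: reject anything that is not a positive integer, then bind the value.
// The SQL text is fixed at prepare time; the bound value can never become SQL.
function findUserByBinding(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Encoding belongs at the output boundary and is context specific: parameters
// for SQL above, HTML entity encoding here. Stripping tags from $_POST does
// neither job reliably and also damages legitimate input.
function renderName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = newDb();
$payload = '2 OR 1=1';   // constructed attacker input for a numeric field

printf("escaped + interpolated: %d row(s) returned\n", count(findUserByEscaping($db, $payload)));
printf("validated + bound:      %s\n", findUserByBinding($db, $payload) === null ? 'rejected' : 'one row');
printf("legitimate id 2:        %s\n", renderName(findUserByBinding($db, '2')['name'] ?? 'none'));
```

The first line shows the escaped-and-interpolated query handing back the whole table, including the admin row, for a value the escaper considered clean; the second shows the same value rejected before it reaches the database; the third shows a normal lookup still working. The same rule generalises to every context the data flows into: keep input validation and output encoding separate, and never rely on a single global scrub of $_POST and $_GET.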