Clean user posted data

CrackFeed.Com · 03-28-2010, 06:15 AM

Ok this is a common function for cleaning user posted data. I have seen many people's code here, and data cleaning seems to not be getting done.

For data being inserted into sql, call this after a mysql connection is opened:

PHP Code:

  if (!function_exists('clean')) {
    function clean($value) {
        // I clean the string up when my function is called.
        $search = array('javascript:',  
                        'document.location', 
                        'vbscript:', 
                        '?php'); 
        $value = str_replace($search, '_', $value); 
        $value = mysql_real_escape_string(strip_tags(trim($value)));
        return $value;
    }
}
if (!function_exists('vdata')) {
    function vdata($value) {
        if (get_magic_quotes_gpc()) {
            //if the dope has magic quotes on, strip them
            $value = stripslashes($value);
        }
        if (!is_numeric($value) || $value[0] == '0') {
            // now do the cleaning
            $value = clean($value);
        }
        return $value;
    }
}

If not being inserted into mysql:

PHP Code:

  if (!function_exists('cleanLite')) {
????: NamePros.com http://www.namepros.com/code/647375-clean-user-posted-data.html
    function cleanLite($value) {
        // I clean the string up when my function is called.
        $search = array('javascript:',  
                        'document.location', 
                        'vbscript:', 
                        '?php'); 
        $value = str_replace($search, '_', $value); 
        $value = htmlspecialchars(strip_tags(trim($value)));
        return $value;
    }
}
if (!function_exists('vdataLite')) {
    function vdataLite($value) {
        if (get_magic_quotes_gpc()) {
            //If the dope has magic quotes on, strip them
                       //Not inserting into sql, but still cleaning the backslashes
????: NamePros.com http://www.namepros.com/showthread.php?t=647375
            $value = stripslashes($value);
        }
        if (!is_numeric($value) || $value[0] == '0') {
            // now do the cleaning
            $value = cleanLite($value);
        }
        return $value;
    }
}

This has worked for me for a loooooong time. There are many other things you can do, but I wanted to keep this simple. I consider these examples to be the BARE MINIMUM of what you should be using.

To properly call:

PHP Code:

  $username = vdata($_POST['username']);

// or:

$username = vdataLite($_POST['username']);

Use this on cookies, sessions, get and post.

*As seen in php arcade, I jumped on their butts and told them to start validating data and now they use this too.

Oh btw, to those using it.... addslashes() = worthless. Do NOT trust it.

**Eric** · 03-28-2010, 01:06 PM

PHP: Filter - Manual

CrackFeed.Com · 03-28-2010, 01:41 PM

Good call, if only half these peeps would read php manuals

~ The 34 Year Buzz!! · 03-28-2010, 04:17 PM

Great advice, I am aware of this and the exact details are helpful, thanks.

CrackFeed.Com · 03-28-2010, 04:59 PM

Anytime!

sourcez · 04-06-2010, 09:22 AM

This is another take on my method, actually quite a lot clearer.

Thanks for the share, will implement myself.

CrackFeed.Com · 04-06-2010, 09:26 AM

Originally Posted by sourcez

This is another take on my method, actually quite a lot clearer.

Thanks for the share, will implement myself.

Feel free to post your method, I haven't seen it.

sourcez · 04-06-2010, 09:30 AM

It was something I'd used since starting PHP which essentially strips out anything except what I've specified - because I like having control over what characters I have in my inputs.

But that does cause problems when users don't get back what they entered so I've been considering updating the libraries for a while, especially as ereg_replace and it's family are now depreciated in the latest PHP versions

Obulus · 04-06-2010, 09:34 AM

This has come in handy. Thanks alot for our extremely useful posts!

CrackFeed.Com · 04-06-2010, 09:54 AM

Originally Posted by Obulus

This has come in handy. Thanks alot for our extremely useful posts!

Thanks everyone, very kind

I am glad to help!
????: NamePros.com http://www.namepros.com/showthread.php?t=647375

Yeah I am sad to see ereg go, but oh well

sourcez · 04-06-2010, 10:55 AM

I'd be interested to hear your take on this, how would you sanitize a password before entry into a database?

On a basic database I then only md5 the passwords after cleaning strings but seeing as users are beginning to use symbols...

CrackFeed.Com · 04-06-2010, 11:04 AM

If you are simply MD5()ing the password then inserting into the database, then that is all the sanitation that you need. if you plan to display the password or email it to the user, then I would run it through htmlentities().
????: NamePros.com http://www.namepros.com/showthread.php?t=647375

PHP Code:

  $pass = $_POST['password'];
$MD5pass = md5($pass);
$Legiblepass = htmlentities($pass, ENT_QUOTES);

// insert $MD5pass into database here

echo $Legiblepass;

something like that.

sourcez · 04-06-2010, 11:10 AM

Cool, that's what I had. Thanks for the reply - have restored my faith in md5

CrackFeed.Com · 04-06-2010, 11:11 AM

anytime

03-28-2010, 06:15 AM	THREAD STARTER #1 (permalink)
CrackFeed.Com Account Suspended Join Date: Dec 2008 Location: Boston, Ma Posts: 650 Follow @CrackFeed	Clean user posted data Ok this is a common function for cleaning user posted data. I have seen many people's code here, and data cleaning seems to not be getting done. For data being inserted into sql, call this after a mysql connection is opened: PHP Code: if (!function_exists('clean')) { function clean($value) { // I clean the string up when my function is called. $search = array('javascript:', 'document.location', 'vbscript:', '?php'); $value = str_replace($search, '_', $value); $value = mysql_real_escape_string(strip_tags(trim($value))); return $value; } } if (!function_exists('vdata')) { function vdata($value) { if (get_magic_quotes_gpc()) { //if the dope has magic quotes on, strip them $value = stripslashes($value); } if (!is_numeric($value) \|\| $value[0] == '0') { // now do the cleaning $value = clean($value); } return $value; } } If not being inserted into mysql: PHP Code: if (!function_exists('cleanLite')) { ????: NamePros.com http://www.namepros.com/code/647375-clean-user-posted-data.html function cleanLite($value) { // I clean the string up when my function is called. $search = array('javascript:', 'document.location', 'vbscript:', '?php'); $value = str_replace($search, '_', $value); $value = htmlspecialchars(strip_tags(trim($value))); return $value; } } if (!function_exists('vdataLite')) { function vdataLite($value) { if (get_magic_quotes_gpc()) { //If the dope has magic quotes on, strip them //Not inserting into sql, but still cleaning the backslashes ????: NamePros.com http://www.namepros.com/showthread.php?t=647375 $value = stripslashes($value); } if (!is_numeric($value) \|\| $value[0] == '0') { // now do the cleaning $value = cleanLite($value); } return $value; } } This has worked for me for a loooooong time. There are many other things you can do, but I wanted to keep this simple. I consider these examples to be the BARE MINIMUM of what you should be using. To properly call: PHP Code: `$username = vdata($_POST['username']); // or: $username = vdataLite($_POST['username']);` Use this on cookies, sessions, get and post. As seen in php arcade, I jumped on their butts and told them to start validating data and now they use this too. Oh btw, to those using it.... addslashes() = worthless. Do NOT trust it. Last edited by CrackFeed.Com; 03-28-2010 at 06:21 AM.*

03-28-2010, 04:17 PM	#4 (permalink)
~ The 34 Year Buzz!! NamePros Regular Join Date: Aug 2006 Location: Cyberspace Posts: 648	Great advice, I am aware of this and the exact details are helpful, thanks. __________________ Are You Happy Today! :o)

04-06-2010, 09:22 AM	#6 (permalink)
sourcez NamePros Regular Join Date: Nov 2007 Location: UK Posts: 403	This is another take on my method, actually quite a lot clearer. Thanks for the share, will implement myself. __________________ 3cc Internet

04-06-2010, 09:30 AM	#8 (permalink)
sourcez NamePros Regular Join Date: Nov 2007 Location: UK Posts: 403	It was something I'd used since starting PHP which essentially strips out anything except what I've specified - because I like having control over what characters I have in my inputs. But that does cause problems when users don't get back what they entered so I've been considering updating the libraries for a while, especially as ereg_replace and it's family are now depreciated in the latest PHP versions __________________ 3cc Internet

04-06-2010, 09:34 AM	#9 (permalink)
Obulus NamePros Regular Join Date: Aug 2009 Posts: 313	This has come in handy. Thanks alot for our extremely useful posts! __________________ Available for hire.

03-28-2010, 01:06 PM	#2 (permalink)
Eric Tech Support Join Date: Mar 2005 Posts: 4,944	PHP: Filter - Manual

03-28-2010, 01:41 PM	THREAD STARTER #3 (permalink)
CrackFeed.Com Account Suspended Join Date: Dec 2008 Location: Boston, Ma Posts: 650 Follow @CrackFeed	Good call, if only half these peeps would read php manuals

03-28-2010, 04:59 PM	THREAD STARTER #5 (permalink)
CrackFeed.Com Account Suspended Join Date: Dec 2008 Location: Boston, Ma Posts: 650 Follow @CrackFeed	Anytime!

04-06-2010, 10:55 AM	#11 (permalink)
sourcez NamePros Regular Join Date: Nov 2007 Location: UK Posts: 403	I'd be interested to hear your take on this, how would you sanitize a password before entry into a database? On a basic database I then only md5 the passwords after cleaning strings but seeing as users are beginning to use symbols... __________________ 3cc Internet

04-06-2010, 11:04 AM	THREAD STARTER #12 (permalink)
CrackFeed.Com Account Suspended Join Date: Dec 2008 Location: Boston, Ma Posts: 650 Follow @CrackFeed	If you are simply MD5()ing the password then inserting into the database, then that is all the sanitation that you need. if you plan to display the password or email it to the user, then I would run it through htmlentities(). ????: NamePros.com http://www.namepros.com/showthread.php?t=647375 PHP Code: `$pass = $_POST['password']; $MD5pass = md5($pass); $Legiblepass = htmlentities($pass, ENT_QUOTES); // insert $MD5pass into database here echo $Legiblepass;` something like that. Last edited by CrackFeed.Com; 04-06-2010 at 11:10 AM.

04-06-2010, 11:10 AM	#13 (permalink)
sourcez NamePros Regular Join Date: Nov 2007 Location: UK Posts: 403	Cool, that's what I had. Thanks for the reply - have restored my faith in md5 __________________ 3cc Internet

04-06-2010, 11:11 AM	THREAD STARTER #14 (permalink)
CrackFeed.Com Account Suspended Join Date: Dec 2008 Location: Boston, Ma Posts: 650 Follow @CrackFeed	anytime

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)