
Clean user posted data


CrackFeed.Com

Ok this is a common function for cleaning user posted data. I have seen many people's code here, and data cleaning seems to not be getting done.

For data being inserted into sql, call this after a mysql connection is opened:

PHP:
if (!function_exists('clean')) {
	function clean($value) {
		// I clean the string up when my function is called.
		$search = array('javascript:',  
		                'document.location', 
		                'vbscript:', 
		                '?php'); 
		$value = str_replace($search, '_', $value); 
		$value = mysql_real_escape_string(strip_tags(trim($value)));
		return $value;
	}
}
if (!function_exists('vdata')) {
	function vdata($value) {
		if (get_magic_quotes_gpc()) {
			//if the dope has magic quotes on, strip them
			$value = stripslashes($value);
		}
		if (!is_numeric($value) || $value[0] == '0') {
			// now do the cleaning
			$value = clean($value);
		}
		return $value;
	}
}

If not being inserted into mysql:

PHP:
if (!function_exists('cleanLite')) {
	function cleanLite($value) {
		// I clean the string up when my function is called.
		$search = array('javascript:',  
		                'document.location', 
		                'vbscript:', 
		                '?php'); 
		$value = str_replace($search, '_', $value); 
		$value = htmlspecialchars(strip_tags(trim($value)));
		return $value;
	}
}
if (!function_exists('vdataLite')) {
	function vdataLite($value) {
		if (get_magic_quotes_gpc()) {
			//If the dope has magic quotes on, strip them
			//Not inserting into sql, but still cleaning the backslashes
			$value = stripslashes($value);
		}
		if (!is_numeric($value) || $value[0] == '0') {
			// now do the cleaning
			$value = cleanLite($value);
		}
		return $value;
	}
}

This has worked for me for a loooooong time. There are many other things you can do, but I wanted to keep this simple. I consider these examples to be the BARE MINIMUM of what you should be using.

To properly call:

PHP:
$username = vdata($_POST['username']);

// or:

$username = vdataLite($_POST['username']);

Use this on cookies, sessions, get and post.

*As seen in php arcade, I jumped on their butts and told them to start validating data and now they use this too.

Oh btw, to those using it.... addslashes() = worthless. Do NOT trust it.
 
Good call, if only half these peeps would read php manuals:)
 
Great advice, I am aware of this and the exact details are helpful, thanks.
 
This is another take on my method, actually quite a lot clearer.

Thanks for the share, will implement myself.
 
This is another take on my method, actually quite a lot clearer.

Thanks for the share, will implement myself.

Feel free to post your method, I haven't seen it.
 
It was something I'd used since starting PHP which essentially strips out anything except what I've specified - because I like having control over what characters I have in my inputs.

But that does cause problems when users don't get back what they entered, so I've been considering updating the libraries for a while, especially as ereg_replace and its family are now deprecated in the latest PHP versions :)
 
This has come in handy. Thanks a lot for your extremely useful posts!
 
This has come in handy. Thanks a lot for your extremely useful posts!

Thanks everyone, very kind:) I am glad to help!

Yeah I am sad to see ereg go, but oh well:(
 
I'd be interested to hear your take on this, how would you sanitize a password before entry into a database?

On a basic database I then only md5 the passwords after cleaning strings but seeing as users are beginning to use symbols...
 
If you are simply MD5()ing the password then inserting into the database, then that is all the sanitation that you need. If you plan to display the password or email it to the user, then I would run it through htmlentities().

PHP:
$pass = $_POST['password'];
$MD5pass = md5($pass);
$Legiblepass = htmlentities($pass, ENT_QUOTES);

// insert $MD5pass into database here

echo $Legiblepass;

something like that.
 
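For comparison with the clean()/vdata() functions in the opening post and the md5()/htmlentities() password handling just above, here is an added example (not code from anyone in this thread) doing the same three jobs with context-specific PHP APIs: bound parameters for the database, escaping at HTML output time, and a slow salted hash for passwords. It assumes PHP 7 or later and a constructed `users(username, password_hash)` table; the PDO DSN and credentials are placeholders.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7 and a constructed
// table `users(username, password_hash)`; DSN and credentials are placeholders.
declare(strict_types=1);

// 1. Database: bind values instead of escaping them. Works regardless of
//    magic_quotes (removed in PHP 5.4) and of the connection charset, and
//    the stored value is exactly what the user typed.
function findUserByName(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]); // value travels separately from the SQL text
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. HTML output: escape for the HTML context when rendering, not when
//    storing, so users get back what they entered (the complaint in the
//    ereg_replace reply above) while '<', '>', '"' and "'" are neutralised.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 3. Passwords: stored only as a salted slow hash (bcrypt by default) and
//    never echoed back, so there is nothing to escape for display.
function storePassword(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function checkPassword(PDO $db, string $username, string $password): bool
{
    $row = findUserByName($db, $username);
    // password_verify() reads the salt/cost from the stored hash and
    // compares in constant time.
    return $row !== null && password_verify($password, $row['password_hash']);
}

// Usage with placeholder connection details:
// $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
//     PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,
// ]);
// storePassword($db, (string) $_POST['username'], (string) $_POST['password']);
// echo 'Welcome, ' . h((string) $_POST['username']);
```

Note that the blacklist in clean() (`javascript:`, `?php`, etc.) is not needed once output is escaped for its context; whatever string is stored, the browser only ever receives it as text.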
Cool, that's what I had. Thanks for the reply - have restored my faith in md5 :)
 