hi, i would like to come up with a portable function that cleans user input for my database but don't want it to mess with binary data. anyone have ideas on this?
i think i need a function to detect if the $val is binary or a way to rewrite the $vals i pass to the function. perhaps
clean_input(product='$product', quantity='$quantity', id='$id', description='$description')
or something.
i found a section in the manual on "Multi-Byte String Functions" but it doesn't seem quite the right thing.
here's what i have so far:
function clean_input($HTTP_POST_VARS) {
    // trim and escape every posted value, then export it as a global
    foreach ($HTTP_POST_VARS as $key => $val)
    {
        if (is_array($val))
        {
            // clean each element, then export the whole array
            // (assigning inside the loop kept only the last element)
            for ($i=0; $i < count($val); $i++){
                $val[$i] = trim($val[$i]);
                $val[$i] = addslashes($val[$i]);
            }
            $GLOBALS[$key] = $val;
        }
        else
        {
            $val = trim($val);
            $val = addslashes($val);
            $GLOBALS[$key] = $val;
        }
    }
}
and some usage:
if ($action == "update") {
    // update the text columns of the record
    $sql="UPDATE $inventorytable SET product='$product', quantity='$quantity', id='$id', description='$description', price='$price', category='$category' WHERE id='$id'";
    $result=MYSQL_QUERY("$sql")
        or die ("\n\n<P><B>Error in our query: </B>\n<TT>$sql</TT></P>\n<P>". mysql_error() ."</P>");
    // if a file was uploaded, store its contents and metadata
    if (($form_data != "none")&&($form_data != ""))
    {
        $data = addslashes(fread(fopen($form_data, "r"), filesize($form_data)));
        $sql="UPDATE $inventorytable SET bin_data='$data' , filename='$form_data_name' , filesize='$form_data_size' , filetype='$form_data_type' WHERE id='$id'";
        $result=MYSQL_QUERY("$sql")
            or die ("\n\n<P><B>Error in our query: </B>\n<TT>$sql</TT></P>\n<P>". mysql_error() ."</P>");
    }
    echo "\n<H3>Success. This record has been updated.</H3>\n";
    MYSQL_CLOSE();
}
any help would be appreciated!
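
One way to get what the post asks for, as an added example that is not part of the original post: bind every value as a query parameter, so nothing is escaped by hand and binary data passes through unchanged. It assumes PDO with an in-memory SQLite database standing in for MySQL; the functions `table_name` and `update_item`, the `inventory` table and the sample values are constructed for the illustration.

```php
<?php
// Added example, not the poster's code. Column names follow the post; the
// SQLite database, table name and sample values are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE inventory (id INTEGER PRIMARY KEY, product TEXT,
            quantity INTEGER, description TEXT, bin_data BLOB, filename TEXT)');
$pdo->exec("INSERT INTO inventory (id, product, quantity) VALUES (1, 'old', 0)");

// Identifiers cannot be bound as parameters, so the table name is checked
// against a fixed allow-list instead of being escaped.
function table_name(string $name): string {
    if (!in_array($name, ['inventory'], true)) {
        throw new InvalidArgumentException("unknown table: $name");
    }
    return $name;
}

function update_item(PDO $pdo, string $table, array $in, ?string $blob): int {
    $st = $pdo->prepare('UPDATE ' . table_name($table) . ' SET product = :product,
        quantity = :quantity, description = :description,
        bin_data = :bin_data, filename = :filename WHERE id = :id');
    // Text is trimmed for tidiness only; binding keeps it out of the SQL text.
    $st->bindValue(':product', trim($in['product']), PDO::PARAM_STR);
    $st->bindValue(':quantity', (int) $in['quantity'], PDO::PARAM_INT);
    $st->bindValue(':description', trim($in['description']), PDO::PARAM_STR);
    $st->bindValue(':filename', trim($in['filename']), PDO::PARAM_STR);
    // Binary data is bound as a LOB and is never trimmed or escaped.
    $st->bindValue(':bin_data', $blob,
        $blob === null ? PDO::PARAM_NULL : PDO::PARAM_LOB);
    $st->bindValue(':id', (int) $in['id'], PDO::PARAM_INT);
    $st->execute();
    return $st->rowCount();
}

// Constructed form input with quotes, and constructed bytes that include
// NUL, a quote and a backslash, the characters addslashes() would rewrite.
$input = ['id' => '1', 'product' => " O'Reilly \"widget\" ", 'quantity' => '3',
          'description' => "10\" rack, owner's manual", 'filename' => 'logo.png'];
$blob = "\x89PNG\x00'\\\x1a\xff";

var_dump(update_item($pdo, 'inventory', $input, $blob));
$row = $pdo->query('SELECT product, description, bin_data FROM inventory
                    WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
// Both comparisons check that the stored values equal what was submitted.
var_dump($row['product'] === trim($input['product']));
var_dump($row['bin_data'] === $blob);
```

With bound parameters there is no need to detect whether a value is binary: the type passed to `bindValue` decides how the driver sends it.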