Help with XSS/Security/Laziness code

WebLady

I am still relatively new to PHP, and I'm trying to see if I can do some of the same sort of things in PHP that I can do in ColdFusion.

I want to filter all incoming data before I do anything with it. So I have included this bit of code at the top of the script:

// make all passed parameters local
foreach ($_REQUEST as $key => $val) {
	$$key = trim(htmlentities(strip_tags($val) , ENT_QUOTES));
}

My question is: Is there a better way to filter incoming data? Should I be filtering out anything else? Is this a bad way to do it? Why?

Thanks!

vaaaska

There's nothing really wrong with what you are doing but perhaps you are doing a little too much all at once...one thing you haven't done is deal with magic quotes (slashes)...

http://be.php.net/manual/en/function.get-magic-quotes-gpc.php

instead of using a foreach there you could use array_map (but it's basically the same thing - just a little more smooth)...

http://www.php.net/array_map/

Filtering data all depends upon what you plan to do with it...you could use regular expressions to deal with many problems as well...

And then, since we're on the subject, you'll want to deal with getting your data into your table safely as well...this is a place to start...

http://be.php.net/manual/en/function.mysql-real-escape-string.php

and here is a little thing about security that sort of wraps some of these together...

http://be.php.net/manual/en/security.php

WebLady

Thanks vaaaska, that info helped.