The functions themselves are certainly handy, though you might want to stick them into a class. The function names are not really coherent, so you might want to make it a bit more portable.
I think you should clean things up at every point data goes in/out.
What you're doing now is assuming that the only thing that'll be done to the data is insertion into a database.
What if you want to render it into a page? Or into a plain txt file? Or into a textarea?
You should wait with doing MySQL-specific mutations until you're sure you're going to stick it into the database.
Try this:
(You might want to make your functions array-proof, so you can throw in one value as well as an array)
<?php
class safe_io{
    // Methods are static because the usage below calls them as safe_io::method()
    public static function from_request( &$data ){
        /* remove backslashes if some annoying
           antique nosy ini setting has put them in...
           I made only this one by reference, cause
           you shouldn't want to do anything with
           the input if they MAY contain abundant backslashes
        */
    }
    public static function to_form( $data ){
        /*
           Make sure you don't $&^% up the form
           so use some htmlentities for ' and/or "
           &apos; for ' doesn't work in all browsers.
        */
        return $data;
    }
    public static function to_textarea( $data ){
        /*
           Not much action needed. It'll all work, except for </textarea>.
           Be creative on this one.
        */
        return $data;
    }
    public static function to_db( $data ){
        /*
           The regular. Just slap in some backslashes.
        */
        return $data;
    }
    public static function to_html( $data ){
        /*
           htmlspecialchars() or even htmlentities()
        */
        return $data;
    }
}
// usage:
safe_io::from_request( $_POST );
echo print_r( safe_io::to_html( $_POST ), true );
$ar_assoc_insert = safe_io::to_db( $_POST );
// 1) clean out values that aren't legal
// 2) smash the array into an insert query
?>
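An added example, not part of the original post: one way to fill in the output side of the skeleton above, with a single array-proof encoder for the HTML, form and textarea cases and a database step that follows the two usage comments. It swaps the "slap in some backslashes" step for PDO bound parameters; the class name SafeIoExample, the users table, the constructed $post array and the in-memory SQLite database (needs pdo_sqlite) are assumptions.

```php
<?php
// Added example: hypothetical class name; all sample data below is constructed.
final class SafeIoExample
{
    /** Apply $fn to one value or to every leaf of a (nested) array. */
    private static function map($data, callable $fn)
    {
        return is_array($data)
            ? array_map(fn($v) => self::map($v, $fn), $data)
            : $fn((string) $data);
    }

    /** HTML text, quoted attribute value or textarea body: encode & < > " ' */
    public static function toHtml($data)
    {
        // ENT_QUOTES emits the numeric &#039; for ', not the named &apos; entity
        return self::map($data, fn($s) =>
            htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
    }

    /** Database: bind values as parameters instead of adding backslashes. */
    public static function insert(PDO $pdo, string $table, array $row, array $allowed): void
    {
        // $table must be a hard-coded name, never request data.
        // 1) clean out keys that aren't legal columns
        $row = array_intersect_key($row, array_flip($allowed));
        if ($row === []) {
            throw new InvalidArgumentException('no legal columns in input');
        }
        // 2) build the INSERT from allow-listed names and ? placeholders only
        $cols  = implode(', ', array_keys($row));
        $marks = implode(', ', array_fill(0, count($row), '?'));
        $pdo->prepare("INSERT INTO $table ($cols) VALUES ($marks)")
            ->execute(array_values($row));
    }
}

// Constructed sample standing in for $_POST
$post = ['name' => "O'Reilly", 'bio' => '</textarea><b>"hi"</b>', 'role' => 'admin'];

$safe = SafeIoExample::toHtml($post);            // encode only at output time
echo '<input name="name" value="' . $safe['name'] . '">', "\n";
echo '<textarea name="bio">' . $safe['bio'] . '</textarea>', "\n";

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, bio TEXT)');
SafeIoExample::insert($pdo, 'users', $post, ['name', 'bio']); // 'role' is dropped
print_r($pdo->query('SELECT name, bio FROM users')->fetchAll(PDO::FETCH_ASSOC));
```

The row stored in the database is the raw request value; encoding is applied separately each time the value is written into a page.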