Am I going overkill on data sanitation?

schwim

Hi there guys,

Over the course of my visits and questions here, I've gotten into a particular habit when formatting my form submissions:

$variable = strip_tags (mysql_real_escape_string (strip_mq_gpc (substr ($_POST['variable'], 0, 100))));

(strip_mq_gpc is a custom function that combats magic quotes)

I do this for absolutely every variable, regardless of whether it's a radio button, check box, text box or text area. My thinking is that someone might find a way to submit a value in a different way than I intended.

Am I taking it too far? is the fact that I'm setting the value of $variable to $_POST['variable'] enough to protect the radio buttons and checkboxes?

Any insight would be greatly appreciated.

thanks,
json

Weedpacket

If the checkbox is checked, it will be part of the form submission. If it's not checked it won't. All you need to do for checkboxes therefore is check to see that they are set (which you don't do above, unless you're testing isset($_POST['variable']) somewhere else).

Radio buttons and selects; generally you know what values they could take; verify that the submitted value is one of those values. Avoid characters in values that might need escaping. Choose values that are easy to validate.

Numeric input: is_numeric() is a reasonable first approximation (but only an approximation, depending on expected format, it may return false positives).

MrSteve

Hi Schwim

I've tried to send you a PM but it says I don't have the privilege to do that.

Could you please post your strip_mq_gpc function? I'm interested in incorporating something like that into my website.

Thank you!

schwim

Hi there MrSteve,

Here you go:

function strip_mq_gpc($arg) {
  if (get_magic_quotes_gpc()) {
    return stripslashes($arg);
  } else {
    return $arg;
  }
}

Hope this helps you.

thanks,
json

schwim

Thanks very much for your reply weedpacket.

I'm checking that they're set above the formatting stage.

Can I ask what you think the best way to check that the value is either "optiona" or "optionb" for the radio buttons is?

thanks,
json

Weedpacket

It can be done more simply than this if there are only two options; but this scales better:

$allowed_options_for_foo = array('optiona', 'optionb');

if(in_array($_POST['foo'], $allowed_options_for_foo)
{
// $_POST['foo'] has a valid value.
}