Hi there:
I inherited some code that I'm improving. The original author called a function to validate entries from a form.
The validation checks that "all" the blanks are filled, makes sure the email address is in a recognizable email addy form, checks several entries that need to be numeric to be so, picks a proper registration fee to show based on 3 cut-off dates, and checks whether the registrant has already registered once by quickly scanning the database (by a sub-function call). After the validation function returns, then the input is made to the database.
Unfortunately, this old code used Register_Globals "on".
First, a digression: what are your thoughts on the following snippet to give me local variables from the POST?
// Makes every POST key a variable in the current scope, which is what register_globals did
foreach ($_POST as $key => $value) {
    $$key = $value;
}
Now back to variable sanitization:
Then I've searched the entire forum for "sanitize variables" and have had interesting reading. Brad, and several of you had good feedback. I found one thread where a gent had a snippet that I thought looked efficient. There wasn't any specific critique of his snippet:
if (get_magic_quotes_gpc()) {
    // magic_quotes_gpc already added backslashes; remove them so the values are not escaped twice
    $username = stripslashes($_POST['username']);
    $password = stripslashes($_POST['password']);
} else {
    $username = $_POST['username'];
    $password = $_POST['password'];
}

// Escapes every value for use inside a quoted MySQL string literal.
// mysql_real_escape_string() needs an open mysql_connect() link at the time it is called.
function CleanArray($array) {
    foreach ($array as $key => $value) {
        $array[$key] = mysql_real_escape_string($value);
    }
    return $array;
}
$_POST = CleanArray($_POST);
I'm actually not using username and password, but would stripslashes be good for name and address string entries?
Lastly, the validation function previously was fed the POST array. Now I will feed it another array after sanitization. Or, what about moving sanitizing to within the validation function as another step? Thoughts?
Any other things to consider about sanitizing user input from a form? Should I make sure I use sprintf?
Thanks
Bruce Richardson
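As an added example (not the poster's code or the inherited code), this is one way to do the validation step described in the post without the `$$key` loop and without a separate escaping pass: a whitelist of expected field names, filter_var() for the email and numeric checks, and a prepared statement for the duplicate-registrant lookup. It assumes a PDO connection `$pdo`, a `registrants` table with an `email` column, and made-up field names, fee amounts and cut-off dates.

```php
<?php
// Added example, not the poster's code. Assumed: a PDO connection $pdo and a
// "registrants" table with an "email" column; field names are made up.
function validateRegistration(array $post, PDO $pdo): array {
    $fields  = ['name', 'address', 'email', 'age', 'guests'];
    $numeric = ['age', 'guests'];
    $errors  = [];
    $clean   = [];
    // Copy only the fields we expect: unknown keys never become variables,
    // unlike "$$key = $value" over the whole POST array.
    foreach ($fields as $f) {
        $v = isset($post[$f]) ? trim((string) $post[$f]) : '';
        if ($v === '') {
            $errors[] = "$f is required";
        }
        $clean[$f] = $v;
    }
    if ($clean['email'] !== '' && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a recognizable address';
    }
    foreach ($numeric as $f) {
        if ($clean[$f] !== '' && filter_var($clean[$f], FILTER_VALIDATE_INT) === false) {
            $errors[] = "$f must be a whole number";
        }
    }
    // Duplicate-registrant check with a bound parameter: the value is never
    // spliced into the SQL text, so no escaping step is needed.
    if (!$errors) {
        $stmt = $pdo->prepare('SELECT COUNT(*) FROM registrants WHERE email = ?');
        $stmt->execute([$clean['email']]);
        if ((int) $stmt->fetchColumn() > 0) {
            $errors[] = 'this email address is already registered';
        }
    }
    return ['errors' => $errors, 'data' => $clean];
}

// Fee chosen from three cut-off dates (constructed dates and amounts).
function registrationFee(DateTimeInterface $today): int {
    foreach ([['2024-03-01', 100], ['2024-04-01', 125], ['2024-05-01', 150]] as [$cutoff, $fee]) {
        if ($today <= new DateTimeImmutable($cutoff)) {
            return $fee;
        }
    }
    return 175; // late registration after the last cut-off
}
```

Call `validateRegistration($_POST, $pdo)` and only run the INSERT (also as a prepared statement) when the returned `errors` array is empty.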