Does this look right for a decent user input sanitizer

woocha

<?php  

function sanitize($value)  

{    

   if(get_magic_quotes_gpc())     

   {      $value = stripslashes($value);    

    }    else     {      

           $value = $value;    }  

  mysql_real_escape_string($value);   

  return $value;  

}?>

Its something I slapped together....do you guys think it makes good sense as a function?

Ashley_Sheridan

I've put together a useful function for form field validation that uses regular expressions to check fields against certain types. The code is a bit large to chuck on here, so I'll post the link to the page explaining how to use it:

http://ashleysheridan.co.uk/coding_php_validation.php

NogDog

woocha wrote:
Its something I slapped together....do you guys think it makes good sense as a function?

Looks OK to me, other than the indentation is esthetically unpleasing to me. :p

laserlight

There is pretty much no point in assigning $value to $value though, so you can just leave out the else block.

bretticus

Was the mysql_real_escape_string function there the first time around? I don't see you setting $value to the result of that function. I didn't think you could pass a variable to it by reference. Can you?

NogDog

So to consolidate the suggestions, I think it could be condensed down to:

<?php  

function sanitize($value)  

{    

   if(get_magic_quotes_gpc())     

   {
      $value = stripslashes($value);    

   }
   return mysql_real_escape_string($value);   

}
?>

woocha

NogDog;10882522 wrote:
Looks OK to me, other than the indentation is esthetically unpleasing to me. :p

Yeah...I wrote it in notepad and then copied it into the forum

quecoder

<?php  

function sanitize($value)  

{    

   if(get_magic_quotes_gpc())     

   {
      $value = stripslashes($value);    

   }
   return mysql_real_escape_string($value);   

}
?>

what are you trying to do here !!
you strip slashes to just add it again later .. !!!!!!!!

what a logic !

laserlight

what are you trying to do here !

Escape input to be passed to a MySQL database.

you strip slashes to just add it again later .. !

stripslashes() and mysql_real_escape_string() do slightly different things, but enough for it to be problematic to use the former to escape input meant to be passed to a MySQL database.

what a logic !

Recall that mysql_real_escape_string() takes things like the database locale into account.