concerning security

mp3lab

concerning security
I have function

function check($x=null) {
  if(!isset($x)) return null;
  else if(is_string($x)) return mysql_real_escape_string($x);
  else if(is_array($x)) {
    foreach($x as $k=>$v) {
      $k2=mysql_real_escape_string($k);
      if($k!=$k2) unset($x[$k]);
      $x[$k2]=check($v);
    }
    return $x;
  }
}

and prior to this query I have

$_GET=check($_GET)

Can I "cleanse" input on this way?

bradgrafelman

Definitely not. Here's why: There is no one-size-fits-all function that can automatically sanitize all data without any negative side effects (and/or without missing some things).

Thus, rather than trying to invent something that probably isn't even feasible, either a) sanitize each given input as appropriate (e.g. numeric data shouldn't be treated the same as string data), or b) consider using prepared statements instead.

EDIT: Also forgot to mention that the array part of the function makes no sense at all and will remove valid data rather than attempting to sanitize it.

Weedpacket

Moved this to its own thread, because it wasn't directly related to the thread where it was originally posted.

bradgrafelman wrote:
EDIT: Also forgot to mention that the array part of the function makes no sense at all and will remove valid data rather than attempting to sanitize it.

Actually, what it's doing is applying mysql_real_escape_string() to the array keys. Why it's doing that is another matter.

traq

hmm... let me try to follow this

[font=monospace]$k2=mysql_real_escape_string($k);[/font]
escaped version of the array key.

[font=monospace]if($k!=$k2) unset($x[$k]);[/font]
compares escaped key to original key; unsets original array index if they don't match.

[font=monospace]$x[$k2]=check($v); [/font]
then recurses on the value and sets a new item in the array using the escaped key and value.

if the original key and the escaped key were equal (i.e.: the key didn't need to be escaped), then we've got the same index again ($k == $k2) with an escaped (possibly different) value.

if the original key did need to be escaped, then the (original|escaped)value is now stored under a new key - meaning the script probably won't be able to find it.

right?

SO...
I'm with Weedpacket on the "why?" issue.