Variables that are submitted via web forms always need to be cleaned/sanitized before use in any way, to prevent against all kinds of different malicious intent.
Technique #1
function clean($value) {
    // If magic quotes are not turned on, add slashes. Magic quotes were removed
    // in PHP 5.4 and get_magic_quotes_gpc() itself in PHP 8.0, so guard the call
    // with function_exists() to keep the same behaviour on current versions.
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        // Adds the slashes.
        $value = addslashes($value);
    }
    // Strip any tags from the value.
    $value = strip_tags($value);
    // Return the value out of the function.
    return $value;
}

$sample = "<a href='#'>test</a>";
$sample = clean($sample);
echo $sample;
This is a good start, but it isn’t anywhere near as efficient as it needs to be in today’s PHP usage.
Look into htmlspecialchars() and/or htmlentities(), stripslashes() and (for database users) mysqli_real_escape_string()
Example usage:
I’d only recommend using that on output.
If you’re submitting to a database (like posting a comment, for example), then escape your data!!
Of course, I’d advocate PDO over mysqli_*() functions, as they automatically escape (for lack of a better description)
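The two points in the replies above (escape at the output boundary with htmlspecialchars(), and let PDO prepared statements carry data to the database instead of escaping it by hand) as one added example; this is not code from the thread. It assumes an in-memory SQLite database and constructed form values so it runs offline; the function names e(), saveComment() and commentsBy() are my own.

```php
<?php
// Added example, not from the thread: handle form input by context on a current
// PHP version. Storage uses PDO bound parameters; HTML output uses
// htmlspecialchars(). No addslashes()/strip_tags() "cleaning" on the way in.
declare(strict_types=1);

// Escape a value for insertion into an HTML text node or quoted attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Store a comment; the values travel as bound parameters, never as SQL text.
function saveComment(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// Look up comments by author, again with a bound parameter.
function commentsBy(PDO $db, string $author): array
{
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample: an in-memory SQLite database stands in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed form input (stands in for $_POST). The quote and the tags are
// stored intact: the database never interprets them as SQL because they are
// bound, and the original text stays available for non-HTML consumers.
$author = "O'Brien";
$body   = "<a href='#'>test</a> said: it's 1 < 2";
saveComment($db, $author, $body);

// Rendering: escaping happens here, at the HTML boundary, not at intake.
foreach (commentsBy($db, $author) as $row) {
    echo '<p><b>', e($row['author']), '</b>: ', e($row['body']), "</p>\n";
}
```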
are there any solutions for today's php version?
thanks