
is this filtering secure ??



PHPycho
01-03-2008, 06:48 AM
Hello forums !!
I would like to know if I am doing this right for security purposes or not.
For any user-submitted data ($_POST & $_GET) I do the following:

$_POST = filter_input($_POST);
// $_GET = filter_input($_GET);
// then afterwards use the submitted data in queries like this
$sql = "INSERT INTO `table_name` (field1, field2) VALUES('".$_POST['field1']."', '".$_POST['field2']."')";

// filter_input function
// Note: filter_input() is also the name of a PHP built-in (PHP >= 5.2), so
// declaring it again there is a fatal "Cannot redeclare" error; rename it if so.
function filter_input($arg){
    if(is_array($arg)){
        foreach($arg as $key => $value){
            if(is_array($value)){
                // nested arrays are assumed to be numerically indexed (one level only)
                for($i = 0; $i < count($value); $i++){
                    $arg[$key][$i] = mysql_real_escape_string(htmlentities(trim($value[$i]), ENT_QUOTES, 'UTF-8'));
                }
            }else{
                $arg[$key] = mysql_real_escape_string(htmlentities(trim($value), ENT_QUOTES, 'UTF-8'));
            }
        }
        return $arg;
    }elseif(is_string($arg)){
        $arg = mysql_real_escape_string(htmlentities(trim($arg), ENT_QUOTES, 'UTF-8'));
        return $arg;
    }else{
        return $arg; // anything else (int, null, ...) is passed through untouched
    }
}

My question:
- Is this a secure filter or not?

Thanks in advance for your valuable suggestions.

bcarl314
01-05-2008, 05:48 AM
Personally, I use a function that I call "check_data" for any input. It takes 2 arguments, the text to "clean" and the validation to run.

function check_data($t, $v) {
    switch($v) {
        case "text":
            // any non-word character (not [A-Za-z0-9_]) fails the check
            if(preg_match("/\W/", $t)) {
                return false;
            }
            else {
                return true;
            }
            break;
        // ... (remaining validation cases omitted)
    }
}



It has all sorts of validation "cases" for anything from numbers, to text, phone, zips, email, web addresses, etc. I just run all my data through this function to check it before running a query, or passing the data to another app (file system call, etc).
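An added example (not code from either post) putting both ideas together: an allow-list validator in the style of check_data() for each field, and the INSERT from the first post rewritten with bound parameters so the database driver keeps data and SQL apart, with HTML encoding applied only when the value is rendered. The table and field names come from the question; the validation rules, the SQLite in-memory database and the sample input are assumptions for the demo.

```php
<?php
// Allow-list validation per field type, modelled on check_data() above.
// The rule names and patterns here are assumptions for this example.
function check_data(string $t, string $v): bool {
    switch ($v) {
        case "text":   // same rule as the reply: only [A-Za-z0-9_] allowed
            return preg_match('/\W/', $t) !== 1;
        case "name":   // letters, spaces, apostrophes and hyphens, max 64 chars
            return preg_match("/^[\\p{L} '\\-]{1,64}$/u", $t) === 1;
        case "int":
            return filter_var($t, FILTER_VALIDATE_INT) !== false;
        case "email":
            return filter_var($t, FILTER_VALIDATE_EMAIL) !== false;
        default:       // unknown rule name: reject instead of passing through
            return false;
    }
}

// Constructed sample input standing in for $_POST, with the rule for each field.
$post  = ['field1' => 'alice_01', 'field2' => "O'Brien"];
$rules = ['field1' => 'text',     'field2' => 'name'];

foreach ($rules as $field => $rule) {
    if (!isset($post[$field]) || !check_data(trim($post[$field]), $rule)) {
        exit("invalid value for $field\n");
    }
}

// In-memory SQLite so the example runs offline; the same PDO code works with MySQL.
$pdo = new PDO('sqlite::memory:', null, null,
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE `table_name` (field1 TEXT, field2 TEXT)");

// Placeholders fix the SQL structure before any value is supplied, so the
// apostrophe in field2 needs neither mysql_real_escape_string() nor htmlentities().
$stmt = $pdo->prepare("INSERT INTO `table_name` (field1, field2) VALUES (:f1, :f2)");
$stmt->execute([':f1' => trim($post['field1']), ':f2' => trim($post['field2'])]);

// The stored value is exactly what the user typed; encode only when rendering HTML.
$row = $pdo->query("SELECT field1, field2 FROM `table_name`")->fetch(PDO::FETCH_ASSOC);
echo htmlspecialchars($row['field1'], ENT_QUOTES, 'UTF-8'), ' / ',
     htmlspecialchars($row['field2'], ENT_QUOTES, 'UTF-8'), "\n";
```

Storing the raw value and encoding at output time keeps the data usable for non-HTML consumers (CSV export, APIs, search) that an htmlentities()-before-INSERT approach would hand pre-encoded text.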


