Resolved clean input question



durangod
09-05-2011, 02:26 PM
I think I finally got this licked, but I wanted to check with you all first.

Here is what I did to clean my input and make sure every time that I have a valid db connection. I am not getting any errors, so I think :confused: it's working fine.




class my_db extends DB_Sql {
var $Host = "localhost"; //Database hostname (most likely localhost)
var $Database = "dbname"; //Database name
var $User = "dbuser"; //Database user username
var $Password = "dbpass"; //Database user password
}// close class my_db


//clean the input using db connection

function cleanInput($value){
$db=new my_db;
$link = $db->Connect(); //no arguments: DB_Sql falls back to the class properties above (the original passed undefined locals)
$cleanvalue=mysql_real_escape_string($value, $link); //escape using the live connection's charset
return $cleanvalue;
}//close cleaninput




Since this db file is included in every php file I have, in the file itself I just call



$var = cleanInput($_POST['whatever']);

Chris Hick
09-05-2011, 02:41 PM
You might like this version of your clean input. ^_^ Just a little bit extra to help you out.


function cleanInput($value){
$db=new my_db;
$link = $db->Connect(); //no arguments: DB_Sql falls back to the class properties
$cleanvalue = strip_tags($value);
$cleanvalue = htmlentities($cleanvalue); //each step works on the previous result, not the raw $value
$cleanvalue = stripslashes($cleanvalue);
return mysql_real_escape_string(trim($cleanvalue), $link);
}//close cleaninput

durangod
09-05-2011, 03:05 PM
Thanks Chris,

I usually use htmlspecialchars instead of htmlentities; I don't suppose it matters. I don't know why they originally coded this to open and close the db connection with every query like they did, but it's a huge pain in the butt lol, and in my opinion not very efficient at all. But unless I want to overhaul the db structure, I guess I'll have to live with it.

I have actually been fighting this for some time now, trying to figure out how to sanitize this through the db connection or the query itself, and was told doing it through the query itself would mess up the query, so I was back to square one. I could not do it in the file itself because of the way they structured the db connection: it was not connected unless it actually ran a query.

Until I had the bright idea to check to see how phpBB did it, because I know they use a similar structure; don't know why I didn't think of that before. But that is basically how they do it in their db class.

I will just need to be careful that I don't run every query through this, and possibly even have several versions of this with different functions, as there is some input I don't want to run all the functions on. For example, a textarea: I don't need to run everything on the textarea because it will turn out funky, and also because part of my data is actual php file content, I don't want to run everything on it.

So I think several versions of this type of function, depending on the data input, will serve me well. Thanks so much.

PS I have been on this forum for a long time and I read your tag line; I don't even know how to make a topic resolved lol.

Chris Hick
09-05-2011, 03:47 PM
Why don't you just write your function like this and declare your $link as global? That way you can tuck this away in a functions.php file and call it when you like, after you've already connected to the database earlier in any script:



function sanitizeString($var) {
global $link; //$link must already hold the mysql connection resource opened earlier in the script
$var = strip_tags($var);
$var = htmlentities($var);
$var = stripslashes($var);
return mysql_real_escape_string( trim($var), $link);
}


And to change your topic to resolved, just edit your very first post. Then click Go Advanced. Then set the prefix to Resolved. :)
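As an added example (not code from either poster), here is the same idea split by context: escaping through the live connection as the thread does, HTML encoding kept for output only, and a prepared statement that needs no escaping at all. It uses mysqli rather than the thread's mysql_ functions (removed in PHP 7) and assumes the same localhost/dbname/dbuser/dbpass values as the my_db class and a hypothetical users table; the function names are my own.

```php
<?php
// Added example: separate SQL escaping from HTML encoding, and prefer
// binding. Connection values mirror the my_db class in the thread.

function connectDb(): mysqli {
    $db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
    if ($db->connect_error) {
        throw new RuntimeException('DB connect failed: ' . $db->connect_error);
    }
    // real_escape_string depends on the connection charset, so set it first.
    $db->set_charset('utf8mb4');
    return $db;
}

// SQL context only: escape through the open connection, as the thread does.
function sqlEscape(mysqli $db, string $value): string {
    return $db->real_escape_string(trim($value));
}

// HTML context only: encode when printing, never before storing, so a
// textarea or PHP-source field round-trips unchanged.
function htmlOut(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Preferred: a prepared statement. The value is bound as data and never
// becomes part of the SQL text, so no escaping function is involved.
function findUser(mysqli $db, string $name): ?array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage with a constructed value standing in for $_POST['whatever'].
$db    = connectDb();
$input = "O'Brien <b>hi</b>";
$row   = findUser($db, $input);                       // bound, not interpolated
$legacy = "SELECT id FROM users WHERE name = '" . sqlEscape($db, $input) . "'";
echo htmlOut($input);                                 // encoded at output time
```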

durangod
09-05-2011, 04:32 PM
Thanks again. The main reason is that the functions php file is not included in every php file, so I would need to go through and add it to every file. But the db php file is included in every file, so by putting the function in the db php file as it is now, I would not need to add any other include to every file, which saves me tons of time.
