I'm guessing there has to be a shorter way to do this, because when you start getting more than 10 POST variables, this code starts looking really crowded.

These variables can be anything, even user-inputted HTML code, so it has to be passed through htmlspecialchars.

<?php

// $HTTP_POST_VARS is the pre-PHP 4.1 name for $_POST
$variable_1 = str_replace("\'", "''", htmlspecialchars(trim($HTTP_POST_VARS['variable_1'])));
$variable_2 = str_replace("\'", "''", htmlspecialchars(trim($HTTP_POST_VARS['variable_2'])));
$variable_3 = str_replace("\'", "''", htmlspecialchars(trim($HTTP_POST_VARS['variable_3'])));
$variable_4 = str_replace("\'", "''", htmlspecialchars(trim($HTTP_POST_VARS['variable_4'])));
$variable_5 = str_replace("\'", "''", htmlspecialchars(trim($HTTP_POST_VARS['variable_5'])));
$variable_6 = str_replace("\'", "''", htmlspecialchars(trim($HTTP_POST_VARS['variable_6'])));
// ...etc

techietim

October 12, 2007 23:32 (1 rating)

Try this.

<?php
foreach ($_POST as $pname => $pvalue) {
    // trim, HTML-encode, then backslash-escape any quote characters that remain, in place
    $_POST[$pname] = str_replace(array("'", '"'), array("\'", '\"'), htmlspecialchars(trim($pvalue)));
}
blank714.myopenid.com

October 12, 2007 23:38

How exactly would that work? Could you add some test variables (variable_1, variable_2, etc.)?

Thanks

techietim

October 13, 2007 00:50

That cleans all of the $_POST values. Example usage below.

<?php
if (isset($_POST['asdasd'])) {
    // the form was submitted: clean every POST value in place and show the result
    foreach ($_POST as $pname => $pvalue) {
        $_POST[$pname] = str_replace(array("'", '"'), array("\'", '\"'), htmlspecialchars(trim($pvalue)));
    }
    print_r($_POST);
} else {
?>
<form action="" method="post">
<input name="asdasd222" value="ssssssssssss" />
<input name="asdasdas" value="ssssq42345'''" />
<input name="asdasdastt" value="ssssq42345'''" />
<input type="submit" name="asdasd" value="test" />
</form>
<?php
}
typefreak

October 13, 2007 15:42 (2 ratings)

I don't know why you're using the str_replace function, but if you need it, put it on the line containing
return htmlspecialchars(trim($v));

Using this method, you can also automatically handle/secure any submitted array, regardless of its dimensions.

<?php
function secure_input($v) {
    if ( is_array($v) ) {
        // nested array (e.g. name="tags[]"): apply the same function to every element
        return array_map('secure_input', $v);
    }
    else {
        return htmlspecialchars(trim($v));
    }
}
$_POST = secure_input($_POST);
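The recursive approach above, run over a constructed nested input so you can see what it does to each level. This is an added example, not code from the thread; the function name normalise_input and the $sample array are this example's own. It differs from typefreak's version in two ways a practitioner would want: htmlspecialchars() is called with ENT_QUOTES so single quotes are encoded as well (the default in PHP of that era left them alone), and non-string scalars are passed through unchanged rather than being silently cast to strings.

```php
<?php
// Added example (not from the thread): recursive normalisation of a submitted array,
// in the spirit of typefreak's secure_input(). normalise_input() and $sample are
// this example's own names.

function normalise_input($v)
{
    if (is_array($v)) {
        // Recurse into nested submissions such as name="tags[]" or name="user[address][city]";
        // array_map with a single array keeps the original keys.
        return array_map('normalise_input', $v);
    }
    if (is_string($v)) {
        // ENT_QUOTES encodes both " and ' so the value is safe inside any attribute quoting style.
        return htmlspecialchars(trim($v), ENT_QUOTES, 'UTF-8');
    }
    // ints, floats, bools, nulls: nothing to encode, leave the type alone
    return $v;
}

// Constructed sample standing in for $_POST: a nested array plus values that contain
// HTML and a single quote.
$sample = [
    'variable_1' => "  O'Reilly  ",
    'variable_2' => '<script>alert(1)</script>',
    'tags'       => ['php ', ' <b>security</b>'],
    'user'       => ['address' => ['city' => "Saint-Louis's"]],
    'page'       => 3,
];

$clean = normalise_input($sample);
print_r($clean);
```

Note that this still encodes for HTML at input time, which is exactly the problem raised later in the thread: anything stored from $clean will carry HTML entities into the database.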
blank714.myopenid.com

October 13, 2007 18:05

So this could work like this?

Thanks

<?php
$variable_1 = secure_input($_POST['variable_1']);
$variable_2 = secure_input($_POST['variable_2']);
$variable_3 = secure_input($_POST['variable_3']);

echo $variable_1;
// ...etc
typefreak

October 14, 2007 10:00

Overdoing it.
After the lines of code I posted (including the $_POST = secure_input($_POST); line), all $_POST['xxx'] are secured. You don't need to call the function for each var again.

blank714.myopenid.com

October 14, 2007 15:40

Wow, okay, cool. Thanks.

JWvdV

October 20, 2007 14:30
<?php
function secure_input(&$v) {
    if (is_array($v)) {
        // recurse into nested arrays, modifying each element in place through the reference
        foreach ($v as $i => $a) secure_input($v[$i]);
    } elseif (is_string($v)) {
        // undo magic_quotes escaping if it is on (get_magic_quotes_gpc() exists up to PHP 7.4;
        // magic quotes were removed in 5.4), then trim, double single quotes for SQL, and HTML-encode
        $v = htmlspecialchars(str_replace("'", "''", trim(get_magic_quotes_gpc() ? stripslashes($v) : $v)));
    }
    return true;
}
secure_input($_POST);
?>
Mike

November 21, 2007 13:19
If you use this code, you can no longer insert those strings into a DB, unless you want corrupted data, or unless you manually unescape them before doing so.

A nicer approach is to wrap the strings in a class, like SecureString, and have methods like toHtml(), toSql(), getRaw(), etc.
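A worked version of the wrapper Mike describes, added here as an example (it is not code from the thread). The class name SecureString and the methods toHtml(), toSql() and getRaw() follow his naming; the fromRequest() and bindTo() helpers, the in-memory SQLite database and the sample $post array are this example's own. The point it shows is the one his comment makes: store the raw value once and escape per output context, so the database round trip returns the original text while the HTML view is still encoded. For SQL the value is bound as a parameter rather than escaped into the query string.

```php
<?php
// Added example (not from the thread): escape per output context instead of at input time.
// SecureString/toHtml/toSql/getRaw follow Mike's naming; fromRequest, bindTo, the SQLite
// database and $post are this example's own construction. Requires PHP 7.4+ with pdo_sqlite.

final class SecureString
{
    private string $raw;

    public function __construct(string $value)
    {
        // Store the value as received (trimmed only). No escaping here, so the database
        // keeps the real text and each output context escapes for itself.
        $this->raw = trim($value);
    }

    public static function fromRequest(array $request, string $key): self
    {
        $value = $request[$key] ?? '';
        // A non-string (e.g. an array submitted under a scalar field name) becomes the empty string
        return new self(is_string($value) ? $value : '');
    }

    public function getRaw(): string
    {
        return $this->raw;
    }

    // HTML context: encode <, >, &, " and ' so the value cannot break out of markup or attributes.
    public function toHtml(): string
    {
        return htmlspecialchars($this->raw, ENT_QUOTES, 'UTF-8');
    }

    // SQL context, preferred form: the value never enters the query text; it is bound as a
    // parameter, so quoting is the driver's job and no manual escaping is needed.
    public function bindTo(PDOStatement $stmt, string $placeholder): void
    {
        $stmt->bindValue($placeholder, $this->raw, PDO::PARAM_STR);
    }

    // SQL context, fallback form for the rare case where a parameter cannot be used:
    // a driver-quoted literal. Prefer bindTo().
    public function toSql(PDO $db): string
    {
        return $db->quote($this->raw);
    }
}

// Constructed sample standing in for $_POST.
$post = ['comment' => "  O'Brien said <b>hi</b> & left  "];
$comment = SecureString::fromRequest($post, 'comment');

// In-memory SQLite so the example runs without a database server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$comment->bindTo($stmt, ':body');
$stmt->execute();

// Round trip: what comes back from the database is the raw text, not an HTML-encoded copy.
$stored = $db->query('SELECT body FROM comments')->fetchColumn();
assert($stored === $comment->getRaw());

// Escape only at the point of rendering.
echo '<p>' . $comment->toHtml() . "</p>\n";
```

The same object can later be rendered into a different context (a JSON response, a URL parameter) by adding a method that applies that context's encoding to getRaw(); nothing stored has to be un-escaped first.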
