This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
The ultimate clean/secure function
When it comes to sanitizing POST/GET data, could we just program a loop to go through all set variables in a universal PHP include file and never have to worry about it in code?
I have always done this with a function called sanitize, but this seems to make sense.
You may be better off creating a function in your application that would do it when needed. Then you'll still have the original posted values in case you need them, and you can modify the function as needed based on what you're cleansing by passing it options. For example:
    function getPostField($field)
    {
        // all your sanitation and isset/empty checks
        if (!isset($_REQUEST[$field]) || $_REQUEST[$field] === '') {
            return null;
        }
        // sanitize() is the application's own cleaning helper (not shown here)
        $val = sanitize($_REQUEST[$field]);
        // ...
        return $val;
    }
Yes, of course. Some frameworks do this automatically and store the sanitized REQUEST variables in a different array or object, so the original data is still available should it ever be required.
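One way to build the kind of accessor described in the answers above, as an added example that is not code from the original posts: the request arrays are left untouched, and the caller says what type and limits it expects through an options array. The function name, the option keys and the sample request data are assumptions.

```php
<?php
// Added example (not from the original answers): a request accessor that
// leaves $_POST/$_GET untouched and validates each field for the type the
// caller asks for. Field names, option keys and sample data are assumptions.

/**
 * Fetch one field from the given request array (defaults to $_POST).
 * $options:
 *   'type'    => 'string' | 'int' | 'email'   (default 'string')
 *   'default' => value returned when the field is absent or invalid
 *   'max'     => maximum string length (type 'string') or maximum value (type 'int')
 *   'min'     => minimum value (type 'int')
 */
function getRequestField(string $field, array $options = [], ?array $source = null)
{
    $source  = $source ?? $_POST;
    $type    = $options['type'] ?? 'string';
    $default = $options['default'] ?? null;

    if (!isset($source[$field]) || is_array($source[$field])) {
        return $default;               // missing, or an array where a scalar was expected
    }
    $raw = (string) $source[$field];

    switch ($type) {
        case 'int':
            $range = [];
            if (isset($options['min'])) { $range['min_range'] = $options['min']; }
            if (isset($options['max'])) { $range['max_range'] = $options['max']; }
            $val = filter_var($raw, FILTER_VALIDATE_INT, ['options' => $range]);
            return $val === false ? $default : $val;

        case 'email':
            $val = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
            return $val === false ? $default : $val;

        default: // 'string'
            $val = trim($raw);
            if (isset($options['max']) && mb_strlen($val) > $options['max']) {
                return $default;
            }
            // Reject control characters other than tab and newline (NUL bytes included).
            if (preg_match('/[^\P{C}\t\n]/u', $val)) {
                return $default;
            }
            return $val;
    }
}

// Constructed sample request, used instead of a real $_POST so the script runs offline.
$sample = [
    'qty'   => '12',
    'email' => 'ann@example.com',
    'name'  => "Ann\x00",       // contains a NUL byte
    'tags'  => ['a'],           // an array where a scalar is expected
];

var_dump(getRequestField('qty',   ['type' => 'int', 'min' => 1, 'max' => 99], $sample));
var_dump(getRequestField('email', ['type' => 'email'], $sample));
var_dump(getRequestField('name',  ['type' => 'string', 'default' => ''], $sample));
var_dump(getRequestField('tags',  [], $sample));
var_dump(getRequestField('page',  ['type' => 'int', 'default' => 1], $sample));   // absent field
```

The point of passing the source array in is that the same function serves $_POST, $_GET or a test fixture, and nothing ever writes back into those superglobals.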
This question already has answers here:
what does a question mark mean before a php form action
(4 answers)
Closed 2 years ago.
Can someone explain to me what the use of ?action=add&code= is and what they do in the code below? I have tried to search for it on Google but they gave me the HTML action attribute instead.
<form method="post" action="index.php?action=add&code=<?php echo $product_array[$key]["code"]; ?>">
Sorry for the noob question. Thanks for the reply.
Those are called query string values or parameters, they are one of several potential parts of a URL. Each key/value pair provides information that the server-side code can use when constructing the response to send back to the client. (Or the server-side code could even simply ignore them, they have no harmful effect.)
For example, given this key/value pair on the query string:
action=add
In the server-side code you can get the value "add" by fetching it from the query string by its key:
    $action = $_GET["action"];
    // $action now contains the string "add"
Presumably the logic in the code would then do something based on that value.
action is the name of a "normal" GET variable $_GET['action'].
You must look in the further code to see where it appears and what it is used for.
There is no standard for that.
In the URL, after ?, we can pass values on to another web page, where they can be used further.
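As an added example that is not part of any of the answers above, here is both halves of the exchange the question asks about: building a link that carries action and code, and reading them back on the server side. The product data, the allowed action names and the handler bodies are assumptions; $query stands in for $_GET so the script runs offline.

```php
<?php
// Added example (not from the original answers): building a link with
// query-string parameters and reading them back on the server side.
// The product data, the action names and the handler bodies are assumptions.

// 1. Building the link. http_build_query() percent-encodes each value, and
//    htmlspecialchars() makes the resulting URL safe to place in an HTML attribute
//    (it turns "&" into "&amp;", which the browser decodes back to "&").
function productActionUrl(string $action, string $code): string
{
    $query = http_build_query(['action' => $action, 'code' => $code]);
    return htmlspecialchars('index.php?' . $query, ENT_QUOTES, 'UTF-8');
}

// 2. Reading the parameters. $query stands in for $_GET so the script runs offline;
//    in a real request you would pass $_GET.
function handleRequest(array $query, array $catalogue): string
{
    // Only actions this page knows about are accepted; anything else is ignored.
    $allowedActions = ['add', 'remove'];
    $action = $query['action'] ?? '';
    if (!is_string($action) || !in_array($action, $allowedActions, true)) {
        return 'No action taken.';
    }

    // The product code must look like a code, and exist, before it is used.
    $code = $query['code'] ?? '';
    if (!is_string($code) || !preg_match('/^[A-Z0-9_-]{1,20}$/', $code) || !isset($catalogue[$code])) {
        return 'Unknown product.';
    }

    $name = htmlspecialchars($catalogue[$code]['name'], ENT_QUOTES, 'UTF-8');
    return $action === 'add'
        ? "Added {$name} to the cart."
        : "Removed {$name} from the cart.";
}

// Constructed catalogue, standing in for $product_array in the question.
$catalogue = [
    'SKU-1' => ['name' => 'Kettle'],
    'SKU-2' => ['name' => 'Toaster & Grill'],
];

echo productActionUrl('add', 'SKU-2'), PHP_EOL;

// parse_str() does what PHP does with the query string when it fills $_GET.
parse_str('action=add&code=SKU-2', $parsed);
echo handleRequest($parsed, $catalogue), PHP_EOL;

parse_str('action=delete&code=SKU-2', $parsed);
echo handleRequest($parsed, $catalogue), PHP_EOL;
```

The allowlist on action and the format check on code are the parts that matter: because the client controls every query-string value, the server-side code decides what it will accept rather than trusting what arrived.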
This question already has answers here:
Is it possible to curry method calls in PHP?
(8 answers)
Closed 5 years ago.
Don't necessarily have a problem with how PHP does this or anything, more just a question out of curiosity. I am familiar with functional programming but am by no means an expert. I am writing functions currently and although I have no requirement for them to be functional, that may change in the future. So best to be prepared I say.
My question is, how would you curry a function like in_array?
From what I understand we have two parameters, needle and haystack.
Both seem to be required when the function is called.
We must know the array we are searching at the start of the function, and we must also know what we are searching for.
To me it seems hard to force any partial application or currying solution whereby we might know one or the other at a later point.
I suppose you could have a non-generic function whereby you specify the needle within the function. I did see something about spattering in Google. How would you handle this if asked to rewrite the function and curry it? I know I specified PHP but I suppose any language is really fine as long as the specs are the same.
Well, it's relatively straightforward in PHP - almost the same as in any other language that treats functions as values. For example:
    function create_search_by_array($arr) {
        // the returned closure captures $arr and waits for the needle
        return function($needle) use ($arr) {
            return in_array($needle, $arr);
        };
    }
    $search_in_1_to_10 = create_search_by_array(range(1, 10));
    var_dump($search_in_1_to_10(1)); // true
    var_dump($search_in_1_to_10(10)); // true
    var_dump($search_in_1_to_10(11)); // false
The only caveat here is the use ($arr) construct: without it, the inner function won't be able to see the corresponding variable from the outer scope.
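The answer above fixes the haystack by hand for one function. As an added example (not from the original post), the same idea generalized: a curry() helper that turns any callable into a chain of single-argument calls, using reflection to learn how many required parameters it has. The helper name, the argument-flipped wrapper around in_array and the clamp example are assumptions.

```php
<?php
// Added example (not from the original answer): a generic curry() helper.
// It collects arguments one call at a time and invokes the wrapped function
// once it has as many as the function requires.

function curry(callable $fn): callable
{
    $arity = (new ReflectionFunction(Closure::fromCallable($fn)))
        ->getNumberOfRequiredParameters();

    // $accumulate refers to itself by reference so it can return another
    // partially-applied step until enough arguments have been collected.
    $accumulate = function (array $args) use ($fn, $arity, &$accumulate): callable {
        return function (...$next) use ($fn, $arity, $args, &$accumulate) {
            $all = array_merge($args, $next);
            return count($all) >= $arity ? $fn(...$all) : $accumulate($all);
        };
    };

    return $accumulate([]);
}

// in_array takes (needle, haystack); to fix the haystack first, flip the arguments.
// The third argument makes the comparison strict, so '1' and 1 are different.
$inArrayStrict = curry(function (array $haystack, $needle): bool {
    return in_array($needle, $haystack, true);
});

$isSmallNumber = $inArrayStrict(range(1, 10));
var_dump($isSmallNumber(1));
var_dump($isSmallNumber(11));
var_dump($isSmallNumber('1'));   // a string, not an int, so strict search fails

// The same helper works for any arity, here a three-argument function
// applied one argument at a time.
$clamp = curry(fn(int $min, int $max, int $value): int => max($min, min($max, $value)));
$clampPercent = $clamp(0)(100);
var_dump($clampPercent(150));
```

Because the helper reads the required-parameter count, it also works on built-ins such as curry('in_array') directly; the flipped wrapper is only there so that the haystack, the argument usually known first, is the one supplied first.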
This question already has answers here:
The ultimate clean/secure function
(5 answers)
Closed 7 years ago.
I need to make a security system in a PHP application.
I have a problem with that, because this project is very big and doesn't have any security. In all queries somebody uses $_POST variables without e.g. mysql_real_escape_string.
Changing each query to PDO or MySQLi will take a lot of time.
I know that this is the best way, but can I protect the code generally, in the core of the application?
e.g.:
    foreach ($_POST as $name => $data)
    {
        $_POST[$name] = mysql_real_escape_string($data);
    }
    foreach ($_GET as $name => $data)
    {
        $_GET[$name] = mysql_real_escape_string($data);
    }
I read that this idea is stupid in this topic.
It's a good thing you know mysql is deprecated, but since you still want to use it, I can help you with the way I did mine.
I usually create a function for stripping, trimming and escaping inputs and outputs.
So:
    function sanitizer($input)
    {
        return mysql_real_escape_string(htmlspecialchars(trim($input)));
    }
Then before any input or output I used to pass the fields through the function.
    $name = sanitizer($_POST['name']);
And that's all. I hope it helped.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
Can't use PDO.
I have read many questions here. This is my first time trying to do something for people outside my office, so I need to sanitize data input; researching it, I found this function.
    function clean_data($input){
        $input = trim(htmlentities(strip_tags($input,",")));
        if (get_magic_quotes_gpc())
            $input = stripslashes($input);
        $input = mysql_real_escape_string($input);
        return $input;
    }
example:
    $vartodb = clean_data($_POST['yourformfieldhere']);
Is this function OK to sanitize data?
Not really.
If you are going to put the variable in a database, you would be better off using a prepared statement with bound variables. If you cannot use PDO, you can do that as well with mysqli. If you are really stuck with the mysql_* functions, you would only need mysql_real_escape_string.
If you output to the browser, you only need htmlspecialchars.
In short, there is no universal sanitizing function, you need to prepare / escape / encode your data for the medium you are outputting to.
This is a vast topic - this function is ok but there are much better ways to do it.
Check mysqli_real_escape_string: http://php.net/manual/en/mysqli.real-escape-string.php
Don't forget prepared statements: http://php.net/manual/en/pdo.prepared-statements.php
Also, what if your input is of type integer? You should be typecasting.
Also, what if someone adds extra fields to your web form?
While this function does do some sanitisation it is only the tip of the iceberg, like I said it is a vast topic.
In my opinion this is sloppy code that offers little protection.
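The last two questions (the blanket loop over $_POST and the clean_data function) both get the same answer: there is no universal sanitizer, so each medium gets its own treatment. As an added example that is not code from any of the posts, here is what that looks like in one request handler: keep $_POST as it is, accept only the fields the form is expected to carry, cast numbers, bind strings in a mysqli prepared statement when writing to MySQL, and encode with htmlspecialchars() only when writing HTML. The table and column names, the form fields and the mysqli connection details are assumptions.

```php
<?php
// Added example (not from the original posts): per-context handling of form
// input. Table name, column names, form fields and connection details are
// assumptions.

/** Keep only the fields this form is allowed to send; unexpected ones are dropped. */
function expectedFields(array $post, array $allowed): array
{
    $fields = array_intersect_key($post, array_flip($allowed));
    // Every expected field here is a scalar, so nested arrays are discarded too.
    return array_filter($fields, 'is_scalar');
}

/** Database context: placeholders and bound values, no escaping by hand. */
function insertComment(mysqli $db, int $productId, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (product_id, author, body) VALUES (?, ?, ?)');
    $stmt->bind_param('iss', $productId, $author, $body);
    $stmt->execute();
    return $stmt->insert_id;
}

/** HTML context: encode at output time, so the stored text stays exactly as typed. */
function renderComment(string $author, string $body): string
{
    return '<p><b>' . htmlspecialchars($author, ENT_QUOTES, 'UTF-8') . '</b>: '
         . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed stand-in for $_POST; the real superglobal is never modified.
$post = [
    'product_id' => '42',
    'author'     => "O'Brien",
    'body'       => 'Great <b>value</b> & fast delivery',
    'is_admin'   => '1',            // not part of the form, dropped below
];

$fields = expectedFields($post, ['product_id', 'author', 'body']);

// Numeric context: a cast leaves no room for anything but an integer.
$productId = (int) ($fields['product_id'] ?? 0);
$author    = trim((string) ($fields['author'] ?? ''));
$body      = trim((string) ($fields['body'] ?? ''));

if ($productId <= 0 || $author === '' || $body === '' || mb_strlen($body) > 2000) {
    echo 'Rejected: missing or oversized field.', PHP_EOL;
    exit;
}

echo renderComment($author, $body), PHP_EOL;

// Writing to the database needs a live MySQL server, so this part only runs when
// asked for; host, credentials and schema are placeholders.
if (getenv('DEMO_DB') === '1') {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli('localhost', 'app_user', 'app_password', 'shop');
    $db->set_charset('utf8mb4');   // binding and escaping are charset-aware
    echo 'Inserted comment #', insertComment($db, $productId, $author, $body), PHP_EOL;
}
```

Note what is not here: the apostrophe in O'Brien and the tags in the body are stored as typed, because the prepared statement keeps data and SQL separate, and the HTML encoding happens at the one place the text meets a browser. Running htmlspecialchars() or mysql_real_escape_string() on everything up front, as the two questions propose, would corrupt the stored values and still leave the integer column unprotected.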
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
PHP - Calling functions with multiple variables
    function test($var1=null, $var2=null, $var3=null){
        //smart stuff goes here
    }
Do I have to call the function passing all variables every time?
    test(null, $var2, null);
I'd like to pass only $var2 because all the other variables have default values... Is it even possible?
In JavaScript we can pass an object to the function, is there something similar in PHP?
You only have to pass the arguments up to and including the last argument you do not wish to use the default value for. In your example, you could do this:
    test(null, $var2);
The last argument can be omitted since the default value is satisfactory. But the first one must be included so PHP knows that you are setting the value for the second parameter.
Until PHP offers named parameters like Python does, this is how it has to work.
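PHP 8.0 added named arguments, so the situation the answer describes has since changed. As an added example that is not part of the original answer, here is the named-argument call next to the pre-8.0 substitute the question hints at: a single options array merged over defaults, which is the closest PHP equivalent of passing an object in JavaScript. The function bodies, the option keys and the unknown-key check are assumptions; the named-argument line requires PHP 8.0 or later.

```php
<?php
// Added example (not from the original answer). Requires PHP 8.0+ for the
// named-argument call; the options-array pattern works on older versions.

function test($var1 = null, $var2 = null, $var3 = null): string
{
    return sprintf('var1=%s var2=%s var3=%s',
        var_export($var1, true), var_export($var2, true), var_export($var3, true));
}

// PHP 8.0+: skip the defaults you don't care about by naming the one you set.
echo test(var2: 'only this one'), PHP_EOL;

// Pre-8.0 pattern: one associative array, merged over the defaults.
function testWithOptions(array $options = []): string
{
    $defaults = ['var1' => null, 'var2' => null, 'var3' => null];

    // An unknown key usually means a typo ('val2' for 'var2'); refuse it
    // instead of silently falling back to the default.
    $unknown = array_diff_key($options, $defaults);
    if ($unknown !== []) {
        throw new InvalidArgumentException(
            'Unknown option(s): ' . implode(', ', array_keys($unknown)));
    }

    $opt = array_merge($defaults, $options);
    return test($opt['var1'], $opt['var2'], $opt['var3']);
}

echo testWithOptions(['var2' => 'only this one']), PHP_EOL;

try {
    testWithOptions(['val2' => 'typo']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The unknown-key check is the part worth keeping even with named arguments available: PHP rejects a misspelled named argument at call time, and the options-array version should fail just as loudly rather than quietly using a default.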