
cleaning and re-using $_POST

greetings...

I'm wondering what more advanced coders would think of this:

$_POST['myvar'] = clean($_POST['myvar']);

and now I can use POST directly:

$sql= "select * from T1 where myvar='$_POST[myvar]' " ;

function clean($var){
return addslashes(trim($var)); // whatever
}

The reason I came up with this is because I often end up calling
clean() several times on the same variable. So to avoid declaring a PHP
variable for each posted one, I would use an array

$arr['myvar'] = clean($_POST['myvar']);
$arr['myvar2'] = clean($_POST['myvar2']);

but since $_POST is already there, why not use it? The benefit is
simpler code, but maybe there are some security issues - that's what I
don't know.

May 7 '06 #1
Rik
zorro wrote:
greetings...

I'm wondering what more advanced coders would think of this:

$_POST['myvar'] = clean($_POST['myvar']);

and now I can use POST directly:

$sql= "select * from T1 where myvar='$_POST[myvar]' " ;

function clean($var){
return addslashes(trim($var)); // whatever
}

The reason I came up with this is because I often end up calling
clean() several times on the same variable. So to avoid declaring a
PHP variable for each posted one, I would use an array

$arr['myvar'] = clean($_POST['myvar']);
$arr['myvar2'] = clean($_POST['myvar2']);

but since $_POST is already there, why not use it? The benefit is
simpler code, but maybe there are some security issues - that's what I
don't know.


My solution:
/* create array containing expected POST variables, all others are useless */
$expected = array('submit', 'text1' /* etc. */);

foreach($expected as $var){
if(get_magic_quotes_gpc()){
$_POST[$var] = stripslashes($_POST[$var]);
}
$postvars[$var] = mysql_real_escape_string(trim($_POST[$var]));
}
And further on I only use $postvars, $_POST is left alone.

If you just want to clean all POST variables:

foreach($_POST as $key => $value){
if(get_magic_quotes_gpc()){
$value = stripslashes($value);
}
$_POST[$key] = mysql_real_escape_string(trim($value));
}

Grtz,
--
Rik Wasmus
May 7 '06 #2
zorro wrote:
$_POST['myvar'] = clean($_POST['myvar']);


I often do such things -- why create a new array when $_POST already
exists (and is conveniently a superglobal!)?

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

May 7 '06 #3
zorro wrote:
greetings...

I'm wondering what more advanced coders would think of this:

$_POST['myvar'] = clean($_POST['myvar']);

and now I can use POST directly:

$sql= "select * from T1 where myvar='$_POST[myvar]' " ;

function clean($var){
return addslashes(trim($var)); // whatever
}

The reason I came up with this is because I often end up calling
clean() several times on the same variable. So to avoid declaring a PHP
variable for each posted one, I would use an array

$arr['myvar'] = clean($_POST['myvar']);
$arr['myvar2'] = clean($_POST['myvar2']);

but since $_POST is already there, why not use it? The benefit is
simpler code, but maybe there are some security issues - that's what I
don't know.


I don't like it at all.

First of all, what happens if you need to access the unchanged versions of the
$_POST variables? Maybe not now - but you might in the future. Your code may
*look* simpler - but you've just made it much harder to modify in the future.

Second, if you're calling mysql, you should be using mysql_real_escape_string
instead of addslashes.

If you're calling clean for the same variable multiple times, you should be
storing the value in a new variable the first time, then use it there. For
instance -

$myvar = clean($_POST['myvar']);

No need to call the same function repeatedly for the same data.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
May 7 '06 #4
Jerry Stuckle wrote:
First of all, what happens if you need to access the unchanged versions
of the $_POST variables? Maybe not now - but you might in the future.


Then you add

<?php
$origpost = $_POST;
?>

at the top of your file. :-)

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

May 7 '06 #5
Toby Inkster wrote:
Jerry Stuckle wrote:

First of all, what happens if you need to access the unchanged versions
of the $_POST variables? Maybe not now - but you might in the future.

Then you add

<?php
$origpost = $_POST;
?>

at the top of your file. :-)


Hi, Toby,

Well, as you just said:

"... why create a new array when $_POST already exists (and is conveniently a
superglobal!)?"

:-)

People are used to using $_POST; adding another variable in its place makes
things more confusing. Additionally, if you ever need to merge in other
routines which use $_POST, you'll need to change that code.

The result could end up being that some of your code uses $_POST and some doesn't.
This can rapidly become confusing.

And BTW, $origpost won't be a superglobal.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
May 7 '06 #6
Rik
Jerry Stuckle wrote:
I don't like it at all.

First of all, what happens if you need to access the unchanged
versions of the $_POST variables? Maybe not now - but you might in
the future. Your code may *look* simpler - but you're just made it
much harder to modify in the future.


I've never had the need to have BOTH the "cleaned" and the "dirty" variable.

So, in combination with the earlier posted code, you could simply make an
array of variables to clean:

$vars_to_clean = array('var1', 'var2', 'var3');
foreach($vars_to_clean as $var){
if(isset($_POST[$var])){
$_POST[$var] = mysql_real_escape_string(trim($_POST[$var]));
}
}

Works OK for me, but then again, I haven't done projects that big.

Alternatively, you could:
foreach($_POST as $key => $value){
$_POST['clean_'.$key] = mysql_real_escape_string(trim($value));
}

2 drawbacks:
- although it's possible, adding extra keys to the $_POST array isn't to my
taste...
- you'd have to guard yourself from POST variables already beginning with
'clean_', which of course would become clean_clean_something... So no
checking on whether the key begins with 'clean_'.

Grtz,
--
Rik Wasmus
May 7 '06 #7
A good general rule of thumb is to leave super globals alone as much as
possible. If you do need to modify them, modify only the parts you
need. Modifying super globals is just asking for trouble when you
start introducing code that assumes (and relies on) those superglobals
are untouched. It may be a bit more work, but I think it's very much
worth it with regards to input validation.

Also:
I also don't see a difference between this and the god forsaken
magic_quotes ini option.
addslashes() doesn't escape everything necessary to make a string safe
for an SQL query (iirc, it was something in oracle or postgres)
A fun gotcha would be when you clean() something twice, but then only
stripslashes() once, giving you a nice growing list of \'s for the
users input, which is incredibly annoying to the poor guy trying to use
the form.

May 8 '06 #8
I leave the $_POST and $_GET array untouched and if I want to work with
the values stored in them I either stick them in individual local
variables or in a local array. That way the original values can be
referenced later if required.
One of the first rules I learned when I started programming was never
modify passed-in variables directly, and the $_POST array and $_GET
array are essentially values passed into your script and their
super-global nature means a seemingly unrelated piece of code could be
broken by accidentally re-assigning an incorrect value to the array.

May 9 '06 #9
What about removing the backslashes from _GET/_POST/_COOKIE/_REQUEST
and making it a real raw variable instead of "cleaning" it.
Only "clean" things when they are in an SQL query, and you do
addslashes() with the variable. This saves you time and the magic
quotes are unnecessary in the first place (where people don't know how
to protect themselves from SQL injection)...

Take this for a good example:
http://de2.php.net/manual/en/functio...shes.php#60786
Initialize it at the start and then work with that. I am aware of the
"double" usage but I am also aware that you sometimes can get beaten by
the magic quotes ;] (so do it now, not later!)

May 10 '06 #10
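An added example (not code from the thread or any of its posters) of the approach Rik (#2), the anonymous reply #8 and Drakazz (#10) converge on: leave $_POST alone, build one raw copy of the expected keys with magic quotes undone exactly once, and escape only at the SQL boundary. The $magicQuotesOn flag stands in for get_magic_quotes_gpc(), and addslashes() is used only as a stand-in escaper so the script runs without a database; the $postSimulated array is constructed input.

```php
<?php
// Undo magic_quotes_gpc once so later code sees the value the user sent.
// $magicQuotesOn stands in for get_magic_quotes_gpc() (gone in PHP 8).
function raw_input(array $source, array $expected, bool $magicQuotesOn): array
{
    $raw = array();
    foreach ($expected as $key) {          // whitelist: unexpected keys are ignored
        if (!isset($source[$key]) || !is_string($source[$key])) {
            continue;
        }
        $value = $magicQuotesOn ? stripslashes($source[$key]) : $source[$key];
        $raw[$key] = trim($value);
    }
    return $raw;                           // $source itself is never modified
}

// Quote a value for an SQL string literal at the point of use. $escape is the
// escaper for the driver in use; with MySQL pass a closure around
// mysqli_real_escape_string bound to the open connection, not addslashes().
function sql_literal(string $value, callable $escape): string
{
    return "'" . $escape($value) . "'";
}

// Constructed request: the user typed  O'Brien  and magic quotes was on,
// so PHP handed the script a backslash-escaped quote with stray whitespace.
$postSimulated = array('myvar' => " O\\'Brien ", 'junk' => 'ignored');
$input = raw_input($postSimulated, array('myvar'), true);
echo "raw value: " . $input['myvar'] . "\n";

$escape = 'addslashes';                     // demo stand-in for the real escaper
$sql = "select * from T1 where myvar=" . sql_literal($input['myvar'], $escape);
echo "query:     " . $sql . "\n";

// The gotcha from reply #8: "cleaning" an already cleaned value stacks
// backslashes, and a single stripslashes() no longer restores the original.
$twice = $escape($escape($input['myvar']));
echo "cleaned twice:            " . $twice . "\n";
echo "after one stripslashes(): " . stripslashes($twice) . "\n";
```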
What about removing the backslashes from _GET/_POST/_COOKIE/_REQUEST
and making it a real raw variable instead of "cleaning" it.
Only "clean" things when they are in an SQL query, and you do
addslashes() with the variable. This saves you time and the magic
quotes are unnecessary in the first place (where people don't know how
to protect themselves from SQL injection)...

Take this for a good example:
http://de2.php.net/manual/en/functio...shes.php#60786
Initialize it at the start and then work with that. I am aware of the
"double" usage but I am also aware that you sometimes can get beaten by
the magic quotes ;] (so do it now, not later!)

May 10 '06 #11
Drakazz wrote:
What about removing the backslashes from _GET/_POST/_COOKIE/_REQUEST
and making it a real raw variable instead of "cleaning" it.
Only "clean" things when they are in an SQL query, and you do
addslashes() with the variable. This saves you time and the magic
quotes are unnecessary in the first place (where people don't know how
to protect themselves from SQL injection)...

Take this for a good example:
http://de2.php.net/manual/en/functio...shes.php#60786
Initialize it at the start and then work with that. I am aware of the
"double" usage but I am also aware that you sometimes can get beaten by
the magic quotes ;] (so do it now, not later!)


I wouldn't call it a *good* example. Just someone asking about how to do
something and some suggestions.

Like William, I leave $_GET, $_POST, etc. strictly alone. If I need to clean a
value, I clean it and save it in another variable.

And you shouldn't be using addslashes() with MySQL - you should be using
mysql_real_escape_string().

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
May 10 '06 #12
Jerry, thanks for telling me about mysql_real_escape_string
However, at least what I prefer is that the _GET and other user input
variables would be as they were sent to the browser, in the sense that
' wouldn't be escaped to \' . A good example is you trying to write to
a file :x

May 10 '06 #13
Drakazz wrote:
Jerry, thanks for telling me about mysql_real_escape_string
However, at least what I prefer is that the _GET and other user input
variables would be as they were sent to the browser, in the sense that
' wouldn't be escaped to \' . A good example is you trying to write to
a file :x


Drakazz,

They won't be escaped if magic quotes is off.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
May 10 '06 #14
...that's why you check ;)

May 10 '06 #15
Drakazz wrote:
..that's why you check ;)


No, I just don't host at places with magic quotes on. And tell my customers to
do the same.

After all - why have them on? It's overhead to escape all those chars, and more
overhead to remove them!
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
May 10 '06 #16