String Cleaning Function
Posted: Wed Feb 02, 2011 8:44 pm
by Gate
Make a function in your common includes file as such:
Code:
    <?php
    //////////////////////////////////////////////////////
    // Function: Secure_Input()
    // Use: Secures input against SQL/Script injection
    //////////////////////////////////////////////////////
    function secure_input($input){
        $input = htmlentities($input);              // convert HTML special characters to entities
        $input = mysql_real_escape_string($input);  // escape for a MySQL query (needs an open mysql_connect() link)
        $input = strip_tags($input);                // drop any HTML/PHP tags that are still present
        return $input;
    }
    //////////////////////////////////////////////////////
    // End - Secure_Input()
    //////////////////////////////////////////////////////
    ?>
Example Code:
Code:
    <?php
    $variable = $_POST['variable'];
    $clean_variable = secure_input($variable);
    ?>
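The function in this post encodes for two output contexts (HTML and SQL) at input time, so what reaches the database is already HTML-encoded and the same stored value cannot be reused safely by any consumer that is not an HTML page. The example below is added here and is not Gate's code or part of the original thread: it shows the per-context alternative, a prepared statement for the SQL step and htmlspecialchars() for the HTML step at render time. It assumes PDO with the sqlite driver so it runs without a MySQL server; the table, the function names and the sample input are made up for the demonstration.

```php
<?php
// Added example (not code from this thread): escape for each output context
// separately instead of "cleaning" the input once. The SQL context is handled
// by a prepared statement with a bound parameter, the HTML context by
// htmlspecialchars() at render time, and the raw string is stored unchanged.
// Assumes PDO with the sqlite driver so it runs with no MySQL server.

function open_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// SQL context: the value is sent as a bound parameter, never spliced into the
// statement text, so quotes, backslashes and SQL keywords inside it are inert.
function store_comment(PDO $db, string $raw): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $raw]);
    return (int) $db->lastInsertId();
}

function load_comment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// HTML context: encode at the point of output. ENT_QUOTES also converts the
// single quote, which matters inside single-quoted attributes; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function render_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A second consumer of the same stored value, with its own escaping rules:
// the HEX flags keep <, >, & and quotes out of an inline <script> block.
function render_json(string $text): string
{
    return json_encode(
        ['body' => $text],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS | JSON_THROW_ON_ERROR
    );
}

// Constructed sample input: a quote, markup, an ampersand and a SQL comment
// marker, i.e. the characters the thread's function tries to neutralise.
$raw = "O'Reilly wrote: <b>hi</b> & \"bye\" -- ";

$db = open_store();
$id = store_comment($db, $raw);
$stored = load_comment($db, $id);

if ($stored !== $raw) {
    throw new RuntimeException('stored value was altered on the way through the database');
}
echo render_html($stored), PHP_EOL;
echo render_json($stored), PHP_EOL;
```

The point of the round trip check is that the database receives and returns the user's text byte for byte; the encoding decision is deferred to whichever view renders it, and each view applies the rules of its own context.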
Re: String Cleaning Function
Posted: Wed Feb 02, 2011 9:24 pm
by Jackolantern
Don't you need to either pass the parameter by reference, such as:
Code:
    function secure_input(&$input){ //added pass-by-reference symbol
        $input = htmlentities($input);
        $input = mysql_real_escape_string($input);
        $input = strip_tags($input);
    }
...or return the value?
Code:
    function secure_input($input){
        $input = htmlentities($input);
        $input = mysql_real_escape_string($input);
        $input = strip_tags($input);
        return $input;
    }
Otherwise $input will be a local copied-by-value variable and will simply go out of scope when the function returns without changing the underlying value of the variable passed into the function call.
Re: String Cleaning Function
Posted: Thu Feb 03, 2011 7:30 am
by Gate
Jackolantern wrote:
    Don't you need to either pass the parameter by reference, such as:
    Code:
        function secure_input(&$input){ //added pass-by-reference symbol
            $input = htmlentities($input);
            $input = mysql_real_escape_string($input);
            $input = strip_tags($input);
        }
I've only ever seen the passing of parameters by reference in a class, never seen much use of them in general and never seen their use in a professional web project, so I'll stick to my way for now.
Jackolantern wrote:
    ...or return the value?
    Code:
        function secure_input($input){
            $input = htmlentities($input);
            $input = mysql_real_escape_string($input);
            $input = strip_tags($input);
            return $input;
        }
    Otherwise $input will be a local copied-by-value variable and will simply go out of scope when the function returns without changing the underlying value of the variable passed into the function call.
You don't actually need to return the value in the function for this code to work if the function is used as defined below; the variable does not lose scope.
Although it is good practice to always have the return command in there, so thanks for pointing it out; edited the code to reflect the changes.
Re: String Cleaning Function
Posted: Fri Feb 04, 2011 12:13 am
by Jackolantern
Gate wrote:
    Jackolantern wrote:
        Don't you need to either pass the parameter by reference, such as:
        Code:
            function secure_input(&$input){ //added pass-by-reference symbol
                $input = htmlentities($input);
                $input = mysql_real_escape_string($input);
                $input = strip_tags($input);
            }
    I've only ever seen the passing of parameters by reference in a class, never seen much use of them in general and never seen their use in a professional web project, so I'll stick to my way for now.
You are right. Passing by reference is typically considered bad practice and should only be used for optimization, or when no other option exists, since it can introduce difficult-to-track bugs into the application.
Gate wrote:
    Jackolantern wrote:
        ...or return the value?
        Code:
            function secure_input($input){
                $input = htmlentities($input);
                $input = mysql_real_escape_string($input);
                $input = strip_tags($input);
                return $input;
            }
        Otherwise $input will be a local copied-by-value variable and will simply go out of scope when the function returns without changing the underlying value of the variable passed into the function call.
    You don't actually need to return the value in the function for this code to work if the function is used as defined below; the variable does not lose scope.
    Although it is good practice to always have the return command in there, so thanks for pointing it out; edited the code to reflect the changes.
Hmm...I was curious about this since the PHP Manual says that the default behavior was pass-by-value. I tried out a function that simply re-assigned the string value once it was passed in, used the same variable name, and it didn't work. In fact, it didn't even have the initial, out-of-function value when I echo'd it, which was very odd. PHP has some really strange bits to it... lol
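PHP passes scalars and arrays by value unless the parameter is declared with `&`, so the three versions of the function discussed in this thread (no return, `&` parameter, and return value) behave differently for the caller. The example below is added here and was not posted by either participant; it puts the three variants side by side with strtoupper() standing in for the escaping calls, so it runs without a database link and only the parameter-passing behaviour is on show. The function names are made up.

```php
<?php
// Added example, not posted in this thread: the three variants of the
// function discussed above, side by side, so the caller-side effect of each
// is visible. strtoupper() stands in for the thread's escaping calls so no
// database link is needed; only the parameter-passing behaviour matters here.

// 1. Pass by value, no return: works on its own copy of the string, so the
//    caller's variable is left as it was.
function clean_by_value(string $input): void
{
    $input = strtoupper($input);
}

// 2. Pass by reference (&): the parameter aliases the caller's variable, so
//    the assignment inside the function is visible to the caller.
function clean_by_reference(string &$input): void
{
    $input = strtoupper($input);
}

// 3. Pass by value and return: the caller decides which variable to overwrite.
function clean_and_return(string $input): string
{
    return strtoupper($input);
}

function demo(): array
{
    $results = [];

    $a = 'abc';
    clean_by_value($a);
    $results['by value, no return'] = $a;       // unchanged: the function worked on a copy

    $b = 'abc';
    clean_by_reference($b);
    $results['by reference'] = $b;              // changed: same variable inside and out

    $c = 'abc';
    $c = clean_and_return($c);
    $results['returned and assigned'] = $c;     // changed: caller stored the result

    // Calling the returning variant and discarding the result: the function
    // runs, but nothing in the caller's scope is updated.
    $d = 'abc';
    clean_and_return($d);
    $results['return ignored'] = $d;            // unchanged

    return $results;
}

foreach (demo() as $variant => $value) {
    printf("%-22s %s\n", $variant, $value);
}
```

The last case is the one to watch for in a code base that has a helper like secure_input(): a call whose return value is dropped looks like a sanitisation step in review but leaves the original variable exactly as it came in from the request.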
Re: String Cleaning Function
Posted: Fri Feb 04, 2011 2:08 pm
by Gate
It seems that the pass-by-reference symbols are PHP's version of pointers, whereas pointers in C++ actually have a use in referencing blocks of memory; PHP, it seems to me, lacks any use for its 'pointer' system in a web environment.
Re: String Cleaning Function
Posted: Fri Feb 04, 2011 9:10 pm
by Jackolantern
Yeah, it is just a hold-over from C/C++ for passing-by-reference. Most modern languages use the keyword "ref" in front of the parameter to signal a pass-by-reference rather than use the old C++ "&" symbol. As you mentioned, PHP does not have true pointer arithmetic or functionality, so it is kind of silly that they used it (particularly since it was added after Java changed the industry standard to using the "ref" keyword).
Re: String Cleaning Function
Posted: Sat Feb 05, 2011 9:11 pm
by Chris
Memory saver:
Code:
    function secure_input($input)
    {
        return htmlentities(mysql_real_escape_string(strip_tags($input)));
    }
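The one-liner above is not only shorter than the first post's version: it applies the same three calls in the opposite order, and with chained transforms the order determines the result. The example below is added here and is not Chris's or Gate's code; it runs both orders on one constructed input. addslashes() stands in for mysql_real_escape_string(), which needs an open MySQL link and was removed together with the mysql extension in PHP 7.0, and the htmlentities() flags are passed explicitly because the default changed in PHP 8.1. Function names are made up.

```php
<?php
// Added example, not from this thread: the two chains posted here run the
// same three transforms in opposite order, and the order changes the output.
// addslashes() stands in for mysql_real_escape_string(), which needs an open
// MySQL link and was removed with the mysql extension in PHP 7.0; for the
// characters in this sample the two add the same backslashes.

// First post: htmlentities -> escape -> strip_tags
function chain_first_post(string $input): string
{
    $input = htmlentities($input, ENT_QUOTES, 'UTF-8');
    $input = addslashes($input);   // finds nothing to escape: the quote is already an entity
    return strip_tags($input);     // finds no tag: the angle brackets are already entities
}

// Chris's one-liner: strip_tags -> escape -> htmlentities
function chain_one_liner(string $input): string
{
    return htmlentities(addslashes(strip_tags($input)), ENT_QUOTES, 'UTF-8');
}

// Constructed sample: a tag and a quote, the two things the chains target.
$sample = "<b>O'Reilly</b>";

// In the first order the markup survives in encoded form because strip_tags()
// runs after the brackets have been converted. In the second order the tag is
// removed before encoding, and the backslash that addslashes() puts in front
// of the quote stays in the output next to the now-encoded quote.
$outputs = [
    'first post' => chain_first_post($sample),
    'one-liner'  => chain_one_liner($sample),
];
foreach ($outputs as $name => $out) {
    printf("%-11s %s\n", $name, $out);
}
```

Whichever order is chosen, the value that reaches the database carries HTML entities and backslashes from two different contexts at once, which is the reason the escaping is better done separately, at the point where each context is actually entered.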
Re: String Cleaning Function
Posted: Mon Feb 07, 2011 10:30 pm
by Gate
Chris wrote:
    Memory saver:
    Code:
        function secure_input($input)
        {
            return htmlentities(mysql_real_escape_string(strip_tags($input)));
        }
Rather go for clarity, good formatting and comments over saving maybe 2 bytes of memory. You should too!