PHP Functions To Clean Database Inputs - Programming - Nairaland

PHP Functions To Clean Database Inputs by D34lw4p(m): 7:42am On Jan 26, 2016
1) Function for stripping out malicious bits


<?php
// Removes script blocks, style blocks, HTML comments and remaining tags from a string.
function cleanInput($input) {
    // The block patterns run first; the generic tag stripper runs last so the
    // contents of <script>/<style> blocks are removed along with their tags.
    $search = array(
        '@<script[^>]*?>.*?</script>@si',   // Strip out javascript
        '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
        '@<![\s\S]*?--[ \t\n\r]*>@',        // Strip multi-line comments
        '@<[\/\!]*?[^<>]*?>@si'             // Strip out HTML tags
    );
    $output = preg_replace($search, '', $input);
    return $output;
}
?>


2) Sanitization function

Uses the function above and also adds slashes so as not to break database functions.


<?php
// Recursively cleans a value (or an array of values) for use with the legacy
// mysql extension. Needs an open mysql_connect() link, since
// mysql_real_escape_string() escapes according to the connection's charset.
function sanitize($input) {
    if (is_array($input)) {
        $output = array();
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        // Undo magic quotes so the value is not escaped twice
        // (get_magic_quotes_gpc() no longer exists in PHP 8).
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}
?>


Usage


<?php
$bad_string = "Hi! <script src=' http://www.evilsite.com /bad_script.js'></script> It's a good day!";
$good_string = sanitize($bad_string);
// $good_string is now "Hi!  It\'s a good day!" (script block removed, quote escaped)
// Also use for getting POST/GET variables
$_POST = sanitize($_POST);
$_GET = sanitize($_GET);
?>



Join The Coders Forum www.nct.com.ng
Re: PHP Functions To Clean Database Inputs by DonSegmond(m): 3:25pm On Jan 26, 2016
This is terrible advice. Never do this. Sanitizing your own input will get you in trouble in so many ways.
There are so many creative ways to inject malformed and evil input into a database for SQL injection.

The best way to handle untrusted inputs is to delegate to the database driver. Use prepared statements with parameters.

With PHP, you can get the benefit of that using PDO.

2 Likes
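The approach DonSegmond describes, shown as an added example (not code from the thread or from any poster): the untrusted value travels to the driver as a bound parameter, so it is stored exactly as submitted, and escaping for the HTML context happens only when the value is printed. It assumes PHP 7.1 or later with the pdo_sqlite extension loaded; an in-memory SQLite database stands in for the MySQL server so the script runs offline. The function and table names are my own choices.

```php
<?php
// Added example, not code from the thread: the approach DonSegmond describes,
// with the untrusted value passed to the driver as a bound parameter.
// Assumption: PHP 7.1+ with the pdo_sqlite extension loaded; an in-memory
// SQLite database stands in for the real MySQL server so the script runs offline.

declare(strict_types=1);

function openDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Raise exceptions on SQL errors instead of returning false silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

// The SQL text contains only a placeholder; the data is bound separately, so a
// quote inside $body is stored as a character rather than parsed as SQL syntax.
// No stripslashes()/escape step is applied to the value.
function storeComment(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function fetchComment(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// HTML escaping belongs at the point of output, for the context the value is
// printed into, rather than being stripped out of the data before storage.
function renderComment(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// True when the value comes back from the database byte-for-byte identical to
// what was submitted: no added backslashes, nothing stripped.
function roundTripsUnchanged(PDO $pdo, string $input): bool
{
    $id = storeComment($pdo, $input);
    return fetchComment($pdo, $id) === $input;
}

$pdo = openDatabase();

// Constructed sample input: the string from the first post, apostrophe included.
$input = "Hi! <script src=' http://www.evilsite.com /bad_script.js'></script> It's a good day!";

echo roundTripsUnchanged($pdo, $input) ? "stored unchanged\n" : "value was altered\n";
echo renderComment(fetchComment($pdo, 1)), "\n";
```

Against MySQL the only changes are the DSN (for example `mysql:host=...;dbname=...;charset=utf8mb4`) and setting `PDO::ATTR_EMULATE_PREPARES` to `false`, so the server itself performs the prepare and the parameters are never spliced into the SQL text on the client side.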

Re: PHP Functions To Clean Database Inputs by D34lw4p(m): 5:27pm On Jan 26, 2016
DonSegmond:
This is terrible advice. Never do this. Sanitizing your own input will get you in trouble in so many ways.
There are so many creative ways to inject malformed and evil input into a database for SQL injection.

The best way to handle untrusted inputs is to delegate to the database driver. Use prepared statements with parameters.

With PHP, you can get the benefit of that using PDO.

lolzz you are saying rubbish man! total junk!!!
Re: PHP Functions To Clean Database Inputs by Kidstell: 2:54pm On Jan 28, 2016
D34lw4p:


lolzz you are saying rubbish man! total junk!!!

Do you mean PDO is rubbish, or did you mean to say that using your own string as a test argument for your functions is best?
Please shed more light.

Secondly, did you create the functions yourself?

1 Like

Re: PHP Functions To Clean Database Inputs by Nobody: 3:39pm On Jan 28, 2016
Not advisable at all.
