PHP Functions To Clean Database Inputs - Programming - Nairaland


PHP Functions To Clean Database Inputs by D34lw4p(op): 7:42am On Jan 26, 2016
1) Function for stripping out malicious bits


<?php
// Strips script blocks, HTML tags, style blocks and HTML comments from a string
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si',  // Strip out javascript
        '@<[\/\!]*?[^<>]*?>@si',           // Strip out HTML tags
        '@<style[^>]*?>.*?</style>@siU',   // Strip style tags properly
        '@<![\s\S]*?--[ \t\n\r]*>@'        // Strip multi-line comments
    );
    $output = preg_replace($search, '', $input);
    return $output;
}
?>


2) Sanitization function

Uses the function above, and also adds slashes so as not to screw up database functions.


<?php
// Recursively cleans a value (or an array of values) and escapes it for MySQL.
// Note: get_magic_quotes_gpc() was removed in PHP 8 and the mysql_* extension
// in PHP 7, so this only runs on PHP 5.x with an open mysql_connect() link.
function sanitize($input) {
    if (is_array($input)) {
        $output = array();  // initialised so an empty array returns an empty array
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);  // undo magic quotes before escaping again
        }
        $input  = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}
?>


Usage


<?php
$bad_string  = "Hi! <script src='http://www.evilsite.com/bad_script.js'></script> It's a good day!";
$good_string = sanitize($bad_string);
// $good_string returns "Hi! It\'s a good day!"

// Also use for getting POST/GET variables
$_POST = sanitize($_POST);
$_GET  = sanitize($_GET);
?>



Join The Coders Forum www.nct.com.ng
Re: PHP Functions To Clean Database Inputs by DonSegmond(m): 3:25pm On Jan 26, 2016
This is terrible advice. Never do this. Sanitizing your own input will get you in trouble in so many ways.
There are so many creative ways to inject malformed and evil input into a database for SQL injection.

The best way to handle untrusted inputs is to delegate to the database driver. Use prepared statements, with parameters.

With PHP, you can get the benefit of that using PDO.
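An added example, not code from either poster in this thread, showing the difference DonSegmond describes and why the sanitize() function in the first post is not enough. The first lookup escapes quotes the way sanitize() does (addslashes stands in for mysql_real_escape_string, which no longer exists in current PHP) and then concatenates the value into the query; the second does the same lookup with a PDO prepared statement. The table, rows, inputs and function names are all constructed for this demo, and it uses an in-memory SQLite database so it runs offline with the pdo_sqlite extension.

```php
<?php
// Added example, not from the thread: escaped-and-concatenated query beside a
// PDO prepared statement. Table, rows and inputs below are constructed for the demo.
declare(strict_types=1);

function buildDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $pdo;
}

// Vulnerable: escapes quotes (addslashes stands in for the removed
// mysql_real_escape_string) and concatenates into a numeric context.
// Quote escaping does nothing when the attacker never needs a quote.
function findUserByIdEscaped(PDO $pdo, string $id): array
{
    $sql = 'SELECT name FROM users WHERE id = ' . addslashes($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the value travels to the driver separately from the SQL text,
// so it is only ever compared as a value and never parsed as SQL.
function findUserByIdPrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo    = buildDemoDb();
$legit  = '2';
$attack = '1 OR 1=1';   // contains no quote, so quote escaping never fires

// Escaped + concatenated: the second call returns every row in the table
var_dump(findUserByIdEscaped($pdo, $legit));
var_dump(findUserByIdEscaped($pdo, $attack));

// Prepared: the second call compares the whole string against id and matches nothing
var_dump(findUserByIdPrepared($pdo, $legit));
var_dump(findUserByIdPrepared($pdo, $attack));
```

Run it with `php` from the command line. The concatenated version returns all three users for the second input because the injected text contains no quote at all; it only needs the unquoted numeric context of `id = ...`, which sanitize() cannot protect. The prepared statement hands `1 OR 1=1` to the driver as a value, so SQLite compares it as a literal against the id column and returns no row. With MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to false so the server binds the parameters instead of PDO interpolating them client-side.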
Re: PHP Functions To Clean Database Inputs by D34lw4p(op): 5:27pm On Jan 26, 2016
DonSegmond:
This is terrible advice. Never do this. Sanitizing your own input will get you in trouble in so many ways.
There are so many creative ways to inject malformed and evil input into a database for SQL injection.

The best way to handle untrusted inputs is to delegate to the database driver. Use prepared statements, with parameters.

With PHP, you can get the benefit of that using PDO.
lolzz you are saying rubbish man! total junk!!!
Re: PHP Functions To Clean Database Inputs by Kidstell: 2:54pm On Jan 28, 2016
D34lw4p:
lolzz you are saying rubbish man! total junk!!!
Do you mean PDO is rubbish, or do you mean that using your own string as a test argument for your functions is best?
Please shed more light.

Secondly, did you create the functions yourself?
Re: PHP Functions To Clean Database Inputs by Nobody: 3:39pm On Jan 28, 2016
Not advisable at all.