Validating input variables?

I have attached to this reply a script that will validate both for displaying on the webpage and for mysql queries. Couldn't post it due to the daniweb validator.

Sorry cwarn abit confused when i downloaded the file, contents where:

function validation($input) {
$input = mysql_real_escape_string($input);
$input = str_replace(array('"','\'','<','>'),array('&#34;','&#39;','&#60;','&#62;'),$input);
return $input;
}

Well the code you posted is not what is in the text file because in the text file I str_replaced those characters with the unicode equivilent but daniweb code box just doesn't show unicode characters as the code and there for makes the 3rd line look incorrect. So try comparing what you posted to what is in the file I submitted and you will see the difference on the str_replace line.

why not use htmlentities()?

why not use htmlentities()?

Another function I wasn't aware of. With that function the script would look like the following:

function validation($input) {
$input = mysql_real_escape_string($input);
$input = htmlentities($input);
return $input;
}

Sorry cwarn but the file you uploaded only contains the code that I displayed.

Ya htmlentities() was one I forgot, I am just trying to find some procedures or methods I can implement to check my input data.

Sorry cwarn but the file you uploaded only contains the code that I displayed.

Well I shall post what was in the file but with every second character on that line being a space so the web browser or daniweb validator doesn't mess it up.

<?
//mysql connections

//then the function
function validation($input) {
$input = mysql_real_escape_string($input);
$ i n p u t   =   s t r _ r e p l a c e ( a r r a y ( ' " ' , ' \ ' ' , ' < ' , ' > ' ) , a r r a y ( ' & # 3 4 ; ' , ' & # 3 9 ; ' , ' & # 6 0 ; ' , ' & # 6 2 ; ' ) , $ i n p u t ) ; 
return $input;
}
?>

Now if you remove every second character on the 6th line which are all spaces then you will see what I mean. Also I checked the text file and yes it does contain the appropriate code which was not posted correctly earlier.

Sorry cwarn my internet is slow and didnt realise it was missing those characters.

Your custom function(which i like the idea behind it):
If the variable contains the LEFT ARRAY converts to the RIGHT ARRAY, this correct?

Now maybe there some big function we can create that contains all the functions in one so like, we put $input through all the functions I have listed previously along with your good custom idea ones?

you wouldnt want to put a value through all them methods in fact doing so would counteract some of the methods used e.g.

$value = "abc '123'";
$value = addslashes($value);
$value = stripslashes($value);

the previous would return the same string not performing any validation at all.

From experience all i have ever required to validate values before using them in potentially unsafe areas such as sql strings is the following.

function makeVarSqlReady($value) {
    if(get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return mysql_real_escape_string($value);
}

// Example usage

$input = $_POST['somevalue'];
$input = makeVarSqlReady($input);
$sql = "SELECT * FROM table WHERE field = '$input'";

obviously other validation is required for the given circumstance e.g. if the value is meant to be numeric you would check it using "is_numeric" etc.

ya obviously you couldnt have them all in one function else it would contradict each other (pure example are slashes() functions) but i was hoping for a global function to cover validation or a few functions to cover like A, B, C, etc but its always good insight to see custom functions like cwarn it always sparks off other ideas.

Well as I mentioned earlier, the following function should be able to validate anything that goes into the url bar.

function validation($input) {
$input = mysql_real_escape_string($input);
$input = htmlentities($input);
return $input;
}

And if you wanted to make sure that your $_GET variables are always varified then use the following script.

function validate($input) {
$input = mysql_real_escape_string($input);
$input = htmlentities($input);
return $input;
}
foreach ($_GET AS $key => $val) {
$_GET[$key]=validate($val);
}

Well as I mentioned earlier, the following function should be able to validate anything that goes into the url bar.

function validation($input) {
$input = mysql_real_escape_string($input);
$input = htmlentities($input);
return $input;
}

And if you wanted to make sure that your $_GET variables are always varified then use the following script.

function validate($input) {
$input = mysql_real_escape_string($input);
$input = htmlentities($input);
return $input;
}
foreach ($_GET AS $key => $val) {
$_GET[$key]=validate($val);
}

an easier way:

array_map( 'validate',&$_GET );

Quick question what is the & in the before the $_GET do?

Confirmation, it runs the validation function for the $_GET variable?
Shouldnt the code be:

//possible for loop here instead here?
$input_name = array_map( 'validate',&$_GET['name'] );

the & is for reference, so when it runs that function on the values, it will updated the real $_GET array. you don't need to put it into a variable.

its the same as doing

$_GET = array_map( 'validate',$_GET );

now all the values of the get array have been validated. just use $_GET where ever.

Also, I just realised a slight flaw in my validator and that mysql_escape real would escape the slashes which would be converted to unicode leaving random slashes. To solve this ya just need to swap the order of the functions. So an update to the code is a follows:

function validate($input) {
$input = htmlentities($input);
$input = mysql_real_escape_string($input);
return $input;
}
$_GET = array_map( 'validate',$_GET );