sanitizeString function

Question

pallen 0 Light Poster

14 Years Ago

I am trying out a function from a book for the first time. I could use some help. It goes:

function sanitizeString($var)
{
    $var = stripslashes($var);
    $var = htmlentities($var);
    $var = strip_tags($var)'
    return $var;
}

I have two simple forms. One that asks for an email address and another that does fahrenheit-celsius conversions (interesting stuff, I know). I have been testing this sanitizeString function out and it doesn't seem to do anything. Any HTML, or slashes or anything I put in text fields are not stripped of any of the harmful stuff. The code in its entirety is:

<?php

$f = $c = "";

if (isset($_POST['f'])) $f = sanitizeString($_POST['f']);
if (isset($_POST['c'])) $c = sanitizeString($_POST['c']);

if ($f != '')
{
	$c = intval((5/9) * ($f - 32));
	$out = "$f equals $c c";
}
elseif ($c != '')
{
	$f = intval((5/9) * ($c + 32));
	$out = "$c c equals $f f";
}
else $out = "Please enter data in at least on field";

if (isset($_POST['email']))
	$email = sanitizeString($_POST['email']);
	
echo <<<_END
<html><head<title>Email & Temp Conv.</title>
</head><body>

<pre>
Enter fahrenheit or celsius and click convert

<b>$out</b>
<form method="post" action="formValidation.php">
Fahrenheit <input type="text" name="f" size="7" /><br />
   Celsius <input type="text" name="c" size="7" /><br />
   		   <input type="submit" value="Convert" /><br />
</form></pre>


<form method="post" action="formValidation.php">
Email <input type="text" name="email" />
	  <input type="submit" name="submit" value="Send" /><br />
	  <b>$email</b>
</form>

		</div>
       
    </div></body></html>
_END;

	
function sanitizeString($var)
{
        $var = stripslashes($var);
	$var = htmlentities($var);
	$var = strip_tags($var);
	return $var;
}
?>

Has anyone used methods like these? My expectation was that when I put in slashes or some HTML, it would be taken out. That doesn't seem to be happening. I'm in the middle of trying to put a site together with a searchable database and customers logging in and the whole shebang, so I would like to be able to have some security. Any help is much appreciated. Thanks in advance.

cybersecurity php

5 Contributors
5 Replies
1K Views
6 Years Discussion Span
Latest Post 7 Years Ago Latest Post by owlowl076

hielo 65 Veteran Poster

14 Years Ago

Read http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc
if that directive is enabled on your server and you typed/submitted the following:
O'Brian/O'Malley

then the server will auto-convert it to:
O\'Brian\/O\'Malley

then if you call stripslashes() it will change it back to what you originally typed:
O'Brian/O'Malley

notice that it removes only BACK slashes, not forward slashes.

Also, htmlentities() will first change ... to  , but strip_tags() does NOT "understand"  . It will remove the tags only if they are "unencoded". So swap lines 53 and 54.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

pallen 0 Light Poster · Answer 1 · 2010-10-14T10:31:58+00:00

Read http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc
if that directive is enabled on your server and you typed/submitted the following:
O'Brian/O'Malley
then the server will auto-convert it to:
O\'Brian\/O\'Malley
then if you call stripslashes() it will change it back to what you originally typed:
O'Brian/O'Malley
notice that it removes only BACK slashes, not forward slashes.
Also, htmlentities() will first change ... to  , but strip_tags() does NOT "understand"  . It will remove the tags only if they are "unencoded". So swap lines 53 and 54.

You're exactly right hielo. Thank you. You really can't trust what you read in textbooks.

efrilinux 0 Newbie Poster · Answer 2 · 2015-05-10T16:50:28+00:00

You can use the function mysql_real_escape_string, Like this.

if (isset($_POST['f'])) $f = mysql_real_escape_string($_POST['f']);
if (isset($_POST['c'])) $c = mysql_real_escape_string($_POST['c']);

diafol · Answer 3 · 2015-05-10T17:02:58+00:00

As most people shold be aware, mysql_* functions have now been deprecated. In other words DO NOT use them. Use PDO or mysqli instead.

If you need to sanitize input before placing into a query, you'd be better to use a prepared statement and bind values/parameters. If you have no idea what this means - check out mysqli and PDO in the php.net manual.

So please, no more posts about mysql - especially if all they serve to do is disinter a 4 year old post, which seemed to have had a decent burial.

owlowl076 0 Newbie Poster · Answer 4 · 2017-03-26T15:52:02+00:00

I would like to read about it anymore. Prompt, what literature to study?