Menu
Community /Pin to ProfileBookmark
@NogDogJan 22.2009 — #Some things to consider.
stripslashes() should only be used if magic_quotes_gpc is enabled (and you therefore need to undo its damage). You can use get_magic_quotes_gpc() to test if it is turned on.
htmlentities() is for escaping output, not filtering input. Applying it universally to all inputs could potentially cause more problems than it might fix.
You might want to take a look at the[url=http://www.php.net/import_request_variables]import_request_variables[/url] () function as a simple, built-in way to emulate register_globals.
Of course, the best solution would be to update the code to [i]not[/i] need register_globals type variables and use the proper super-global arrays instead. ? Both register_globals and magic_quotes_gpc are deprecated as of PHP5.3, and will be completely removed in PHP6.0, so it's really time for all of us PHP developers to update our code.
input sanitation
When I began codeing in PHP, I read that get and post variables were automatically available (Now I know they were talking about register globals). Many of my old form-handlers rely on register globals without much in the way of varification. I want to clean them up a bit without re-writing them. Would this code be a good start?
[code=php]foreach($_POST as $key=>$value){
$$key=stripslashes($value);
$$key=htmlentities($$key);
}
of course I could do the same for $_GET
Sign in
to post a comment3 Comments(s) ↴
0
@NogDogJan 22.2009 — #Some things to consider.stripslashes() should only be used if magic_quotes_gpc is enabled (and you therefore need to undo its damage). You can use get_magic_quotes_gpc() to test if it is turned on.
htmlentities() is for escaping output, not filtering input. Applying it universally to all inputs could potentially cause more problems than it might fix.
You might want to take a look at the
Of course, the best solution would be to update the code to [i]not[/i] need register_globals type variables and use the proper super-global arrays instead. ? Both register_globals and magic_quotes_gpc are deprecated as of PHP5.3, and will be completely removed in PHP6.0, so it's really time for all of us PHP developers to update our code.