TalkPHP - View Single Post - Cleaning data before entering database question

Killswitch · 12-23-2007, 10:45 PM

Hello all, I know what to use to clean data before sending it to the database, but have a question about whether this would work out or not...

I am using XAJAX to send all form values in an array to a function which enters the database and returns a success message. Instead of checking if magic quotes is on or off, and cleaning each post individually based upon that, is it safe to run a foreach on the $aFormData array variable and clean just that? Would that clean each of the posted values?

I can clean each by $aFormData = stripslashes($aFormData['section_title']) and so on, but it just creates a huge block and don't think it is much needed.

Basically, this is what the function is looking like so far...

Code:

function addSectionData ( $aFormData ) {

	if(get_magic_quotes_gpc()) {
        	$secname        = stripslashes( $_POST['secname'] );
        	$description    = stripslashes( $_POST['description'] );
		$ordering       = stripslashes( int( $_POST['ordering'] ) );
		$access         = stripslashes( int($_POST['access'] ) );
		$publishing     = stripslashes( int($_POST['publishing'] ) );
        } else {
        	$secname        = $_POST['secname'];
        	$description    = $_POST['description'];
		$ordering       = $_POST['ordering'];
		$access         = $_POST['access'];
		$publishing     = $_POST['publishing'];
        }

	$password = md5( trim ( $aFormData['password'] ) );	
// Query down here, not going to continue, not needed
}

I also plan to slap a mysql_real_escape_string (I made a new function to use instead, just to shorten the name) in the actual query.

One final question... do I have to send the password through strip slashing as well?

Thanks for your support :D

12-23-2007, 10:45 PM	#1 (permalink)
Killswitch The Contributor Join Date: Feb 2007 Posts: 61 Thanks: 9	Cleaning data before entering database question Hello all, I know what to use to clean data before sending it to the database, but have a question about whether this would work out or not... I am using XAJAX to send all form values in an array to a function which enters the database and returns a success message. Instead of checking if magic quotes is on or off, and cleaning each post individually based upon that, is it safe to run a foreach on the $aFormData array variable and clean just that? Would that clean each of the posted values? I can clean each by $aFormData = stripslashes($aFormData['section_title']) and so on, but it just creates a huge block and don't think it is much needed. Basically, this is what the function is looking like so far... Code: function addSectionData ( $aFormData ) { if(get_magic_quotes_gpc()) { $secname = stripslashes( $_POST['secname'] ); $description = stripslashes( $_POST['description'] ); $ordering = stripslashes( int( $_POST['ordering'] ) ); $access = stripslashes( int($_POST['access'] ) ); $publishing = stripslashes( int($_POST['publishing'] ) ); } else { $secname = $_POST['secname']; $description = $_POST['description']; $ordering = $_POST['ordering']; $access = $_POST['access']; $publishing = $_POST['publishing']; } $password = md5( trim ( $aFormData['password'] ) ); // Query down here, not going to continue, not needed } I also plan to slap a mysql_real_escape_string (I made a new function to use instead, just to shorten the name) in the actual query. One final question... do I have to send the password through strip slashing as well? Thanks for your support :D