Cleaning data before entering database question

Killswitch · 12-23-2007, 10:45 PM

Hello all, I know what to use to clean data before sending it to the database, but have a question about whether this would work out or not...

I am using XAJAX to send all form values in an array to a function which enters the database and returns a success message. Instead of checking if magic quotes is on or off, and cleaning each post individually based upon that, is it safe to run a foreach on the $aFormData array variable and clean just that? Would that clean each of the posted values?

I can clean each by $aFormData = stripslashes($aFormData['section_title']) and so on, but it just creates a huge block and don't think it is much needed.

Basically, this is what the function is looking like so far...

Code:

function addSectionData ( $aFormData ) {

	if(get_magic_quotes_gpc()) {
        	$secname        = stripslashes( $_POST['secname'] );
        	$description    = stripslashes( $_POST['description'] );
		$ordering       = stripslashes( int( $_POST['ordering'] ) );
		$access         = stripslashes( int($_POST['access'] ) );
		$publishing     = stripslashes( int($_POST['publishing'] ) );
        } else {
        	$secname        = $_POST['secname'];
        	$description    = $_POST['description'];
		$ordering       = $_POST['ordering'];
		$access         = $_POST['access'];
		$publishing     = $_POST['publishing'];
        }

	$password = md5( trim ( $aFormData['password'] ) );	
// Query down here, not going to continue, not needed
}

I also plan to slap a mysql_real_escape_string (I made a new function to use instead, just to shorten the name) in the actual query.

One final question... do I have to send the password through strip slashing as well?

Thanks for your support :D

Wildhoney · 12-24-2007, 01:26 AM

In its simplest form you could do the following:

php Code:

$_GET = array_map('strip_tags', $_GET);

Although a foreach loop is also perfectly acceptable. Anything that gets rid of the many lines you currently have is a plus.

trs21219 · 12-24-2007, 01:29 AM

it wont matter if the password is cleaned because it is encrypted and it cant harm when its not executable

Killswitch · 12-24-2007, 01:48 AM

Thanks for your replies. I figured it would be fine, but wasn't quite sure. Didn't think of trying array_map, haven't used it in any of my scripts before.

Edit - Im not sure if I would be able to use $_GET. I read something at the XAJAX site about not being able to access the data with $_GET for some reason or another.

Wildhoney · 12-24-2007, 02:17 AM

$_POST works exactly the same in array_map, so you can simply drop POST in instead of GET and have it working perfectly! And if you're feeling really clever, you could do both

!

Tanax · 12-24-2007, 08:54 AM

You could also use FILTER_INPUT_ARRAY

PHP: filter_input_array - Manual

ReSpawN · 12-24-2007, 03:52 PM

I'm gonna go with the array_map function. The FILTER_INPUT_ARRAY takes a little bit too much reading and understanding if you ask me. array_map() in this case, is a lot more safe, easier and faster.

Tanax · 12-24-2007, 10:29 PM

Quote:

Originally Posted by ReSpawN

I'm gonna go with the array_map function. The FILTER_INPUT_ARRAY takes a little bit too much reading and understanding if you ask me. array_map() in this case, is a lot more safe, easier and faster.

Ofcourse, it's your choice

Also, you should use mysql_real_escape_string, like you've already mentioned..