Re: validation

Posted by John Murtari on 09/10/07 17:29

John <John_nospam@nnnnnnnnn.nowhere> writes:

> I would do some validation of the POST data before sending possibly
> malicious data to myself.
Below is a function I wrote a while back to screen
all input data for scripts. Part of it came out of a book
and part was home brewed. It assumes magic quotes are OFF
and register globals is OFF.
Frankly, I look at it now and I'm not sure all of it makes
sense -- although I must have had a reason at the time!

If you have a user form being submitted that contains a text
field called "NAME", the usage would be

$name = script_param("NAME");

FEEDBACK is welcome.
John

--------------------------
// This function takes a parameter name and checks both GET
// and POST arrays to find the parameter value.
function script_param ($name) {

    // Pre-PHP 4.1 request arrays, checked as a fallback after $_GET/$_POST.
    global $HTTP_GET_VARS, $HTTP_POST_VARS;

    // Start with no value so trim() below never sees an undefined variable.
    $val = null;
    if (isset ($_GET[$name])) {
        $val = $_GET[$name];
        $val = stripcslashes($val);

    } else if (isset ($_POST[$name])) {
        $val = $_POST[$name];

        // POST strings are escaped for MySQL; this call needs an open
        // MySQL connection.
        if (is_string($val)) {
            $val = mysql_real_escape_string($val);
        }

    } else if (isset ($HTTP_GET_VARS[$name])) {
        $val = $HTTP_GET_VARS[$name];
        $val = stripcslashes($val);

    } else if (isset ($HTTP_POST_VARS[$name])) {
        $val = $HTTP_POST_VARS[$name];

        if (is_string($val)) {
            $val = mysql_real_escape_string($val);
        }

    }

    // Trim whitespace, then HTML-encode the result.
    $value = @trim($val);
    $value = htmlspecialchars($value);

    // return @$value rather than $value to prevent "undefined value"
    // messages in case $val is unset and warnings are enabled
    return (@$value);
}

--
John
___________________________________________________________________
John Murtari Software Workshop Inc.
jmurtari@following domain 315.635-1968(x-211) "TheBook.Com" (TM)
http://thebook.com/
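
One way to separate the three jobs that script_param() combines (input validation, SQL escaping, HTML encoding), as an added example that is not part of the original post. The helper name param_validated, the customers table and the sample NAME value are made up for illustration, and it assumes the pdo_sqlite extension so that it can run against an in-memory database without a server.

```php
<?php
// Added example (not from the original post). Input is only validated here;
// SQL binding and HTML encoding happen at the point where the value is used.

// Hypothetical helper: fetch one parameter from a request array and validate it.
function param_validated(array $source, string $name, int $maxLen = 100): ?string
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;                    // missing, or an array such as NAME[]=x
    }
    $val = trim($source[$name]);
    // Reject rather than repair: empty, over-long, invalid UTF-8, control chars.
    if ($val === '' || strlen($val) > $maxLen
        || preg_match('//u', $val) !== 1
        || preg_match('/[\x00-\x1F\x7F]/', $val)) {
        return null;
    }
    return $val;
}

// Constructed sample input standing in for $_POST.
$post = ['NAME' => "  O'Brien <b>& Sons</b> "];

$name = param_validated($post, 'NAME');
if ($name === null) {
    exit("invalid NAME\n");
}

// SQL context: a bound parameter, so no escaping function touches the data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (name TEXT)');
$stmt = $db->prepare('INSERT INTO customers (name) VALUES (:name)');
$stmt->execute([':name' => $name]);

// The stored value is what the user typed (after trim), with no added
// backslashes or HTML entities.
$stored = $db->query('SELECT name FROM customers')->fetchColumn();
var_dump($stored === "O'Brien <b>& Sons</b>");

// HTML context: encode at output time only, with an explicit charset.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

Because the stored value carries no SQL or HTML escaping, it can later be written to a plain-text e-mail, a CSV export or a JSON response, each with the encoding that context needs.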

 
