Posted by kenoli on 04/09/07 00:26
In addition to validating post input to see if it has been entered or
conforms to a regular expression, I am interested in secure ways to
efficiently process incoming form data.
I use a function to process this data, namely:
    function escape_data ($data) {
        if (ini_get('magic_quotes_gpc')) {
            $data = stripslashes($data);
        }
        return mysql_real_escape_string(strip_tags(trim(urldecode($data))));
    }
It's tempting to apply it to all incoming data at once, like this:
    foreach($_POST as $key => $value) {
        global $$key;
        $$key = escape_data($value);
    }
Of course this introduces the well known vulnerability of putting the
data into variables that can be modified.
Another way to do this is to put the data in an array, like this:
    foreach($_POST as $key => $value) {
        global $input;
        $input[$key] = escape_data($value);
    }
This has the advantage that I can use implode() to create strings that
can be applied to a database query.
However, it includes all post variables, including data I don't intend
to insert in my database, so I can be selective about which form
elements I include, like this:
    function collect_fields ($namelist) {
        global $formdata;                // array that receives the selected fields
        foreach ($namelist as $name) {
            if (!empty($_POST[$name])) {
                $formdata[$name] = escape_data($_POST[$name]);
            }
        }
    }
$namelist being an array of the names of the form elements I want to
extract for my query.
I'm interested in people's reflections on the security of these
methods as well as other comments and suggestions for other
approaches.
Thanks.
--Kenoli
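The third approach in the post, selecting only the form fields you actually want, is the sound core idea. The following is an added example (not code from the post or from any library it mentions) that takes that allowlist idea further: each expected field carries its own validation rule, everything else in $_POST is dropped, and the values are handed to a prepared statement rather than escaped by hand, so no mysql_real_escape_string / magic_quotes juggling is needed. The field names, the users table, and the in-memory SQLite database are assumptions chosen so the script runs offline; the $post array is constructed input standing in for $_POST.

```php
<?php
// Added example (not from the original post): allowlist-based form intake
// plus a parameterized insert. Field names, table name and the SQLite
// in-memory database are assumptions chosen for a self-contained demo.

declare(strict_types=1);

/**
 * Pull only the expected fields out of $source, validate each one, and
 * return them in a plain array keyed by field name. Unknown keys are
 * ignored, so a client cannot smuggle in extra columns or variables.
 * Returns [cleanArray, errorsArray].
 */
function collect_fields(array $source, array $rules): array
{
    $clean  = [];
    $errors = [];
    foreach ($rules as $name => $rule) {
        $raw = $source[$name] ?? null;
        if ($raw === null || $raw === '') {
            if (!empty($rule['required'])) {
                $errors[$name] = 'missing';
            }
            continue;
        }
        if (!is_string($raw)) {          // nested arrays in $_POST are rejected here
            $errors[$name] = 'wrong type';
            continue;
        }
        $value = trim($raw);
        if (isset($rule['max']) && strlen($value) > $rule['max']) {
            $errors[$name] = 'too long';
            continue;
        }
        if (isset($rule['pattern']) && !preg_match($rule['pattern'], $value)) {
            $errors[$name] = 'bad format';
            continue;
        }
        $clean[$name] = $value;          // kept raw: escaping belongs to each output sink
    }
    return [$clean, $errors];
}

/**
 * Insert the validated fields with a prepared statement. Column names come
 * from the allowlist keys (never from the client); values are bound as
 * parameters, so no SQL escaping of user data is needed.
 */
function insert_row(PDO $db, string $table, array $clean): int
{
    $cols = array_keys($clean);
    $sql  = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $table,
        implode(', ', $cols),
        implode(', ', array_map(fn($c) => ':' . $c, $cols))
    );
    $stmt = $db->prepare($sql);
    foreach ($clean as $col => $val) {
        $stmt->bindValue(':' . $col, $val, PDO::PARAM_STR);
    }
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// --- demo with constructed input standing in for $_POST -------------------
$rules = [
    'username' => ['required' => true, 'max' => 32,  'pattern' => '/^[A-Za-z0-9_]+$/'],
    'email'    => ['required' => true, 'max' => 254, 'pattern' => '/^[^@\s]+@[^@\s]+$/'],
    'comment'  => ['max' => 2000],
];
$post = [
    'username' => 'kenoli',
    'email'    => 'kenoli@example.com',
    'comment'  => "O'Reilly <b>said</b> hi",   // quote and tags are stored intact
    'is_admin' => '1',                          // not in the allowlist: silently dropped
];

[$clean, $errors] = collect_fields($post, $rules);
if ($errors) {
    print_r($errors);
    exit(1);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, comment TEXT)');
$id = insert_row($db, 'users', $clean);

$row = $db->query('SELECT username, comment FROM users WHERE id = ' . (int) $id)
          ->fetch(PDO::FETCH_ASSOC);
// Escape at the output boundary (HTML here), not at intake.
echo htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8'), "\n";
```

Two design points worth noting. First, the data is stored as the user typed it; strip_tags and urldecode at intake alter legitimate input (an apostrophe in a surname, a literal "+" in a comment) without protecting any particular sink, whereas htmlspecialchars at render time and bound parameters at query time each protect exactly the sink they serve. Second, the column list is built from the allowlist keys, so the only thing the client controls is the bound values; nothing from $_POST ever reaches the SQL text or becomes a variable name.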