Posted by John Murtari on 09/10/07 17:29
John <John_nospam@nnnnnnnnn.nowhere> writes:
> I would do some validation of the POST data before sending possibly
> malicious data to myself.
Below is a function I wrote a while back to screen
all input data for scripts. Part of it came out of a book
and part was home brewed. It assumes magic quotes are OFF
and register globals is OFF.
Frankly, I look at it now and I'm not sure all of it makes
sense -- although I must have had a reason at the time!
If you have a user form being submitted that contains a text
field called "NAME", the usage would be
$name = script_param("NAME");
FEEDBACK is welcome.
John
--------------------------
// This function takes a parameter name and checks both GET
// and POST arrays to find the parameter value.
// It assumes magic_quotes_gpc is OFF and register_globals is OFF.
function script_param($name) {
    // $HTTP_GET_VARS / $HTTP_POST_VARS are the old (pre-4.1) names for
    // $_GET / $_POST; they are only checked for older installations.
    global $HTTP_GET_VARS, $HTTP_POST_VARS;
    $val = null;
    if (isset($_GET[$name])) {
        $val = $_GET[$name];
        if (is_string($val)) {
            // undo the backslashes a magic-quotes server would have added
            $val = stripslashes($val);
        }
    } else if (isset($_POST[$name])) {
        $val = $_POST[$name];
        if (is_string($val)) {
            // needs an open mysql connection; only meaningful if the value
            // is going straight into an SQL string
            $val = mysql_real_escape_string($val);
        }
    } else if (isset($HTTP_GET_VARS[$name])) {
        $val = $HTTP_GET_VARS[$name];
        if (is_string($val)) {
            $val = stripslashes($val);
        }
    } else if (isset($HTTP_POST_VARS[$name])) {
        $val = $HTTP_POST_VARS[$name];
        if (is_string($val)) {
            $val = mysql_real_escape_string($val);
        }
    }
    // A missing parameter or an array value (e.g. NAME[]) comes back as an
    // empty string, so callers never see an "undefined variable" notice.
    if (!is_string($val)) {
        return '';
    }
    // entity-encode the trimmed value so it is safe to echo into HTML
    return htmlspecialchars(trim($val));
}
--
John
___________________________________________________________________
John Murtari Software Workshop Inc.
jmurtari@following domain 315.635-1968(x-211) "TheBook.Com" (TM)
http://thebook.com/
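The function above escapes for SQL and for HTML in one pass at input time, so a value that is only ever shown in a page still gets SQL backslashes. The added example below (not code from John's post) shows the alternative: keep the raw value, let a prepared statement handle the SQL side, and escape for HTML only when rendering. It assumes PHP with the PDO and pdo_sqlite extensions; the table and the sample input are constructed for the demo.

```php
<?php
// Added example: escape per output context rather than once on input.
// Uses an in-memory SQLite database through PDO so it runs stand-alone.

// HTML escaping belongs at the point where a value is written into a page.
function html_out(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)');   // constructed table for the demo

// Constructed input resembling what a form field might submit.
$raw = "O'Reilly <script>alert(1)</script>";

// Store the raw value. The bound parameter never becomes part of the SQL
// text, so no mysql_real_escape_string-style pre-escaping is needed.
$ins = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$ins->execute([':name' => $raw]);

// Read it back: the stored value is byte-for-byte what the user typed.
$stored = $db->query('SELECT name FROM users')->fetchColumn();
echo "stored unchanged: " . ($stored === $raw ? 'yes' : 'no') . "\n";

// Escape for HTML only when rendering.
echo '<p>' . html_out($stored) . "</p>\n";

// For comparison, the input-time approach: addslashes() stands in for
// mysql_real_escape_string(), and the SQL backslash then shows up in the page.
$pre = addslashes($raw);
echo '<p>' . html_out($pre) . "</p>\n";
```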