Posted by Rik on 05/07/06 14:39
zorro wrote:
> greetings...
>
> I'm wondering what more advanced coders would think of this:
>
> $_POST['myvar'] = clean($_POST['myvar']);
>
> and now I can use POST directly:
>
> $sql= "select * from T1 where myvar='$_POST[myvar]' " ;
>
> function clean($var){
> return addslashes(trim($var)); // whatever
> }
>
> The reason I came up with this is because I often end up calling
> clean() several times on the same variable. So to avoid declaring a
> php variable for each posted one, I would use an array
>
> $arr['myvar']=clean($_POST['myvar']) ;
> $arr['myvar2']=clean($_POST['myvar2']) ;
>
> but since $_POST is already there, why not use it? The benefit is
> simpler code, but maybe there are some security issues - that's what I
> don't know.
My solution:
/* create array containing expected POST variables, all others are useless */
$expected = array('submit', 'text1' /* etc. */);
foreach($expected as $var){
if(get_magic_quotes_gpc()){
$_POST[$var] = stripslashes($_POST[$var]);
}
$postvars[$var] = mysql_real_escape_string(trim($_POST[$var]));
}
And further on I only use $postvars, $_POST is left alone.
If you just want to clean all POST variables:
foreach($_POST as $key => $value){
if(get_magic_quotes_gpc()){
$value = stripslashes($value);
}
$_POST[$key] = mysql_real_escape_string(trim($value));
}
Grtz,
--
Rik Wasmus
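The whitelist approach from Rik's reply, written out as an added example (not code from either poster) for a current PHP version where magic_quotes_gpc and the mysql_* extension no longer exist. It assumes an open mysqli connection in $db and the table/column names from zorro's query; the prepared-statement variant at the end is a swapped-in technique that removes the need for escaping entirely.

```php
<?php
// Added example, not code from the thread. Assumes an open mysqli
// connection in $db and a table T1 with a column myvar (from the thread).

/**
 * Take only the keys listed in $expected from $post; everything else is
 * ignored. Values are trimmed but NOT escaped here, so the result can be
 * used either with real_escape_string() or bound to a prepared statement.
 */
function expectedPostVars(array $post, array $expected): array
{
    $postvars = [];
    foreach ($expected as $var) {
        // A missing key yields '' instead of an "undefined index" notice.
        $value = $post[$var] ?? '';
        // A request like myvar[]=1 makes $_POST['myvar'] an array; escaping
        // functions expect a string, so non-strings are dropped to ''.
        if (!is_string($value)) {
            $value = '';
        }
        $postvars[$var] = trim($value);
    }
    return $postvars;
}

$postvars = expectedPostVars($_POST, ['submit', 'myvar']);

// Rik's approach, updated: escape per value, then interpolate. This is only
// a defence when the value lands INSIDE quotes in the SQL text; a value used
// in an unquoted numeric position must be cast, e.g. (int) $postvars['id'].
$myvarEscaped = $db->real_escape_string($postvars['myvar']);
$sql = "SELECT * FROM T1 WHERE myvar = '{$myvarEscaped}'";
$result = $db->query($sql);

// Same query as a prepared statement: the value travels separately from the
// SQL text, so no escaping is needed (bind the trimmed value, not the
// escaped one, or backslashes end up stored in the table).
$stmt = $db->prepare('SELECT * FROM T1 WHERE myvar = ?');
$stmt->bind_param('s', $postvars['myvar']);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
```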