Alex

Reputation: 9265

filter get and post values

I call my main page framework_ui.php; in it I require auth.php, where I have a filter function.

function filter($data)
{
   // normalize $data because of get_magic_quotes_gpc
   $dataNeedsStripSlashes = get_magic_quotes_gpc();
   if ($dataNeedsStripSlashes) {
       $data = stripslashes($data);
   }
   // normalize $data because of whitespace on beginning and end
   $data = trim($data);
   // strip tags
   $data = strip_tags($data);
   // replace characters with their HTML entities
   $data = htmlentities($data);
   // mysql escape string
   $data = mysql_real_escape_string($data);
   return $data;
}

and on every page with GET and POST variables I do this (and call my framework.php):

// filter GET values
foreach ($_GET as $key => $value) {
    $get[$key] = filter($value);
}
// filter post
foreach ($_POST as $key => $value) {
    $post[$key] = filter($value);
} 

Will the function still operate properly if I make the above a function and call that instead on every page?

function filter_all() {
    // filter GET values
    foreach ($_GET as $key => $value) {
        $get[$key] = filter($value);
    }
    // filter post
    foreach ($_POST as $key => $value) {
        $post[$key] = filter($value);
    }
}

I understand this is not the most secure way; however, I was wondering if this sort of thing was possible and wouldn't negatively affect my code.

Upvotes: 0

Views: 4145

Answers (2)

quickshiftin

Reputation: 69681

You just have to make some tweaks to ensure the 'filtered' values are available to the rest of your code. There are a couple of ways to do it, marking them as global or returning them; probably the second option is generally considered cleaner. Here's an example:

function filter_all() {
    $get  = array();
    $post = array();

    // filter GET values
    foreach ($_GET as $key => $value) {
        $get[$key] = filter($value);
    }
    // filter post
    foreach ($_POST as $key => $value) {
        $post[$key] = filter($value);
    }
    return array(
            'get'  => $get,
            'post' => $post);
}

$aFilteredInput = filter_all();
$get  = $aFilteredInput['get'];
$post = $aFilteredInput['post'];

Upvotes: 1

Anthony Hatzopoulos

Reputation: 10547

Your filter_all() function returns nothing and it does not modify the $_GET and $_POST globals, so after your function finishes running, those original variables your foreach loops through will be effectively the same. You should either manipulate $_GET/$_POST directly, or global $get/$post if you plan on using them, or return some combination of the two. Other than that there's nothing necessarily negative about what you're planning to do.

If you are going to be doing this every time might as well not make a function and just include a file (like your framework_ui.php) which just does the loopage and filters the variables.

zerkms is correct, though: your filter function is not ideal in that it is not secure, and in fact mysql_real_escape_string will cause issues if you plan on re-displaying user-submitted info back (among many other things).

To quote the OWASP ESAPI project page:

Don't write your own security controls! Reinventing the wheel when it comes to developing security controls for every web application or web service leads to wasted time and massive security holes. The OWASP Enterprise Security API (ESAPI) Toolkits help software developers guard against security-related design and implementation flaws. http://code.google.com/p/owasp-esapi-php/

Upvotes: 2
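A worked PHP version of what both answers point to, added here as an example rather than code from the question or either answer: the filtered values are returned from the function (the scope fix from the first answer), and instead of one generic filter() that runs mysql_real_escape_string on everything, the raw value is kept and escaped per output context (htmlspecialchars for HTML, bound parameters for SQL), which is the re-display problem the second answer raises. The function names collect_input, esc_html and save_comment, the comments table and the sample GET/POST values are all assumptions made for this example; it assumes PHP 7+ with the pdo_sqlite extension so that it runs offline.

```php
<?php
// Added example, not from the question or either answer. Assumes PHP 7+ and
// pdo_sqlite; all names and the input values below are constructed for it.

// Returns ['get' => [...], 'post' => [...]], mirroring the accepted answer:
// the data is returned rather than left in function-local variables.
function collect_input(array $get, array $post): array
{
    // The only normalization that is safe in every output context is trimming.
    $normalize = function ($value) {
        return is_string($value) ? trim($value) : $value;
    };
    return [
        'get'  => array_map($normalize, $get),
        'post' => array_map($normalize, $post),
    ];
}

// HTML context: encode at output time, so the stored value stays intact.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Database context: bind parameters instead of escaping strings by hand.
function save_comment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// Constructed sample input: an apostrophe and a tag, the two things the
// generic filter() in the question mangles before the value is ever stored.
$input = collect_input(
    ['page' => ' 2 '],
    ['author' => "O'Brien", 'body' => '<b>hi</b>']
);

// Typed values are validated by type, not by escaping.
$page = (int) $input['get']['page'];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

$id = save_comment($db, $input['post']['author'], $input['post']['body']);

$stmt = $db->prepare('SELECT author, body FROM comments WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// The stored author is the original text, so re-display does not show a
// backslash-escaped name; HTML encoding happens only here, at output.
echo 'page ' . $page . ': ' . esc_html($row['author']) . ' wrote ' . esc_html($row['body']) . PHP_EOL;
```

The point of splitting it this way is that a value has no single "safe" form: the same string needs different escaping for an HTML body, an HTML attribute, a SQL parameter or a shell argument, so escaping it once on input (as the question's filter() does) either breaks the data or leaves a context uncovered.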
