Dizzi

Reputation: 747

Merge these 2 similar php functions

As the title says, I'm wondering if these two similar functions can be merged into one:

This one sanitizes general inputs:

function sanitize($input)
{
    // Undo the backslashes magic_quotes_gpc adds before escaping for HTML
    if (get_magic_quotes_gpc() == true) {
        $input = stripslashes($input);
    }
    return htmlspecialchars($input);
}

and this one sanitizes inputs that update a database:

function sanitizeSQL($input)
{
    // Same magic_quotes undo, then HTML-escape and SQL-escape the result
    if (get_magic_quotes_gpc() == true) {
        $input = stripslashes($input);
    }
    return mysql_real_escape_string(htmlspecialchars($input));
}

Maybe with another if statement or something to add or remove the *mysql_real_escape_string()*? I'm just not sure how to go about it...

As usual all help is appreciated and thanks in advance.

Upvotes: 0

Views: 114

Answers (4)

JW.

Reputation: 51638

Let me suggest a different approach. You should either disable magic_quotes, or strip the slashes on all get/post/cookie data as early as possible, following example #2 here.

Don't make this part of your code for preparing HTML or SQL. That should be done separately, when you're actually building HTML documents or SQL statements. And at that point, all you need is htmlspecialchars for HTML, or mysql_real_escape_string for SQL.

Don't make the mistake of thinking there's a "general" sanitizing function that will work for all inputs. In fact, it's best not to think of it as sanitizing at all. Plain text is already plenty sanitary. What you're doing is simply escaping text for a particular output format (HTML, SQL, CSV, PDF, etc.). Each output format has a different escaping method, so there's no approach that will work for all of them. That's why magic_quotes is such a bad idea, and why it needs to be undone as soon as possible.

Upvotes: 0
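The approach JW. describes, as an added example (not code from the question or any of the answers): undo magic_quotes once at request start, keep plain text in the database, and escape only at the output boundary, with htmlspecialchars() for HTML and a PDO prepared statement instead of string escaping for SQL. It assumes PHP 5.4 or later and the pdo_sqlite extension; the helper names (undoMagicQuotes, h, insertUser, findUser) and the sample input are mine.

```php
<?php
// Added example, not part of the original question or answers.
// Assumes PHP >= 5.4 and the pdo_sqlite extension (in-memory database).

// Undo magic_quotes_gpc once, at request start, over the whole input array.
// On PHP >= 5.4 get_magic_quotes_gpc() always returns false, so this is a no-op.
function undoMagicQuotes(array $data)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        foreach ($data as $key => $value) {
            $data[$key] = is_array($value) ? undoMagicQuotes($value) : stripslashes($value);
        }
    }
    return $data;
}

// HTML context: escape only when a value is written into a document.
// ENT_QUOTES covers both quote styles so the value is safe inside attributes too.
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SQL context: no escaping function at all; the value is bound as a parameter,
// so quotes, backslashes and HTML characters are stored exactly as typed.
function insertUser(PDO $db, $name)
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute(array(':name' => $name));
}

function findUser(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchColumn();
}

// Constructed sample request data standing in for $_POST.
$post = undoMagicQuotes(array('name' => "O'Reilly & Sons <b>"));
$raw  = $post['name'];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)');

// The table holds the plain text, so an exact-match lookup on the raw value works.
insertUser($db, $raw);
$stored = findUser($db, $raw);
var_dump($stored === $raw);

// Escaping happens here, at the point the value enters an HTML document.
echo '<p>Welcome, ', h($stored), "</p>\n";

// By contrast, the question's sanitizeSQL() runs htmlspecialchars() before the
// SQL escape, so the table would contain HTML entities (&amp;, &lt;, &gt;) rather
// than the characters the user typed, and the lookup above would find nothing.
```

The same split applies to every other output format mentioned in the answer: a CSV writer gets fputcsv(), a shell command gets escapeshellarg(), and none of them should see data that has already been run through htmlspecialchars().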

briddums

Reputation: 1846

I would have sanitizeSQL call sanitize. No duplicate code but different function names.

function sanitizeSQL($input)
{
    // Reuse sanitize() for the magic_quotes undo and HTML escaping,
    // then add the SQL escaping on top
    return mysql_real_escape_string(sanitize($input));
}

If you did want to only have 1 method to call, I would pass in a second parameter:

function sanitize($input, $forSql)
{
    if (get_magic_quotes_gpc() == true) {
        $input = stripslashes($input);
    }

    $input = htmlspecialchars($input);

    // Only add the SQL escaping when the caller asks for it
    if ($forSql == true) {
        $input = mysql_real_escape_string($input);
    }

    return $input;
}

Upvotes: 1

Andreas

Reputation: 2678

function sanitizeBoth($input, $mysqlEscape) 
{
    if(get_magic_quotes_gpc() == true)
    {
        $input = stripslashes($input);
    }
    $return = htmlspecialchars($input);
    if ($mysqlEscape){
        $return = mysql_real_escape_string($return);
    }
    return $return;
}

$mysqlEscape is the switch: If it is true, it works as 'sanitizeSQL', if false as 'sanitize'.

Upvotes: 1

animuson

Reputation: 54729

Pretty simple to merge them.

function sanitize($input, $sql = false) { // $sql will default to false
    // get_magic_quotes_gpc() returns int 0/1 on PHP < 5.4, so a strict === true
    // comparison never matches; test it for truthiness instead
    if (get_magic_quotes_gpc()) $input = stripslashes($input);
    $input = htmlspecialchars($input);
    return ($sql === true ? mysql_real_escape_string($input) : $input);
}

We just add an $sql variable to say whether or not it needs to be sanitized for SQL.

Upvotes: 2
