
I am trying out a function from a book for the first time. I could use some help. It goes:

function sanitizeString($var)
{
    $var = stripslashes($var);
    $var = htmlentities($var);
    $var = strip_tags($var);
    return $var;
}

I have two simple forms. One that asks for an email address and another that does fahrenheit-celsius conversions (interesting stuff, I know). I have been testing this sanitizeString function out and it doesn't seem to do anything. Any HTML, or slashes or anything I put in text fields are not stripped of any of the harmful stuff. The code in its entirety is:

<?php

$f = $c = $email = "";

if (isset($_POST['f'])) $f = sanitizeString($_POST['f']);
if (isset($_POST['c'])) $c = sanitizeString($_POST['c']);

if ($f != '')
{
    $c = intval((5/9) * ($f - 32));        // fahrenheit to celsius
    $out = "$f equals $c c";
}
elseif ($c != '')
{
    $f = intval((9/5) * $c + 32);          // celsius to fahrenheit
    $out = "$c c equals $f f";
}
else $out = "Please enter data in at least one field";

if (isset($_POST['email']))
    $email = sanitizeString($_POST['email']);

echo <<<_END
<html><head><title>Email & Temp Conv.</title>
</head><body>

<pre>
Enter fahrenheit or celsius and click convert

<b>$out</b>
<form method="post" action="formValidation.php">
Fahrenheit <input type="text" name="f" size="7" /><br />
   Celsius <input type="text" name="c" size="7" /><br />
           <input type="submit" value="Convert" /><br />
</form></pre>


<form method="post" action="formValidation.php">
Email <input type="text" name="email" />
      <input type="submit" name="submit" value="Send" /><br />
      <b>$email</b>
</form>

</body></html>
_END;

// Defined after its first use: PHP makes unconditional top-level
// function definitions available before the line that declares them.
function sanitizeString($var)
{
    $var = stripslashes($var);
    $var = htmlentities($var);
    $var = strip_tags($var);
    return $var;
}
?>

Has anyone used methods like these? My expectation was that when I put in slashes or some HTML, it would be taken out. That doesn't seem to be happening. I'm in the middle of trying to put a site together with a searchable database and customers logging in and the whole shebang, so I would like to be able to have some security. Any help is much appreciated. Thanks in advance.


Read http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc
if that directive is enabled on your server and you typed/submitted the following:
O'Brian/O'Malley

then the server will auto-convert it to:
O\'Brian\/O\'Malley

then if you call stripslashes() it will change it back to what you originally typed:
O'Brian/O'Malley

notice that it removes only BACK slashes, not forward slashes.

Also, htmlentities() will first change <span>...</span> to &lt;span&gt; , but strip_tags() does NOT "understand" &lt;span&gt; . It will remove the tags only if they are "unencoded". So swap lines 53 and 54.
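To make the ordering problem hielo describes visible, here is an added example (my own code, not hielo's, the book's, or the original poster's). The function names and the test strings are constructed; it assumes a PHP command line of 5.4 or later, where magic_quotes_gpc no longer exists, so stripslashes() is only shown on a hand-built string.

```php
<?php
// Added example: the same three calls in the two possible orders, run on one
// constructed input so the difference in what strip_tags() can see is obvious.

// Constructed test value: a tag carrying an event handler, an apostrophe, an ampersand.
$input = "<b onmouseover=\"alert(1)\">O'Brian</b> & <i>Malley</i>";

// Ordering from the book: htmlentities() turns "<" into "&lt;" first, so when
// strip_tags() runs there is no raw tag left for it to find; the whole tag text,
// attribute included, survives in encoded form.
function sanitizeBookOrder($var)
{
    $var = stripslashes($var);
    $var = htmlentities($var, ENT_QUOTES, 'UTF-8');
    $var = strip_tags($var);
    return $var;
}

// Ordering hielo recommends: remove tags while they are still raw markup, then
// encode whatever text is left so it is safe to echo back into the page.
function sanitizeFixedOrder($var)
{
    $var = stripslashes($var);
    $var = strip_tags($var);
    $var = htmlentities($var, ENT_QUOTES, 'UTF-8');
    return $var;
}

// stripslashes() undoes only the escaping magic_quotes_gpc used to add: it removes
// backslashes and leaves forward slashes alone. Constructed to match the thread's
// O\'Brian\/O\'Malley example (in a double-quoted PHP string "\\" is one backslash).
$quoted = "O\\'Brian\\/O\\'Malley";

echo "book order  : ", sanitizeBookOrder($input), "\n";
echo "fixed order : ", sanitizeFixedOrder($input), "\n";
echo "stripslashes: ", stripslashes($quoted), "\n";
```

Running it shows the book order echoing the encoded tag text, onmouseover attribute and all, while the fixed order keeps only the visible text with its apostrophe and ampersand encoded; the stripslashes() line comes back as the original O'Brian/O'Malley.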

You're exactly right hielo. Thank you. You really can't trust what you read in textbooks.


You can use the function mysql_real_escape_string, like this:

if (isset($_POST['f'])) $f = mysql_real_escape_string($_POST['f']);
if (isset($_POST['c'])) $c = mysql_real_escape_string($_POST['c']);


As most people should be aware, mysql_* functions have now been deprecated. In other words DO NOT use them. Use PDO or mysqli instead.

If you need to sanitize input before placing into a query, you'd be better to use a prepared statement and bind values/parameters. If you have no idea what this means - check out mysqli and PDO in the php.net manual.

So please, no more posts about mysql - especially if all they serve to do is disinter a 4 year old post, which seemed to have had a decent burial.
