I am trying out a function from a book for the first time. I could use some help. It goes:

function sanitizeString($var)
{
    $var = stripslashes($var);
    $var = htmlentities($var);
    $var = strip_tags($var);
    return $var;
}

I have two simple forms. One that asks for an email address and another that does fahrenheit-celsius conversions (interesting stuff, I know). I have been testing this sanitizeString function out and it doesn't seem to do anything. Any HTML, or slashes or anything I put in text fields are not stripped of any of the harmful stuff. The code in its entirety is:

<?php

$f = $c = "";

// Run each submitted value through the book's sanitizeString() before using it
if (isset($_POST['f'])) $f = sanitizeString($_POST['f']);
if (isset($_POST['c'])) $c = sanitizeString($_POST['c']);

if ($f != '')
{
    $c = intval((5/9) * ($f - 32));
    $out = "$f equals $c c";
}
elseif ($c != '')
{
    // Celsius to Fahrenheit is C * 9/5 + 32 (the original had the formula inverted)
    $f = intval((9/5) * $c + 32);
    $out = "$c c equals $f f";
}
else $out = "Please enter data in at least one field";

// Initialise so the heredoc below never reads an undefined variable
$email = "";
if (isset($_POST['email']))
    $email = sanitizeString($_POST['email']);

echo <<<_END
<html><head><title>Email & Temp Conv.</title>
</head><body>

<pre>
Enter fahrenheit or celsius and click convert

<b>$out</b>
<form method="post" action="formValidation.php">
Fahrenheit <input type="text" name="f" size="7" /><br />
   Celsius <input type="text" name="c" size="7" /><br />
           <input type="submit" value="Convert" /><br />
</form></pre>

<form method="post" action="formValidation.php">
Email <input type="text" name="email" />
      <input type="submit" name="submit" value="Send" /><br />
      <b>$email</b>
</form>
</body></html>
_END;

// PHP hoists top-level function declarations, so defining this after the
// calls above still works
function sanitizeString($var)
{
    $var = stripslashes($var);
    $var = htmlentities($var);
    $var = strip_tags($var);
    return $var;
}
?>

Has anyone used methods like these? My expectation was that when I put in slashes or some HTML, it would be taken out. That doesn't seem to be happening. I'm in the middle of trying to put a site together with a searchable database and customers logging in and the whole shebang, so I would like to be able to have some security. Any help is much appreciated. Thanks in advance.

All 5 Replies

Read http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc
if that directive is enabled on your server and you typed/submitted the following:
O'Brian/O'Malley

then the server will auto-convert it to:
O\'Brian\/O\'Malley

then if you call stripslashes() it will change it back to what you originally typed:
O'Brian/O'Malley

notice that it removes only BACK slashes, not forward slashes.

Also, htmlentities() will first change <span>...</span> to &lt;span&gt; , but strip_tags() does NOT "understand" &lt;span&gt; . It will remove the tags only if they are "unencoded". So swap lines 53 and 54.
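To see why the order matters, here is an added example (not code from the book or from the original post) that runs the same input through the book's order and through the swapped order side by side. The ENT_QUOTES and 'UTF-8' arguments to htmlentities() are my additions; the book's version called it with defaults.

```php
<?php
// Book's order: htmlentities() runs first, so strip_tags() is handed
// "&lt;span&gt;" and finds nothing to strip; the encoded tag text survives.
function sanitizeBookOrder(string $var): string
{
    $var = stripslashes($var);
    $var = htmlentities($var, ENT_QUOTES, 'UTF-8');
    $var = strip_tags($var);
    return $var;
}

// Swapped order from the reply above: strip_tags() removes real markup first,
// then htmlentities() encodes whatever is left so the browser shows it as text.
function sanitizeFixedOrder(string $var): string
{
    $var = stripslashes($var);
    $var = strip_tags($var);
    $var = htmlentities($var, ENT_QUOTES, 'UTF-8');
    return $var;
}

// Constructed sample inputs: the markup case from the thread, a value the
// server had already backslash-escaped (magic quotes), and a mixed line.
$samples = [
    '<span>hello</span>',
    "O\\'Brian/O\\'Malley",
    '<b>bold</b> & 5 < 6',
];

foreach ($samples as $in) {
    printf("input:      %s\n", $in);
    printf("book order: %s\n", sanitizeBookOrder($in));
    printf("swapped:    %s\n\n", sanitizeFixedOrder($in));
}
```

Run it from the command line with php and compare the two output lines for the span case: only the swapped order actually drops the tags, while the book's order just encodes them. The magic-quotes sample comes out the same either way, since stripslashes() runs first in both.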

You're exactly right hielo. Thank you. You really can't trust what you read in textbooks.

You can use the function mysql_real_escape_string, like this:

if (isset($_POST['f'])) $f = mysql_real_escape_string($_POST['f']);
if (isset($_POST['c'])) $c = mysql_real_escape_string($_POST['c']);


As most people should be aware, mysql_* functions have now been deprecated. In other words, DO NOT use them. Use PDO or mysqli instead.

If you need to sanitize input before placing into a query, you'd be better to use a prepared statement and bind values/parameters. If you have no idea what this means - check out mysqli and PDO in the php.net manual.

So please, no more posts about mysql - especially if all they serve to do is disinter a 4 year old post, which seemed to have had a decent burial.

I would like to read more about it. Could you suggest what literature to study?
