Basic Data Securing
Secures all data available within POST and GET against XSS and SQL injection.
Of course, to run the clean() function the script must be connected to a database, in order for the mysql_real_escape_string() function to work.
Usage:
Putting this snippet at the top of the page will do the job,
so we don’t have to add the clean function to every single variable ourselves.
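// cleaning function
// of course, the script must be connected to a database.
function clean($data){
    // array-valued fields (e.g. name="tags[]") are cleaned element by element
    if (is_array($data)) {
        return array_map('clean', $data);
    }
    return mysql_real_escape_string( htmlentities( $data ) );
}
// start filtering $_POST, $_GET and secure any data within
// the cleaned values end up in $data; $_POST and $_GET themselves are left unchanged
$data = array_merge($_POST, $_GET);
foreach( $data AS $key => $val )
{
    $data[ $key ] = clean( $val );
}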
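An added example, not the snippet author's code: the same goal handled per context, with validation through filter_var_array(), SQL through PDO prepared statements, and HTML encoding applied only at output. The in-memory SQLite table, the helper names saveComment(), findComment() and e(), and the sample request values are assumptions made for the illustration.

```php
<?php
// Added example. Table, helper names and request values are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed request data standing in for $_POST / $_GET.
$request = ['id' => '1 OR 1=1', 'author' => "O'Brien", 'body' => '<b>hi</b> & bye'];

// 1. Validate by expected type. A failed filter yields false for that key.
//    Quote-escaping alone would leave '1 OR 1=1' unchanged (it has no quotes).
$input = filter_var_array($request, [
    'id'     => FILTER_VALIDATE_INT,
    'author' => FILTER_UNSAFE_RAW,
    'body'   => FILTER_UNSAFE_RAW,
]);

// 2. SQL context: bound parameters, so values are never parsed as SQL.
function saveComment(PDO $pdo, string $author, string $body): int {
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function findComment(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. HTML context: encode when writing into the page, not when reading input.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if ($input['id'] === false) {
    echo "id rejected: not an integer\n";
}

$newId = saveComment($pdo, $input['author'], $input['body']);
$row   = findComment($pdo, $newId);

// The database holds the raw text; only the HTML output is entity-encoded.
echo 'stored: ' . $row['body'] . "\n";
echo 'html:   <p>' . e($row['author']) . ': ' . e($row['body']) . "</p>\n";
```

Because the stored value stays raw, it can later be emitted into other contexts (JSON, CSV, plain-text e-mail) with the encoding each of those needs.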
Hi,
If you are using PHP5 (>= 5.2.0) you can make use of Filter functions, especially this one: filter_var_array, which gets multiple variables and optionally filters them.
For more information, you can see the PHP reference guide: http://www.php.net/manual/en/function.filter-var-array.php
Regards
Some servers (with magic_quotes enabled) automatically addslashes the GET/POSTs so I advise using the following if you’re having that problem (otherwise you’d get double backslashes):
$val )
{
$data[ $key ] = clean( $val );
}
?>
Hmm… it didn’t let me post the PHP -__-
Here it is: http://pastebin.com/CR5wTKWq
Is this working? I tried it on my development server and nothing happened. The SQL injections still get through.