String Cleaning Function

Gate
Posts: 25
Joined: Tue Jan 25, 2011 2:35 am

String Cleaning Function

Post by Gate »

Make a function in your common includes file as such:


<?php
//////////////////////////////////////////////////////
// Function: Secure_Input()
// Use: Secures input against SQL/Script injection
// Note: mysql_real_escape_string() needs an open mysql_connect()
//       link (it returns false without one) and belongs to the
//       mysql extension, which was removed in PHP 7.
//////////////////////////////////////////////////////
function secure_input($input){
     $input = htmlentities($input);             // encode HTML special characters as entities
     $input = mysql_real_escape_string($input); // escape for a MySQL string literal
     $input = strip_tags($input);               // '<' is already '&lt;' here, so no tags remain to strip
     return $input;
}
//////////////////////////////////////////////////////
// End - Secure_Input()
//////////////////////////////////////////////////////
?>
Example Code:


<?php

$variable = $_POST['variable'];
$clean_variable = secure_input($variable);

?>
Last edited by Gate on Thu Feb 03, 2011 7:21 am, edited 1 time in total.
My software never has bugs. It just develops random features.
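The function above escapes for two different output contexts (HTML and a MySQL string literal) before the data has reached either, so what lands in the database is already HTML-encoded and a later lookup for what the user actually typed cannot match it. The following is an added example, not code from the original post: it keeps the two contexts separate by binding the value with a PDO prepared statement and escaping for HTML only at render time. It assumes PHP with the pdo_sqlite extension, so it runs from the command line without a MySQL server; the table, the hypothetical html() helper and the sample input are constructed for the demonstration.

```php
<?php
// Added example (not from the original post). Assumes the pdo_sqlite extension.
// SQL context: prepared statement with a placeholder. HTML context: escape on output.

// Constructed sample input: a quote, markup and a classic injection fragment.
$raw = "O'Brien <b>&</b> ' OR '1'='1";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// The placeholder keeps query text and data apart: no escaping, and the
// quote and OR '1'='1' are stored as literal characters, never executed.
$ins = $db->prepare('INSERT INTO players (name) VALUES (:name)');
$ins->execute([':name' => $raw]);

// Looking the row up by the same untrusted value also goes through a placeholder.
$sel = $db->prepare('SELECT name FROM players WHERE name = :name');
$sel->execute([':name' => $raw]);
$stored = $sel->fetchColumn();

// The database holds exactly what the user typed; nothing was double-encoded.
var_dump($stored === $raw);   // bool(true)

// Hypothetical helper: escape for an HTML body or attribute when rendering.
// ENT_QUOTES also neutralises single quotes inside attribute values.
function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
echo '<td>' . html($stored) . "</td>\n";
// <td>O&#039;Brien &lt;b&gt;&amp;&lt;/b&gt; &#039; OR &#039;1&#039;=&#039;1</td>

// For contrast, store what the input-time chain would have produced (the
// mysql_real_escape_string() step is omitted because the mysql extension is
// gone; ENT_QUOTES is given explicitly because the htmlentities() default
// changed in PHP 8.1). strip_tags() finds nothing, since '<' is already '&lt;'.
$encoded = strip_tags(htmlentities($raw, ENT_QUOTES));
$ins->execute([':name' => $encoded]);

// Only the row inserted via the prepared statement matches the user's real input.
$sel->execute([':name' => $raw]);
echo count($sel->fetchAll(PDO::FETCH_COLUMN)), "\n";   // 1
```

The rule of thumb the example illustrates: escaping is a property of the output context, not of the input. Bind values for SQL, escape for HTML at the template, and keep the raw string in the database so searches, comparisons and non-HTML consumers (JSON APIs, e-mails, logs) see the real data.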
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: String Cleaning Function

Post by Jackolantern »

Don't you need to either pass the parameter by reference, such as:


function secure_input(&$input){  //added pass-by-reference symbol
     $input = htmlentities($input);
     $input = mysql_real_escape_string($input);
     $input = strip_tags($input);
}
...or return the value?


function secure_input($input){
     $input = htmlentities($input);
     $input = mysql_real_escape_string($input);
     $input = strip_tags($input);
     return $input;
}
Otherwise $input will be a local copied-by-value variable and will simply go out of scope when the function returns without changing the underlying value of the variable passed into the function call.
The indelible lord of tl;dr
Gate
Posts: 25
Joined: Tue Jan 25, 2011 2:35 am

Re: String Cleaning Function

Post by Gate »

Jackolantern wrote:Don't you need to either pass the parameter by reference, such as:


function secure_input(&$input){  //added pass-by-reference symbol
     $input = htmlentities($input);
     $input = mysql_real_escape_string($input);
     $input = strip_tags($input);
}
I've only ever seen the passing of parameters by reference in a class, never seen much use of them in general and never seen their use in a professional web project, so I'll stick to my way for now ;)
Jackolantern wrote: ...or return the value?


function secure_input($input){
     $input = htmlentities($input);
     $input = mysql_real_escape_string($input);
     $input = strip_tags($input);
     return $input;
}
Otherwise $input will be a local copied-by-value variable and will simply go out of scope when the function returns without changing the underlying value of the variable passed into the function call.
You don't actually need to return the value in the function for this code to work if the function is used as defined below; the variable does not lose scope.


$input = secure_input($input);
Still, it is good practice to always have the return command in there, so thanks for pointing it out; edited the code to reflect the changes.
My software never has bugs. It just develops random features.
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: String Cleaning Function

Post by Jackolantern »

Gate wrote:
Jackolantern wrote:Don't you need to either pass the parameter by reference, such as:


function secure_input(&$input){  //added pass-by-reference symbol
     $input = htmlentities($input);
     $input = mysql_real_escape_string($input);
     $input = strip_tags($input);
}
I've only ever seen the passing of parameters by reference in a class, never seen much use of them in general and never seen their use in a professional web project, so I'll stick to my way for now ;)
You are right. Passing by reference is typically considered bad practice and should only be used for optimization, or when no other option exists, since it can introduce difficult-to-track bugs into the application.
Gate wrote:
Jackolantern wrote: ...or return the value?


function secure_input($input){
     $input = htmlentities($input);
     $input = mysql_real_escape_string($input);
     $input = strip_tags($input);
     return $input;
}
Otherwise $input will be a local copied-by-value variable and will simply go out of scope when the function returns without changing the underlying value of the variable passed into the function call.
You don't actually need to return the value in the function for this code to work if the function is used as defined below; the variable does not lose scope.


$input = secure_input($input);
Still, it is good practice to always have the return command in there, so thanks for pointing it out; edited the code to reflect the changes.
Hmm...I was curious about this since the PHP Manual says that the default behavior was pass-by-value. I tried out a function that simply re-assigned the string value once it was passed in, used the same variable name, and it didn't work. In fact, it didn't even have the initial, out-of-function value when I echoed it, which was very odd. PHP has some really strange bits to it... lol
The indelible lord of tl;dr
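The result Jackolantern describes is what PHP's pass-by-value semantics produce: a function that only reassigns its parameter changes a local copy, and a function with no return statement returns null, so `$input = secure_input($input);` empties the variable. The following is an added example (not code from the thread) that reproduces this with the three call shapes discussed: no return, pass-by-reference, and a returned value. strip_tags() stands in for the full escaping chain, since mysql_real_escape_string() needs the mysql extension (removed in PHP 7) and an open connection; the sample input is constructed.

```php
<?php
// Added example, not from the thread. Shows why a returnless secure_input()
// cannot work as $input = secure_input($input): PHP passes $input by value,
// and a function without a return statement returns null.

function clean_no_return($input) {
    $input = strip_tags($input);   // changes only the local copy
}

function clean_by_ref(&$input) {
    $input = strip_tags($input);   // changes the caller's variable in place
}

function clean_returned($input) {
    return strip_tags($input);     // the caller decides where the result goes
}

$raw = '<b>hello</b>';   // constructed sample input

// 1. By value, no return: the caller's variable is untouched.
$a = $raw;
clean_no_return($a);
var_dump($a);   // string(12) "<b>hello</b>"

// 2. By value, no return, result assigned back: the variable is now null.
//    Echoing it prints nothing, which matches "didn't even have the initial value".
$b = $raw;
$b = clean_no_return($b);
var_dump($b);   // NULL

// 3. By reference: updated in place, no assignment needed.
$c = $raw;
clean_by_ref($c);
var_dump($c);   // string(5) "hello"

// 4. Returned value: the idiomatic form, and the original stays intact.
$d = clean_returned($raw);
var_dump($d);   // string(5) "hello"
var_dump($raw); // string(12) "<b>hello</b>"
```

Case 2 is the one to watch for in review: the code looks like it sanitises, runs without any error, and silently replaces the user's input with null, so whatever consumes `$b` afterwards sees an empty value rather than a cleaned one.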
Gate
Posts: 25
Joined: Tue Jan 25, 2011 2:35 am

Re: String Cleaning Function

Post by Gate »

It seems that the pass-by-reference symbols are PHP's version of pointers, whereas pointers in C++ actually have a use in referencing blocks of memory; PHP, it seems to me, lacks any use for its 'pointer' system in a web environment.
My software never has bugs. It just develops random features.
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: String Cleaning Function

Post by Jackolantern »

Yeah, it is just a hold-over from C/C++ for passing-by-reference. Most modern languages use the keyword "ref" in front of the parameter to signal a pass-by-reference rather than use the old C++ "&" symbol. As you mentioned, PHP does not have true pointer arithmetic or functionality, so it is kind of silly that they used it (particularly since it was added after Java changed the industry standard to using the "ref" keyword).
The indelible lord of tl;dr
Chris
Posts: 1580
Joined: Wed Sep 30, 2009 7:22 pm

Re: String Cleaning Function

Post by Chris »

Memory saver:


function secure_input($input)
{
     return htmlentities(mysql_real_escape_string(strip_tags($input)));
}
 
Fighting for peace is declaring war on war. If you want peace be peaceful.
Gate
Posts: 25
Joined: Tue Jan 25, 2011 2:35 am

Re: String Cleaning Function

Post by Gate »

Chris wrote:Memory saver:


function secure_input($input)
{
     return htmlentities(mysql_real_escape_string(strip_tags($input)));
}
 
Rather go for clarity, good formatting and comments over saving maybe 2 bytes of memory. You should too!
My software never has bugs. It just develops random features.