$_POST Array and Cleaning

$_POST Array and Cleaning

am 21.01.2008 03:22:07 von Nihilism Machine

I'm trying to create a function that will first take an array of
$_POSTs and give them key/value pairs like variables. For instance, if
i had $_POST['whatever'] = "whatever", that would be made into
$whatever = "whatever", then i can clean for sql injection and xss.
any ideas here?

- e

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: $_POST Array and Cleaning

am 21.01.2008 03:25:50 von Nathan Nobbe

------=_Part_10473_18723610.1200882350110
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

On Jan 20, 2008 9:22 PM, nihilism machine wrote:

> I'm trying to create a function that will first take an array of
> $_POSTs and give them key/value pairs like variables. For instance, if
> i had $_POST['whatever'] = "whatever", that would be made into
> $whatever = "whatever", then i can clean for sql injection and xss.
> any ideas here?
>

foreach($_POST as $curPostKey => $curPostVal) {
cleanPost($curPostKey); // <-- todo: implement me
$$curPostKey = $curPostVal;
}

-nathan

------=_Part_10473_18723610.1200882350110--

Re: $_POST Array and Cleaning

am 22.01.2008 11:12:04 von Manuel Vacelet

On Jan 21, 2008 3:22 AM, nihilism machine wrote:
> I'm trying to create a function that will first take an array of
> $_POSTs and give them key/value pairs like variables. For instance, if
> i had $_POST['whatever'] = "whatever", that would be made into
> $whatever = "whatever", then i can clean for sql injection and xss.
> any ideas here?

Consider usage of a 3rd party lib like Inspekt:
http://code.google.com/p/inspekt/

-- Manuel

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: $_POST Array and Cleaning

am 22.01.2008 11:19:01 von Mike

> On Jan 21, 2008 3:22 AM, nihilism machine wrote:
> > I'm trying to create a function that will first take an array of
> > $_POSTs and give them key/value pairs like variables. For instance, if
> > i had $_POST['whatever'] = "whatever", that would be made into
> > $whatever = "whatever", then i can clean for sql injection and xss.
> > any ideas here?

i use a combination of php.net/filter, bounds checking for
integers/etc, appropriate text escaping (i.e. like
mysql_escape_string) prior to any db queries with text data,
intval($var) on anything needing to be converted to integer (although
filter will do that for you too)

also - suhosin might help with some things. i run both the patch and the module.

> Consider usage of a 3rd party lib like Inspekt:
> http://code.google.com/p/inspekt/

i'll look at this too, thanks

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php