Escaping form data
Viewed 566 times
0
I'm having a bit of a problem with escaping data, or at least, the cleanliness of the code involved with it.
Let's say, I'm escaping a textfield named "FirstName" and it looks something like this:
$FirstName = mysqli_real_escape_string($link, $_POST['FirstName']);
$FirstName = preg_replace( "/[<>#$%]/", "", $FirstName);
$FirstName = preg_replace('/\s\s+/', ' ', $FirstName);
Is there any way I can just put the last 2 lines in some sort of loop, let's say like this:
foreach($_POST as $name => $value)
{
    $value = preg_replace( "/[<>#$%]/", "", $value);
    $value = preg_replace('/\s\s+/', ' ', $value);
}
where then all I have to do later is
$FirstName = mysqli_real_escape_string($link, $_POST['FirstName']);
where $_POST['FirstName'] has already been stripped of the other characters?
1 Answer
2
Sure. Make the foreach loop by-reference instead of by-value like so:
foreach($_POST as $name => &$value)
{
    $value = preg_replace( "/[<>#$%]/", "", $value);
    $value = preg_replace('/\s\s+/', ' ', $value);
}
Note the ampersand in front of the $value. That means the $value you get as you iterate over the array is a reference to the value in the array itself rather than a copy of that value.
Answered Aug 25 '12 at 03:08
Actually, after a day of testing this, it seems to have a problem. Let's say I have 3 POSTS being submitted. Name, email, then phonenumber. Your solution gives the last of the POSTs submitted the value of the second last POST. In this case, it gives phonenumber the value of email. Any thoughts? - Galway
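The symptom described in the comment above is the one PHP produces when the reference left behind by a by-reference foreach is reused by a later loop over the same array. The following is an added example, not code from the question or the answer: it reproduces the effect on constructed input and shows two ways to avoid it. The helper strip_field() and the sample values are assumptions made for the illustration.

```php
<?php
// Constructed sample input standing in for $_POST (values are made up).
$post = [
    'Name'        => "Ann   <b>Lee</b>",
    'Email'       => 'ann@example.com',
    'PhoneNumber' => '555  0100',
];

// Hypothetical helper wrapping the two preg_replace() calls from the question.
function strip_field(string $v): string
{
    $v = preg_replace('/[<>#$%]/', '', $v);
    return preg_replace('/\s\s+/', ' ', $v);
}

// 1) By-reference loop with no unset(): after the loop, $value is still
//    bound to the LAST element of the array.
$buggy = $post;
foreach ($buggy as $name => &$value) {
    $value = strip_field($value);
}
// A later by-value loop that reuses $value assigns through that reference,
// so the last element is overwritten on every iteration.
foreach ($buggy as $name => $value) {
    // read-only use of $value, e.g. building a log line
}
var_dump($buggy['PhoneNumber'] === $buggy['Email']);

// 2) Same loop, with the reference dropped as soon as the loop ends.
$fixed = $post;
foreach ($fixed as $name => &$value) {
    $value = strip_field($value);
}
unset($value); // break the binding to the last element
foreach ($fixed as $name => $value) {
    // the same read-only loop now leaves the array untouched
}
var_dump($fixed['PhoneNumber'] === '555 0100');

// 3) No references at all: build a cleaned copy and skip non-string fields
//    (a field submitted as name[] arrives as an array, not a string).
$clean = array_map('strip_field', array_filter($post, 'is_string'));
var_dump($clean['Name'] === 'Ann bLee/b');
```

All three var_dump() calls report true: in the first case the phone number has been replaced by the e-mail address, in the other two each field keeps its own stripped value.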