TalkFreelance forum, PHP and MySQL

Thread title: Alternative to addslashes
12-31-2007, 04:37 PM  #1
phpintheusa (Join date: Dec 2007; Location: Tennessee; Posts: 20)

I noticed that a lot of people are relying solely on addslashes() when validating user-posted data in PHP. I recommend using something like this instead; this will help prevent SQL injection more thoroughly, and cross-site scripting.

Code:
function validateit($value) {
	$value = str_replace('javascript:', '_', $value);
	$value = str_replace('document.location', '_', $value);
	$value = str_replace('vbscript:', '_', $value);
	$value = str_replace('<marquee', '_', $value);
	$value = str_replace('<script', '_', $value);
	$value = str_replace('?php', '_', $value);
	$value = mysql_real_escape_string(strip_tags(htmlentities(trim($value))));
	return $value;
}

12-31-2007, 04:59 PM  #2
Salathe (Community Archaeologist; Join date: Jul 2004; Location: Scotland; Expertise: Software Development; Software: vim, PHP; Posts: 3,820)

This post will likely come off as snobbish and/or know-it-all, but that's not the intention! If people are relying on (or using) addslashes for validation of any data, then they're not validating at all. All that addslashes does is escape a string, nothing more. It certainly doesn't validate anything.

There are a plethora of techniques in common, and not so common, use to help prevent various forms of injection and/or XSS attacks and it isn't the purpose of my post to provide an overview of those.

Your own function does two separate things which I, personally, don't like to mix like this. A series of filters are applied to the string ($value) with str_replace/trim/strip_tags, and you escape what's left over with mysql_real_escape_string/htmlentities. There's an old (I've no idea how old or from whence it came) programming adage: filter input, escape output. You're doing both with this function! I wouldn't advise escaping strings going into the database with anything other than mysql_real_escape_string. That function is simply used to enable storage of the string without any problems.

On a side note, you can pass an array into one (two, or all) of the first three parameters (the fourth being optional integer, count) of str_replace to make life easier. You could rewrite the first six lines within the function to be:

PHP Code:
$search = array('javascript:',
                'document.location',
                'vbscript:',
                '<marquee',
                '<script',
                '?php');
$value = str_replace($search, '_', $value);
The idea being, why do the job six times when you can do six things at once.
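An added example (not code from Salathe or from anyone in this thread) of the "filter input, escape output" split described in the post above, written for PHP 7.1+ with the pdo_sqlite extension so it runs without a MySQL server. For the database side it swaps in a PDO prepared statement in place of the thread's mysql_real_escape_string (the mysql_* functions no longer exist in PHP 7), and it keeps HTML escaping at the point of output only; the table, the field names and the sample $_POST values are constructed for the example.

```php
<?php
// Added example, not from the thread: validate input once, store the raw value
// with a prepared statement, and escape only at the HTML output boundary.
// Assumes PHP 7.1+ with pdo_sqlite; the posts table and sample input are made up.

declare(strict_types=1);

/** Filter input: accept a display name of 1..40 characters with no control characters. */
function filter_display_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || strlen($name) > 40) {
        return null;                       // reject, rather than rewrite, bad input
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $name)) {
        return null;                       // control characters are never legitimate here
    }
    return $name;
}

/** Filter input: accept only a canonical positive integer id, returned as an int. */
function filter_id(string $raw): ?int
{
    return preg_match('/^[1-9][0-9]{0,9}$/', $raw) ? (int) $raw : null;
}

/** Store the value verbatim: the prepared statement handles the SQL side. */
function store_post(PDO $db, int $id, string $author): void
{
    $stmt = $db->prepare('INSERT INTO posts (id, author) VALUES (:id, :author)');
    $stmt->execute([':id' => $id, ':author' => $author]);
}

/** Escape output: HTML-encode only when the value is rendered into markup. */
function render_author(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT author FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $author = (string) $stmt->fetchColumn();
    return '<span class="author">'
        . htmlspecialchars($author, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</span>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT NOT NULL)');

// Constructed sample input standing in for $_POST.
$post = ['id' => '7', 'author' => "O'Brien <script>alert(1)</script>"];

$id     = filter_id($post['id']);
$author = filter_display_name($post['author']);
if ($id === null || $author === null) {
    exit("rejected\n");
}
store_post($db, $id, $author);

// The apostrophe and the tag reach the database unchanged: nothing was mangled on the way in.
$stored = $db->query('SELECT author FROM posts WHERE id = 7')->fetchColumn();
if ($stored !== $post['author']) {
    throw new RuntimeException('stored value was altered');
}

// They are neutralised only where they could do harm, in the rendered HTML.
echo render_author($db, $id), "\n";
```

Run it with `php example.php`. The stored value keeps the apostrophe and the angle brackets intact, and only the rendered HTML has them encoded; a second output context (a JSON body, a URL parameter) would get its own encoder at its own boundary rather than a pre-escaped value from the database. The filters reject instead of "cleaning", so a value that fails filter_display_name never reaches store_post at all.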

12-31-2007, 05:05 PM  #3
phpintheusa (Join date: Dec 2007; Location: Tennessee; Posts: 20)

I stand corrected. It was just a quick example I thought of; you had great points, however!

01-01-2008, 12:43 AM  #4
phpintheusa (Join date: Dec 2007; Location: Tennessee; Posts: 20)

I mixed yours (from your blog) and mine, I like this:

Code:
function clean($value) {
	// I clean the string up when my function is called.
	$search = array('javascript:',  
	                'document.location', 
	                'vbscript:', 
	                '<marquee', 
	                '<script', 
	                '?php'); 
	$value = str_replace($search, '_', $value); 
	$value = mysql_real_escape_string(strip_tags(trim($value)));
	return $value;
}
function vdata($value) {
	if (get_magic_quotes_gpc()) {
		//if the dope has magic quotes on, strip them
		$value = stripslashes($value);
	}
	if (!is_numeric($value) || $value[0] == '0') {
		// now do the cleaning
		$value = clean($value);
	}
	return $value;
}
Then just call like this:

Code:
$value = vdata($_POST['value']);
