Stripping harmful tags [newbie]
Gwen Morse

2004-11-15, 3:57 pm

I found what looks to be a useful snippet of php code to check for
harmful tags and strip them from a posted form array.

However, it doesn't "work". It doesn't provide any useful error
messages, but, it also doesn't strip the tags.

Looking it over, it appears to step through each element in the array
and strip the tags, but, I don't see how it actually restores them to
the array once they're stripped.

The link where I originally found the snippet is in the comments.

Jennifer

////////////////////////////////
// This loop removes "dangerous" characters from the posted data
// and puts backslashes in front of characters that might cause
// problems in the database.
// From: http://www.awtrey.com/support/dbeweb/php.php
// Strip tags and escapeshellcmd in Beginning book (pg. 486)
////////////////////////////////
// $HTTP_POST_VARS is the pre-PHP 4.1 name of $_POST (removed in PHP 5.4).
for (reset($HTTP_POST_VARS);
     $key = key($HTTP_POST_VARS);
     next($HTTP_POST_VARS)) {
    // $value was named $this in the original snippet; $this is reserved for
    // the current object and cannot be assigned to in PHP 5 and later.
    $value = addslashes($HTTP_POST_VARS[$key]);
    $value = strtr($value, ">", " ");
    $value = strtr($value, "<", " ");
    $value = strtr($value, "|", " ");
    $value = strip_tags($value);
    $value = escapeshellcmd($value);
    // Variable variable: stores the cleaned value in a global named after the
    // key (e.g. $name for $HTTP_POST_VARS['name']), not back into the array.
    $$key = $value;
}
Hilarion

2004-11-15, 3:57 pm


Hi

This code gets input from $HTTP_POST_VARS but puts output in corresponding
variables, e.g. takes from $HTTP_POST_VARS['some_var'] and puts in $some_var.
Better way to do this task is to use functions like mysql_escape_string or
mysql_real_escape_string (for MySQL, other databases usually have different
special chars, or they are escaped differently, and they may provide parameters,
which are better and safer than direct embedding data in SQL statements) and
htmlspecialchars (I suggest using this when displaying user provided data, not when
storing it).

Hilarion
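As an added illustration of the advice in the reply above (this is not code from the thread or from the linked page): the posted values are stored unchanged by passing them to the database as query parameters, and they are encoded with htmlspecialchars only at the moment they are displayed. The example assumes PHP 7 or later with the PDO SQLite driver so that it runs without a MySQL server; the `comments` table, its column names and the posted values are constructed for the demonstration.

```php
<?php
// Added example, not part of the original thread. Assumes PHP 7+ with PDO
// and the sqlite driver; table/column names and input are made up for the demo.

// Constructed sample input standing in for $_POST (the modern name of
// $HTTP_POST_VARS). Both values are deliberately hostile.
$post = [
    'author' => "O'Brien <script>alert(1)</script>",
    'body'   => "Robert'); DROP TABLE comments;--",
];

// 1. Storage: hand the values to the database driver as parameters.
//    Nothing is stripped or rewritten, the text is stored exactly as typed,
//    and a quote inside it can never terminate the SQL string literal.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

$stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$stmt->execute([':author' => $post['author'], ':body' => $post['body']]);

// The injection attempt is just text in a row; the table is still there.
$count = $db->query('SELECT COUNT(*) FROM comments')->fetchColumn();
echo "rows stored: $count\n";

// 2. Display: encode for HTML when writing the page, not before storing.
//    ENT_QUOTES also encodes single quotes, so the result is safe inside
//    attribute values delimited with ' as well as with ".
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($db->query('SELECT author, body FROM comments') as $row) {
    echo '<p><b>' . h($row['author']) . '</b>: ' . h($row['body']) . "</p>\n";
}

// 3. For code that still builds SQL strings by hand, the MySQL-specific
//    escaping function is mysqli_real_escape_string (the mysql_* family was
//    removed in PHP 7). It needs an open connection, so it is shown here only
//    as a comment; other databases escape differently, which is why
//    parameters are the portable choice.
// $safe = mysqli_real_escape_string($mysqli, $post['body']);
// $sql  = "INSERT INTO comments (body) VALUES ('$safe')";
```

The two steps address different parsers: the parameter binding keeps the value out of the SQL grammar, and htmlspecialchars keeps it out of the HTML grammar. Encoding for HTML before storing, as the snippet in the question attempts, would corrupt the data for any consumer that is not a web page and would still leave the SQL problem open.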



Copyright 2008 codecomments.com