CrackFeed.Com
Account Closed
Ok this is a common function for cleaning user posted data. I have seen many people's code here, and data cleaning seems to not be getting done.
For data being inserted into SQL, call this after a mysql connection is opened:
PHP:
if (!function_exists('clean')) {
    function clean($value) {
        // I clean the string up when my function is called.
        // Each blacklisted substring is replaced (case-sensitively) with '_'.
        $search = array('javascript:',
                        'document.location',
                        'vbscript:',
                        '?php');
        $value = str_replace($search, '_', $value);
        // Needs an open mysql_* connection; the ext/mysql extension this
        // relies on was removed in PHP 7.0.
        $value = mysql_real_escape_string(strip_tags(trim($value)));
        return $value;
    }
}
if (!function_exists('vdata')) {
    function vdata($value) {
        // Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc()
        // itself in PHP 8.0; on older versions this undoes the automatic
        // escaping so the value is not escaped twice below.
        if (get_magic_quotes_gpc()) {
            //if the dope has magic quotes on, strip them
            $value = stripslashes($value);
        }
        // Numbers pass through untouched unless they start with '0'.
        if (!is_numeric($value) || $value[0] == '0') {
            // now do the cleaning
            $value = clean($value);
        }
        return $value;
    }
}
If not being inserted into MySQL:
PHP:
if (!function_exists('cleanLite')) {
    function cleanLite($value) {
        // I clean the string up when my function is called.
        // Same blacklist as clean(), but the result is HTML-encoded
        // instead of SQL-escaped.
        $search = array('javascript:',
                        'document.location',
                        'vbscript:',
                        '?php');
        $value = str_replace($search, '_', $value);
        $value = htmlspecialchars(strip_tags(trim($value)));
        return $value;
    }
}
if (!function_exists('vdataLite')) {
    function vdataLite($value) {
        // get_magic_quotes_gpc() was removed in PHP 8.0 (magic quotes in 5.4).
        if (get_magic_quotes_gpc()) {
            //If the dope has magic quotes on, strip them
            //Not inserting into sql, but still cleaning the backslashes
            $value = stripslashes($value);
        }
        if (!is_numeric($value) || $value[0] == '0') {
            // now do the cleaning
            $value = cleanLite($value);
        }
        return $value;
    }
}
This has worked for me for a loooooong time. There are many other things you can do, but I wanted to keep this simple. I consider these examples to be the BARE MINIMUM of what you should be using.
To properly call:
PHP:
// SQL-escaped (for a MySQL insert):
$username = vdata($_POST['username']);
// or HTML-encoded (for output on a page):
$username = vdataLite($_POST['username']);
Use this on cookies, sessions, GET and POST.
*As seen in php arcade, I jumped on their butts and told them to start validating data and now they use this too.
Oh btw, to those using it.... addslashes() = worthless. Do NOT trust it.
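Editor's added example, not the poster's code: the same two sinks the post targets (a database INSERT and HTML output) handled at each sink instead of by a blacklist at input time. A bound parameter keeps the value out of the SQL text entirely, so no escaping function (mysql_real_escape_string() or addslashes()) is involved, and HTML encoding is applied with ENT_QUOTES at output time so single-quoted attributes are covered too. Fields with a fixed shape (a username) are validated against an allow-list and rejected rather than rewritten; free text (a post body) is stored exactly as typed. The `posts` table, the sample submissions and the use of an in-memory SQLite database through PDO (so it runs offline; a `mysql:` DSN works the same way) are all assumptions for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Assumptions: a `posts` table
// created below, constructed sample submissions, and an in-memory SQLite
// database via PDO so the script runs offline. For MySQL swap the DSN for
// e.g. 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4' (assumed values).

// Validate, don't "clean": a username has a fixed shape, so reject anything
// else instead of rewriting it into something the user never typed.
function validateUsername(string $raw): string
{
    if (!preg_match('/\A[A-Za-z0-9_.]{3,32}\z/', $raw)) {
        throw new InvalidArgumentException('username: only 3-32 of [A-Za-z0-9_.]');
    }
    return $raw;
}

// Free text is stored verbatim, bounded in length. Quotes, angle brackets and
// the string "javascript:" are legitimate content; what makes them dangerous
// is the sink, so that is where they are handled.
function validateBody(string $raw): string
{
    if (strlen($raw) > 4000) {
        throw new InvalidArgumentException('body: too long');
    }
    return $raw;
}

// SQL sink: the value travels as a bound parameter, never as part of the
// query text, so a forgotten or mismatched quote cannot reintroduce injection.
function insertPost(PDO $db, string $username, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (username, body) VALUES (:username, :body)');
    $stmt->execute([':username' => $username, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// HTML sink: encode for the HTML text/attribute context at output time.
// ENT_QUOTES also encodes single quotes (safe inside '...' attributes);
// before PHP 8.1 the default flags left them alone.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render every stored post; user data only ever reaches the page through h().
function render(PDO $db): string
{
    $out = '';
    foreach ($db->query('SELECT id, username, body FROM posts ORDER BY id') as $row) {
        $out .= sprintf(
            "<div class='post' data-user='%s'><b>%s</b>: %s</div>\n",
            h($row['username']), h($row['username']), h($row['body'])
        );
    }
    return $out;
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, username TEXT NOT NULL, body TEXT NOT NULL)');

// Constructed sample submissions, shaped like $_POST would carry them.
$submissions = [
    ['username' => 'alice',            'body' => "it's 5 < 6 && \"quoted\""],
    ['username' => "admin' OR '1'='1", 'body' => 'x'],                        // fails the allow-list
    ['username' => 'bob',              'body' => "x' onmouseover='alert(1)"],    // stored as typed, encoded on output
    ['username' => 'carol',            'body' => 'JavaScript:alert(1) <script>alert(1)</script>'],
];

foreach ($submissions as $s) {
    try {
        $id = insertPost($db, validateUsername($s['username']), validateBody($s['body']));
        echo "stored post #$id\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}

// Round trip: what was stored is exactly what was typed, and the emitted HTML
// carries no unencoded quote or angle bracket that came from user data.
$count = (int) $db->query('SELECT COUNT(*) FROM posts')->fetchColumn();
echo "rows: $count\n";
echo render($db);
```

Run it with `php example.php` (needs the pdo_sqlite extension, bundled with most PHP builds). The injection-looking username never reaches the database because it fails validation, and the two bodies that carry quotes and tags are stored unchanged and come back out as `&#039;`, `&lt;` and `&gt;`, which is the property the blacklist approach cannot give you: the data is intact, and the protection lives at the place where the data is interpreted.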