Class Securing

[bladewolf2010]

I'm curious about doing security via class function. Any idea's on it?

<?php

class clean

{

function post($text)

{

$text = isset($text);

$text = mysql_real_escape_string($text);

$text = htmlspecialchars($text, ENT_QUOTES);

$text = strip_tags($text);

return ($text);

}

}

?>

[HauntedDawg]

Well, it depends how in depth you really want to go with your "Clean"ing class.

For just a general clean one function like you demonstrated. Then making it an objective is not really a smart idea.

Very useful if you want to do various cleans and checks on each and every string that get's passed through and passed out (remember to have an output function to remove those nasty </> tags and the \s).

[Djkanna]

Well it would make sense to do it, providing there wasn't only one single method within your class.

[0xCuRL]

The class is currently doing nothing.

You should remove isset, htmlspecialchars and strip_tags.

A function like this would be much better, in my opinion.

 

function escape( $data ) {
if (is_null($data))
	return "NULL";

if (is_bool($data))
	return $data ? 1 : 0;

if (is_string($data))
{
	if (get_magic_quotes_gpc()) // alot of shared hosts still have magic quotes enabled.
		$data = stripslashes($data);

	return mysql_real_escape_string($data, [Database Link]);
}

return $data;
}

 

You should only really escape data going into the database, then use htmlspecialchars/htmlentities on output otherwise your going to-do it twice once going into the database and again on output. Which means using htmlspecialchars/htmlentities on input to the database, your going to have a lot more characters in the database. You can use strip_tags, but then again your users are going to wonder what is going on.

[a_bertrand]

Why bother with something like that instead of jumping on MySQLi and pass the values as arguments / parameters. You will not have any security issues anymore for your SQL. Seems a much smarter idea to me.