bladewolf2010 (posted September 2, 2012)

I'm curious about doing security via a class function. Any ideas on it?

```php
<?php
class clean {
    function post($text) {
        // isset() returns a boolean, so from here on $text is true/false,
        // not the submitted string (this is what the replies below pick up on).
        $text = isset($text);
        // Escape for MySQL (the legacy mysql_* extension).
        $text = mysql_real_escape_string($text);
        // Encode HTML-special characters, including quotes.
        $text = htmlspecialchars($text, ENT_QUOTES);
        // Remove any remaining tags.
        $text = strip_tags($text);
        return ($text);
    }
}
?>
```
HauntedDawg (posted September 2, 2012)

Well, it depends how in depth you really want to go with your "clean"ing class. For just a general clean with one function like you demonstrated, making it an object is not really a smart idea. It is very useful if you want to do various cleans and checks on each and every string that gets passed in and passed out (remember to have an output function to remove those nasty </> tags and the \s).
Djkanna (posted September 2, 2012)

Well, it would make sense to do it, providing there wasn't only one single method within your class.
0xCuRL (posted September 3, 2012)

The class is currently doing nothing. You should remove isset, htmlspecialchars and strip_tags. A function like this would be much better, in my opinion.

```php
<?php
// $link is the open mysql connection resource (the post wrote "[Database Link]" here).
function escape($data, $link) {
    // SQL NULL must be emitted unquoted, not as the string "NULL" inside quotes.
    if (is_null($data)) return "NULL";
    // Booleans become 1/0 for MySQL.
    if (is_bool($data)) return $data ? 1 : 0;
    if (is_string($data)) {
        // A lot of shared hosts still have magic quotes enabled, which would
        // otherwise cause the value to be escaped twice.
        if (get_magic_quotes_gpc())
            $data = stripslashes($data);
        return mysql_real_escape_string($data, $link);
    }
    // Numbers and anything else are returned unchanged.
    return $data;
}
?>
```

You should only really escape data going into the database, then use htmlspecialchars/htmlentities on output; otherwise you're going to do it twice, once going into the database and again on output. Using htmlspecialchars/htmlentities on input to the database also means you're going to have a lot more characters in the database. You can use strip_tags, but then again your users are going to wonder what is going on.
a_bertrand (posted September 3, 2012)

Why bother with something like that instead of jumping on MySQLi and passing the values as arguments/parameters? You will not have any security issues anymore for your SQL. Seems a much smarter idea to me.
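The point made in the last two replies, escaping for the destination rather than "cleaning" on input and passing SQL values as bound parameters, as an added example that is not code from the thread. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; with a MySQL DSN the same bound-parameter code applies. The table, column names and the sample comment are constructed for the demonstration.

```php
<?php
// Added example: encode for the context the data is going into, not on input.
// PDO with sqlite::memory: is used here so the script runs stand-alone; swap the
// DSN for "mysql:host=...;dbname=..." and the binding code is unchanged.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input containing both an SQL-special character (the quote)
// and HTML-special characters (the tag).
$author = "O'Brien";
$body   = "<b>hi</b>, it's me";

// 1. SQL context: the values are bound as parameters, so they never become part
//    of the SQL text and no escaping of quotes is needed.
$insert = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$insert->execute([':author' => $author, ':body' => $body]);

// 2. The database holds exactly what the user typed; nothing was mangled on the
//    way in, so the same row can later be sent to a non-HTML context (JSON, a
//    mail, a CSV export) without undoing an HTML encoding first.
$row = $db->query('SELECT author, body FROM comments')->fetch(PDO::FETCH_ASSOC);
assert($row['body'] === $body);

// 3. HTML context: encode at the point of output, once, for this output only.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
echo '<p><strong>' . h($row['author']) . '</strong>: ' . h($row['body']) . "</p>\n";

// Contrast with the first post's class: running htmlspecialchars() on input would
// have stored "&lt;b&gt;hi&lt;/b&gt;" in the table, and any output path that also
// encodes (as it should) would then show the literal "&amp;lt;b&amp;gt;" to users.
```

The separation is what makes the two replies consistent with each other: the SQL layer is protected by parameter binding regardless of content, and the HTML layer is protected by encoding exactly once at render time, so the stored data stays reusable.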