1

Possible Duplicate:
What are the best PHP input sanitizing functions?

A while back I found this snippet, which I thought was great, in someone's code to filter POST and GET data against injections.

function filter($data) { //Filters data against security risks.
    $data = trim(htmlentities(strip_tags($data)));
    if(get_magic_quotes_gpc()) $data = stripslashes($data);
    $data = mysql_real_escape_string($data);
    return $data;
}
foreach($_GET as $key => $value) $filterGet[$key] = filter($value);
foreach($_POST as $key => $value) $filterPost[$key] = filter($value);

And I've been using it ever since. But today, while sending an array through ajax I got tons of errors. Most of them say strip_tags() expects parameter 1 to be string, array given in...

What is the best way to filter data? All this data is going to a database. But what about cases where it isn't going to a database?

Tyler Hughes
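As an added example (not code from the question or from any of the answers), here is the approach a security reviewer would recommend for both questions asked above: validate and normalise once at the input boundary, recursing into arrays, then escape per sink only at output time (bound parameters for the database, htmlspecialchars for HTML). It assumes PHP 7.4+ with pdo_sqlite and mbstring available, a hypothetical comments table created inline, and a constructed $_POST payload.

```php
<?php
// Step 1: normalise and validate at the input boundary, recursing into arrays
// (the nested-array case that broke the original filter()). No HTML or SQL
// escaping here: the right escaping depends on the sink, which is unknown yet.
function clean_input($data, int $depth = 0)
{
    if ($depth > 8) {                        // refuse absurdly nested payloads
        throw new InvalidArgumentException('input nested too deeply');
    }
    if (is_array($data)) {
        $out = [];
        foreach ($data as $key => $value) {
            $out[$key] = clean_input($value, $depth + 1);
        }
        return $out;
    }
    if (!is_string($data)) {
        throw new InvalidArgumentException('expected string or array');
    }
    $data = trim($data);
    if (!mb_check_encoding($data, 'UTF-8')) { // reject, don't "repair", bad bytes
        throw new InvalidArgumentException('invalid UTF-8');
    }
    return $data;
}
// Step 2a: database sink. Values are bound parameters, never spliced into the
// SQL text, so neither mysql_real_escape_string() nor magic_quotes matter.
function store_comment(PDO $db, array $input): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $input['author'], ':body' => $input['body']]);
}
// Step 2b: HTML sink. Escape at output time, for this context only; the
// database keeps the raw text, so the same value can go to JSON, mail, etc.
function render_comment(array $input): string
{
    $e = fn(string $s) => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><b>' . $e($input['author']) . '</b>: ' . $e($input['body']) . '</p>';
}
// Constructed request, including a nested array like the one from the ajax call.
$_POST = ['author' => ' <b>eve</b> ', 'body' => "it's fine", 'tags' => ['a', ['b']]];
$clean = clean_input($_POST);
$db = new PDO('sqlite::memory:');             // hypothetical table, created inline
$db->exec('CREATE TABLE comments (author TEXT, body TEXT)');
store_comment($db, $clean);
echo render_comment($clean), "\n";
```

Because nothing is escaped on the way in, the stored value is usable unchanged in any other context, and the array case is handled by recursion rather than by a function that only accepts strings.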

5 Answers

3

Here is the function you need:

function filter($data) { //Filters data against security risks.
    if (is_array($data)) {
        foreach ($data as $key => $element) {
            $data[$key] = filter($element);
        }
    } else {
        $data = trim(htmlentities(strip_tags($data)));
        if(get_magic_quotes_gpc()) $data = stripslashes($data);
        $data = mysql_real_escape_string($data);
    }
    return $data;
}
Carlos
1

As is clear from the error message, this is happening for cases where an array is passed via GET/POST. You can parse each value of the array for such cases.

foreach($_GET as $key => $value){
   if(is_array($value)){
       foreach($value as $val){
           $filterGet[$key][] = filter($val);
       }
   }
   else{
         $filterGet[$key] = filter($value);
   }
}
Karan Punamiya
0

What you should do is first check to see if $data is the correct format that you need it to be in. What you describe is that an array was passed into the $data parameter of your function, and PHP needs you to break it down into a string. Some extra logic is needed such as:

function filter($data) {
    if(is_array($data)) {
        foreach($data as $key => $value) {
            // recurse so nested arrays are filtered element by element
            $data[$key] = filter($value);
        }
    } else {
        // the string case, as in the original snippet
        $data = trim(htmlentities(strip_tags($data)));
        if(get_magic_quotes_gpc()) $data = stripslashes($data);
        $data = mysql_real_escape_string($data);
    }
    return $data;
}
MLK.DEV
0

You should check if the input is an array. If so, loop over it and strip tags from every array member; if not, just strip tags from the input.

Glorious Kale
0

You can use array_walk:

<?php
function wsafe(&$value,$key)
{
    // array_walk passes the element by reference, so the filtered value must be
    // assigned back; a return value from the callback is discarded by array_walk
    $value = safe($value);
}
function safe($value)
{
    if(is_array($value))
    {
        // build a fresh array so that filtering a key does not leave the
        // original, unfiltered key behind in the array being iterated
        $clean = array();
        foreach($value as $key=>$val)
        {
            $clean[safe($key)] = safe($val);
        }
        return $clean;
    }
    $value = trim(htmlentities(strip_tags($value)));
    if(get_magic_quotes_gpc()) $value = stripslashes($value);
    $value = mysql_real_escape_string($value);
    return $value; // without this return, safe() filtered nothing
}
array_walk($_POST,'wsafe');
array_walk($_GET,'wsafe');
Shahrokhian