
When I give a form value to this function, it always returns an empty string.

<?php
function safeinput($data)
{
    $data = trim($data);                      // drop surrounding whitespace
    $data = stripslashes($data);              // undo magic_quotes-style escaping
    $data = htmlspecialchars($data);          // encode <, >, & and " as HTML entities
    // Requires an open mysql_* connection; the mysql_* extension is deprecated.
    $data = mysql_real_escape_string($data);
    return $data;
}
?>

Is there another way to secure inputs? Note: the operations are done under Joomla.

Gumbo
user2102266
  • Did you connect to a database before you called `mysql_real_escape_string`? – Musa Mar 15 '14 at 02:34
  • You need to pass a connection to the function and pass it to `mysql_real_escape_string`. The resource is out of scope, even if you have one open. – Bryan Mar 15 '14 at 02:36
  • It would be better to use a database class. – Popnoodles Mar 15 '14 at 02:37
  • Duplicate of http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php – Your Common Sense Mar 15 '14 at 05:28
  • Why are you using `mysql_real_escape_string` when you have a perfectly good API to help you? You do also realise `mysql_*` is deprecated. – Lodder Mar 15 '14 at 10:14
  • @Lodder is totally right, why in the world would you be doing any filtering like this inside Joomla? The point of using a framework is to use the framework. Even if you are not using JForm, use JFilterInput(). – Elin Mar 15 '14 at 12:36
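The failure the question describes comes from the escaping function having no connection to work with, as the comments point out. The following is an added example, not the asker's code: the same helper with the connection handed in explicitly, using `mysqli` because the `mysql_*` extension is deprecated. The connection credentials and the `users` table are placeholders.

```php
<?php
// Added example (not the asker's code). The database connection is passed in
// explicitly instead of relying on a global resource that is out of scope
// inside the function, which is the cause identified in the comments above.
// mysqli is used in place of the deprecated mysql_* extension.

function safeinput(mysqli $link, $data)
{
    $data = trim($data);
    $data = stripslashes($data);
    // HTML encoding belongs at output time; it is kept here only to mirror
    // the original helper. Note that it changes what gets stored in the DB.
    $data = htmlspecialchars($data, ENT_QUOTES, 'UTF-8');

    // The escaper needs a live connection to know the server's character set.
    // The mysql_* version silently returned false without one, which prints
    // as "" - the empty string seen in the question.
    return mysqli_real_escape_string($link, $data);
}

// Usage with placeholder credentials (constructed for this example).
$link = @mysqli_connect('localhost', 'db_user', 'db_password', 'db_name');
if (!$link) {
    // Fail loudly: an escaping helper must never run without a connection.
    die('Database connection failed: ' . mysqli_connect_error());
}

$name = safeinput($link, isset($_POST['name']) ? $_POST['name'] : '');
$sql  = "SELECT id FROM users WHERE name = '" . $name . "'";
```

The connection check before the first call is the point: a helper that keeps working on a dead handle produces an empty string rather than an error, so the caller never learns that the escaping step did nothing.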

1 Answer

The best way is to ensure you are limiting your input based on expected value types. You can refer to this:

docs.joomla.org/J1.5:Retrieving_and_Filtering_GET_and_POST_requests_with_JRequest::getVar

or

http://api.joomla.org/cms-2.5/classes/JRequest.html

Possible filters are:

  • INT
  • INTEGER
  • FLOAT
  • DOUBLE
  • BOOL
  • BOOLEAN
  • WORD
  • ALNUM
  • CMD
  • BASE64
  • STRING
  • ARRAY
  • PATH
  • USERNAME

Then you can escape the data using:

    $db = JFactory::getDbo();
    $escaped = $db->getEscaped($data);

http://api.joomla.org/cms-2.5/classes/JDatabase.html#method_getEscaped

Dedan Irungu
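The filtering and escaping steps the answer describes, put together in one Joomla 2.5 snippet. This is an added example, not the answerer's code or the Joomla project's own; it assumes the framework is bootstrapped so that `JRequest`, `JFilterInput` and `JFactory` are available, and the `sort` column and request field names are placeholders.

```php
<?php
// Added example (not from the answer or the Joomla project). Assumes a
// bootstrapped Joomla 2.5 environment; field and column names are placeholders.

// 1. Read request values through a type filter instead of raw $_POST.
//    JRequest::getVar($name, $default, $hash, $type): values that do not
//    match the filter are coerced or dropped.
$id       = JRequest::getVar('id', 0, 'post', 'INT');            // digits only
$username = JRequest::getVar('username', '', 'post', 'USERNAME');
$sort     = JRequest::getVar('sort', 'username', 'post', 'WORD');// letters/underscore
$comment  = JRequest::getVar('comment', '', 'post', 'STRING');   // HTML stripped
$flags    = JRequest::getVar('flags', array(), 'post', 'ARRAY');

// Shorthand accessors exist for the common filter types.
$page = JRequest::getInt('page', 1);

// 2. The same filters apply to any value through JFilterInput.
$filter   = JFilterInput::getInstance();
$cleanCmd = $filter->clean(isset($_POST['task']) ? $_POST['task'] : '', 'CMD');

// 3. Identifiers coming from the request are filtered, but still restrict
//    them to a known set before they reach ORDER BY.
$allowedSort = array('id', 'username');
if (!in_array($sort, $allowedSort, true)) {
    $sort = 'username';
}

// 4. Let the driver quote values and identifiers: quote() escapes and wraps
//    the value, quoteName() handles column and table names.
$db    = JFactory::getDbo();
$query = $db->getQuery(true)
    ->select($db->quoteName('id') . ', ' . $db->quoteName('username'))
    ->from($db->quoteName('#__users'))
    ->where($db->quoteName('username') . ' = ' . $db->quote($username))
    ->order($db->quoteName($sort) . ' ASC');

$db->setQuery($query);
$rows = $db->loadObjectList();

// getEscaped() from the answer is the escape-only step. Use it when you build
// the quoting yourself, e.g. a LIKE pattern where % and _ must be escaped too
// (second argument true) and quote() must not escape again (second argument false).
$pattern = $db->quote('%' . $db->getEscaped($comment, true) . '%', false);
```

Filtering and quoting serve different purposes: the `INT`/`WORD`/`USERNAME` filters constrain the shape of a value at the edge, while `quote()` and `getEscaped()` make whatever survives safe inside SQL text. The whitelist on `$sort` is there because `quoteName()` prevents injection but does not stop a request from naming a column you never meant to expose.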