3

I've been running and developing a classified site for the last 8 months now, and all the bugs were due to only one reason: how the users input their text...

My question is: is there a PHP class, a plugin, something that I can do

$str = UltimateClean($str) before sending $str to my SQL?

PS: I also noticed the problems doubled when I started using JSON, because I also have to be careful outputting the result in JSON.

Some issues I faced: multi-language strings (different charsets), copy-paste from Excel sheets.
Note: I am not worried about SQL injections.

Kzqai
Francesco
  • possible duplicate of [Is this a safe/strong input sanitization function?](http://stackoverflow.com/questions/3597412/is-this-a-safe-strong-input-sanitization-function) or [Is htmlentities() and mysql_real_escape_string() enough for cleaning user input in PHP?](http://stackoverflow.com/questions/4632663/is-htmlentities-and-mysql-real-escape-string-enough-for-cleaning-user-input) or any of the other [search results](http://stackoverflow.com/search?q=php%20general%20escaping%20function). Your JSON inquiry needs elaboration. – mario Oct 18 '11 at 17:00

1 Answer

14

No, there isn't.

Different modes of escaping are for different purposes. You cannot universally escape something.

For Databases: Use PDO with prepared queries

For HTML: Use htmlspecialchars()

For JSON: json_encode() handles this for you

For character sets: You should be using UTF-8 on your page. Do this, and set your databases accordingly, and watch those issues disappear.

Brad
  • perhaps also, consider a library like ckeditor etc. for text input. These can help handle the paste-from-word scenario, BUT it is client-side. – horatio Oct 18 '11 at 17:06
  • I think I said "help" and anyway, JSON implies client-side, and the OP suggests that user input is part of the issue. – horatio Oct 18 '11 at 17:10
  • 3
    +1 for "You cannot universally escape something". If you feel the need for "universal escaping", you're probably escaping your input too early, or reusing escaped data for a purpose that it wasn't meant for. –  Oct 18 '11 at 17:21
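The four rules in the accepted answer, worked through end to end in one script. This is an added example, not code from the question or the answer: the input string is constructed to contain the cases the question mentions (mixed scripts, quotes, a tab-separated Excel-style paste with CRLF), the database is an in-memory SQLite so the script runs offline (the MySQL DSN in the comment is an assumed placeholder), and the encoding check assumes the mbstring extension is loaded. The point it makes is the one from the last comment: nothing is escaped on the way in; each output context escapes for itself.

```php
<?php
declare(strict_types=1);

// Constructed sample input (not data from the original post): mixed scripts,
// both quote styles, HTML tags, and an Excel-style paste with tabs and CRLF.
$raw = "Zoë's <b>flat</b> in München\t\"Wohnung\"\r\nкв. №7, 1 000 € & 日本語";

// 1. Character set: validate once at the boundary. Everything below assumes
//    valid UTF-8; htmlspecialchars() and json_encode() both fail on bad bytes.
//    (mb_check_encoding needs the mbstring extension; assumed loaded.)
if (!mb_check_encoding($raw, 'UTF-8')) {
    http_response_code(400);
    exit('Request body must be UTF-8');
}
// The only normalisation that is safe for every context: line endings.
// Tabs from Excel are kept; they are data, and each output context handles them.
$body = preg_replace("/\r\n?/", "\n", $raw);

// 2. Database: bind parameters, never interpolate, and store the text verbatim.
//    SQLite in memory so this runs offline. For MySQL the DSN would look like
//    'mysql:host=HOST;dbname=DB;charset=utf8mb4' (assumed placeholder) so the
//    connection, not the application, settles the character set.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE ads (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO ads (body) VALUES (:body)');
$insert->execute([':body' => $body]);

$row = $pdo->query('SELECT id, body FROM ads')->fetch(PDO::FETCH_ASSOC);
assert($row['body'] === $body);   // round-trips byte for byte, no escaping applied

// 3. HTML: escape at output, for this context only. ENT_QUOTES covers attribute
//    values, ENT_SUBSTITUTE replaces any invalid sequence instead of returning ''.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
echo '<p data-title="' . html($row['body']) . '">' . html($row['body']) . "</p>\n";
// <p data-title="Zoë&apos;s &lt;b&gt;flat&lt;/b&gt; ..."> ... </p>

// 4. JSON: json_encode() does the escaping. JSON_THROW_ON_ERROR turns a bad
//    input into an exception instead of a silent `false`; the JSON_HEX_* flags
//    make the same string safe to drop into an inline <script> block, not only
//    an application/json response.
$json = json_encode(
    ['id' => $row['id'], 'body' => $row['body']],
    JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE
    | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
);
echo $json, "\n";
// {"id":1,"body":"Zo\u00eb\u0027s \u003Cb\u003Eflat\u003C\/b\u003E ..."}  (Zoë kept literal by JSON_UNESCAPED_UNICODE; shown as \u escapes only for the HEX-flagged characters)

// Decoding on the way back in goes through the same strict path.
$decoded = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
assert($decoded['body'] === $row['body']);
```

The script never produces a single "cleaned" string: `$body` in the database is exactly what the user typed (line endings aside), the HTML page gets `html()`, the API gets `json_encode()`. If you find yourself wanting to store the escaped form, you are about to reuse it in a context it was not escaped for.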