
Possible Duplicate:
The ultimate clean/secure function

When it comes to sanitizing POST/GET data, could we just program a loop to go through all set variables in a universal PHP include file and never have to worry about it in code?

I have always done a function called sanitize to do this, but this seems to make sense.

  • There is no such thing as "sanitization". Once you do something you call "sanitization", you are doing something wrong and making your app vulnerable and/or unusable – Your Common Sense Dec 10 '11 at 22:49

2 Answers

You may be better off creating a function in your application that would do it when needed. Then you'll still have the original posted values in case you need them, and you can modify the function as needed based on what you're cleansing by passing it options. For example:

function getPostField($field, $default = null)
{
    // isset/empty checks first, so an absent field never reaches sanitize()
    if (!isset($_REQUEST[$field]) || $_REQUEST[$field] === '') {
        return $default;
    }
    // sanitize() is your own cleansing routine; pass it options per field as needed
    $val = sanitize($_REQUEST[$field]);
    return $val;
}
Aaron W.

Yes, of course. Some frameworks do this automatically and store the sanitized REQUEST variables in a different array or object, so the original data is still available should it ever be required.

Tak