I just stumbled on this neat bit of code to filter $_POST data quickly:

$post=array_map("filter_data",$_POST);

I've updated it to the new version (after PHP 5.2) and I've got

$post=array_map("filter_var",$_POST,array(516));  // 516 == 'unsafe_raw'

Now I'm paranoid; this seems too easy. So

  • Should I not do this for all post data? (shifty nervous eyes)
  • Is unsafe_raw the correct filter for generic post, get, or cookie data?

I should add I'm just trying for a general sanitizer, mainly to remove SQL injections. If I have an email address or something I can filter again later. Any ideas / suggestions / horrified stares?

1 Answer

To avoid SQL injection, always use the appropriate functions for your database just before plugging the value into the query string, e.g. mysql_real_escape_string. A general filter not specific to your database doesn't guarantee anything and will probably only filter too much.

For anything else, like email validation, use the specific filter on the specific variable that holds the email address.

Also, use the constant FILTER_UNSAFE_RAW, not its numeric value.
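As an added example (not code from the question, the answer or the commenter), here is the advice above in PHP: the generic FILTER_UNSAFE_RAW pass from the question leaves a quote-bearing value untouched, the email field gets its own FILTER_VALIDATE_EMAIL check, and the query binds the value through a PDO prepared statement (used here instead of mysql_real_escape_string, which no longer exists in PHP 7+). It assumes the pdo_sqlite extension; the users table and the request value are constructed.

```php
<?php
// Added example, not from the question or answer. Assumes the pdo_sqlite
// extension; the users table and the request value are constructed.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
    $db->exec("INSERT INTO users (email) VALUES ('alice@example.com'), ('bob@example.com')");
    return $db;
}

// The "generic sanitizer" from the question: FILTER_UNSAFE_RAW performs no
// escaping, so a value containing a quote reaches the query unchanged and
// string concatenation lets it rewrite the WHERE clause.
function countByEmailConcat(PDO $db, string $input): int {
    $raw = filter_var($input, FILTER_UNSAFE_RAW);
    $sql = "SELECT COUNT(*) FROM users WHERE email = '$raw'";
    return (int) $db->query($sql)->fetchColumn();
}

// What the answer recommends for SQL: let the database driver keep data apart
// from SQL. The bound value is compared as a literal string, quotes and all,
// so the same input matches no row instead of every row.
function countByEmailBound(PDO $db, string $input): int {
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE email = :email');
    $stmt->execute([':email' => $input]);
    return (int) $stmt->fetchColumn();
}

// What the answer recommends for the field itself: the specific filter on the
// specific variable. Returns the normalised address, or false if it is not one.
function validateEmail(string $input) {
    return filter_var($input, FILTER_VALIDATE_EMAIL);
}

$db = makeDb();
$post = ['email' => "x' OR '1'='1"];  // constructed, stands in for $_POST['email']

// Concatenation: the clause becomes  email = 'x' OR '1'='1'  and every user matches.
echo 'concatenated: ', countByEmailConcat($db, $post['email']), "\n";
// Bound parameter: no user has that literal address, so nothing matches.
echo 'bound:        ', countByEmailBound($db, $post['email']), "\n";
// Field validation: the payload is not an email address, so it is rejected
// before any query is built; a real address passes through unchanged.
var_dump(validateEmail($post['email']));
var_dump(validateEmail('alice@example.com'));
echo 'bound, valid: ', countByEmailBound($db, 'alice@example.com'), "\n";
```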

2 Comments

OK. I've got an adodb layer that does the filtering at the class level. Thanks for the tips.
(For those of you reading this later, I've moved past adodb, and now strongly recommend PHP's PDO tools, which do the same, but are built in to PHP.)
