–Simon

So this makes your code independent of the specific database, like when you want to switch from MySQL to PostgreSQL (which would be wise IMO

There is also a PDO::prepare() method that might be considered in this context.

I agree with you there (which is why I have that clean_int function described above – I also have an uncomfortable feeling about relying on quote_smart to do the quoting of string fields for me).

The programmer MUST know what the value is before s/he sends it off to the database, and what s/he’s trying to store. As a programmer, it’s a really good idea to think very carefully about what data you are likely to get entered, and what you’ll do if it’s not alright, and most importantly, how can you deal with this situation gracefully.

–Simon

I would instead have one to clean strings (clean_string( $value, $DB );) and a second one that handles integer based data. Use them when and where you need them.

Programmers should be careful and precise.

But, we need more articles that are thorough in the examples, well done.

–Simon

The htmlEntities strips all of the html content from the post and turns it into SAFE html codes. Users can try and post if they want, but when sent to the database, it is converted to <font color "e;blah"e;&gt and when printed from a database it would show as if they were simply characters instead of them trying to become html tags.

I find this a very effective way to eliminate attacks such as javascript or php hacks which would have to use

[php]
//You must already have an open mysql connection
//for this to work

mysql_connect(“localhost”,”user”,”pass”);
mysql_select_db(“database”);

// Quote variable to make safe
function quote_smart($value){
// Stripslashes
if ( get_magic_quotes_gpc() ){
$value = stripslashes( $value );
}
// Quote if not a number or a numeric string

/* I edited this area because I didn’t want this
function to automatically place single quotes for
me since I have done a lot of queries and I would have
to re do them all.
Replace with:
if(!is_numeric($value){
$value = “‘”.mysql_real_escape_string($value).”‘”;
}
if you prefer it.
*/
$value = mysql_real_escape_string($value);
return $value;
}

//Capture all of the post variables, and run their values
//through the function. I pased it through htmlentities too
//To stop people from posting html into you db. Remove if you wish.
if ($_POST) {
foreach (array_keys($_POST) as $var) {
${$var} = htmlentities(quote_smart(${$var}));
}
}
//Capture all of the post variables, and run their values
//through the function. I pased it through htmlentities too
//To stop people from posting html into you db. Remove if you wish.
if ($_GET) {
foreach (array_keys($_GET) as $var) {
${$var} = htmlentities(quote_smart(${$var}));
}
}
//Say you posted $inputField = “G’day folks!”
//it will automatically come out “G\’day folks!”
//No need to update any of your queries!
//Just include this file in a header on all
//the pages you want to protect
//Enjoy.
[/php]

Personally I wouldn’t store html-entity’ed data in the database, but have that as a last action before it’s displayed to the user (what if you don’t want html? what if there are other routes into your database?). But, your mileage may vary

–Simon

http://olar.getkilled.net/test2.txt

If I knew how your system here worked I would re post Perhaps you could do it for me on your site if my script seems sound