
Icy Phoenix


English Chit Chat - More Questions About Sanitizing?



mort [ Mon 24 Nov, 2014 11:48 ]
Post subject: More Questions About Sanitizing?
Hey fellas,

I'm sure I read somewhere that this abs((int) is deprecated

Code:
$userid = abs((int) $_POST['userid']);


Would this be its replacement?

Code:
$userid = intval($_POST['userid']);


And things like these, do they need to be protected?

flag ID is an int
The rest are either names or files?

Code:
$flagID = $row['flag_id'];

$flag_name = $row['flag_name'];
$flag_image = $row['flag_image'];

$template_name = $row['template_name'];
$style_name = $row['style_name'];


So what's the go - Do they all need to be done with intval( for integers and mysql_real_escape_string( for the names and files, or is something else more appropriate for the names and files?


Informpro [ Mon 24 Nov, 2014 12:55 ]
Post subject: Re: More Questions About Sanitizing?
If that's related to IP (or phpBB3), you should use request_var.

It uses the second argument's type to coerce the value. For example, `request_var('foo', 0)` will always return an integer, because "0" is an integer


mort [ Mon 24 Nov, 2014 22:30 ]
Post subject: Re: More Questions About Sanitizing?
Thank you my friend, but no, it's not for IP or phpBB - It's that games script that I've decided to go back to and clean it up some.


Informpro [ Mon 24 Nov, 2014 22:57 ]
Post subject: Re: More Questions About Sanitizing?
Alright, fair enough -- Then I think you should use some function like that anyway ;-).

With request_var:

Code:
$id = request_var('id', 0);


Without:

Code:
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;


It's just far cleaner throughout the code.
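The two one-liners above, worked into a fuller example. This is added code, not Icy Phoenix's or phpBB's own `request_var`: a helper of our own (named `request_var_demo`, with `coerce_scalar` as its worker) that follows the rule Informpro describes, the type of the default argument decides how the input is coerced, and a constructed request array stands in for `$_GET`/`$_POST` so it runs offline:

```php
<?php
// Added example, not from the thread: a request_var-style helper in which the
// default value's type decides how the raw request value is coerced.
// Assumptions: GET and POST are merged like a typical request helper would,
// strings have NUL bytes stripped, and all names here are our own.

function request_var_demo(string $name, $default, ?array $source = null)
{
    if ($source === null) {
        $source = array_merge($_GET, $_POST);
    }
    // Absent key: the caller gets exactly the default it asked for.
    if (!isset($source[$name])) {
        return $default;
    }
    $value = $source[$name];

    // An array is only accepted when an array default was given; every element
    // is coerced to the type of the first default element.
    if (is_array($default)) {
        if (!is_array($value) || $default === []) {
            return $default;
        }
        $elementDefault = reset($default);
        $out = [];
        foreach ($value as $element) {
            $out[] = coerce_scalar($element, $elementDefault);
        }
        return $out;
    }
    // Scalar expected but an array was submitted: ignore the input entirely.
    if (is_array($value)) {
        return $default;
    }
    return coerce_scalar($value, $default);
}

function coerce_scalar($value, $default)
{
    switch (gettype($default)) {
        case 'integer':
            return (int) $value;      // PHP cast: leading digits kept, junk becomes 0
        case 'double':
            return (float) $value;
        case 'boolean':
            return (bool) $value;     // PHP cast: "0" and "" are false
        case 'string':
        default:
            // Strip NUL bytes and surrounding whitespace; HTML escaping is an
            // output concern and is deliberately not done here.
            return trim(str_replace("\0", '', (string) $value));
    }
}

// Constructed request data standing in for $_GET / $_POST.
$fake = [
    'id'   => '42abc',
    'name' => " Mort\0 ",
    'page' => ['3', 'x'],
    'flag' => '0',
];

var_dump(request_var_demo('id', 0, $fake));        // int default
var_dump(request_var_demo('id', '', $fake));       // string default, same input
var_dump(request_var_demo('missing', 0, $fake));   // absent key
var_dump(request_var_demo('name', '', $fake));     // NUL byte and padding removed
var_dump(request_var_demo('page', [0], $fake));    // array of ints
var_dump(request_var_demo('page', 0, $fake));      // array given, int expected
var_dump(request_var_demo('flag', true, $fake));   // bool default
```

The point of the default-typed design is the one Informpro makes: every read site states the type it wants in a single call, so `$id` can never be a string by accident, and the `isset(...) ? intval(...) : 0` pattern does not have to be repeated (and occasionally forgotten) on every page.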


mort [ Tue 25 Nov, 2014 00:46 ]
Post subject: Re: More Questions About Sanitizing?
Thank you my friend

The request_var didn't work (undefined) but the other one works a treat - And now I've got enough to keep me busy for a few days.

And just so that I can complete each page without going back over them, I have but one last question (For Now)

Would it be wise to at least add mysql_real_escape_string( or something else to these vars?

Code:
$flagID = $row['flag_id'];

$flag_name = $row['flag_name'];
$flag_image = $row['flag_image'];

$template_name = $row['template_name'];
$style_name = $row['style_name'];


Informpro [ Tue 25 Nov, 2014 10:10 ]
Post subject: Re: More Questions About Sanitizing?
Right – `request_var` isn't a php function, but you should be able to "steal it" easily.

For your last question, no, I don't think it's wise to mysql_real_escape_string here. I think you should only use that function when you're inserting stuff in the DB.

(and BTW, I'd probably use a function "on top of" `mysql_real_escape_string`, like IP has `$db->sql_escape()`, so that if you need to change the database later it'll be easy. You might want to look into php's PDO)
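A worked version of the advice in this reply: values read out of `$row` are left alone, the integer id from the request is sanitised once and bound as a parameter, and the only place a value ever meets SQL text is on the write side. This is added example code, not the games script's or Icy Phoenix's own `$db->sql_escape()`; it assumes a `flags` table with the column names from the thread and uses an in-memory SQLite database through PDO so it runs offline (the `pdo_sqlite` extension is assumed present). The output lines use `htmlspecialchars`, which the thread does not mention, to make the point that escaping belongs to the context where the value is used:

```php
<?php
// Added example: PDO prepared statements for the flag lookup from the thread.
// Assumptions: table `flags` (flag_id, flag_name, flag_image), SQLite in memory,
// helper names are ours.

function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE flags (flag_id INTEGER PRIMARY KEY, flag_name TEXT, flag_image TEXT)');
    // Constructed rows; the apostrophe in the first name is the reason escaping
    // on read would corrupt the data instead of protecting anything.
    $ins = $pdo->prepare('INSERT INTO flags (flag_id, flag_name, flag_image) VALUES (?, ?, ?)');
    $ins->execute([1, "Côte d'Ivoire", 'civ.png']);
    $ins->execute([2, 'Australia', 'aus.png']);
    return $pdo;
}

// Read side: the id is already an int and is bound, never concatenated.
function load_flag(PDO $pdo, int $flagID): ?array
{
    $stmt = $pdo->prepare('SELECT flag_id, flag_name, flag_image FROM flags WHERE flag_id = :id');
    $stmt->bindValue(':id', $flagID, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Write side: the name goes back through a bound parameter, so no
// mysql_real_escape_string-style call is needed at all.
function rename_flag(PDO $pdo, int $flagID, string $newName): int
{
    $stmt = $pdo->prepare('UPDATE flags SET flag_name = :name WHERE flag_id = :id');
    $stmt->bindValue(':name', $newName, PDO::PARAM_STR);
    $stmt->bindValue(':id', $flagID, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// The sql_escape()-style wrapper Informpro mentions, expressed on top of PDO:
// only for the rare case where a value must be spliced into SQL text.
// PDO::quote() escapes and adds the surrounding quotes for the driver in use.
function sql_escape_wrapper(PDO $pdo, string $value): string
{
    return $pdo->quote($value);
}

$pdo = open_demo_db();

// Sanitise once, at the request boundary (the isset/intval pattern from the thread).
$flagID = isset($_GET['flag_id']) ? intval($_GET['flag_id']) : 1;

$row = load_flag($pdo, $flagID);
if ($row !== null) {
    // The DB values are used as read; escaping happens for the HTML context only.
    echo 'Flag: ' . htmlspecialchars($row['flag_name'], ENT_QUOTES, 'UTF-8') . "\n";
    echo 'Image: ' . htmlspecialchars($row['flag_image'], ENT_QUOTES, 'UTF-8') . "\n";
}

rename_flag($pdo, 1, 'Ivory Coast');

// Legacy-style query built from text, shown only to contrast with the bound version.
$legacySql = 'SELECT flag_id FROM flags WHERE flag_name = ' . sql_escape_wrapper($pdo, "Côte d'Ivoire");
echo $legacySql . "\n";
```

Moving to PDO one step at a time, as mort wants to, is mostly a matter of replacing each concatenated query with a `prepare`/`bindValue`/`execute` triple; the `sql_escape_wrapper` above is the bridge for any query that cannot be converted yet, and it is the only function in the file that should ever see a value headed for SQL text.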


mort [ Wed 26 Nov, 2014 02:31 ]
Post subject: Re: More Questions About Sanitizing?
Quote:
but you should be able to "steal it" easily.


HAHAHA! "Steal?" Finding it would be something else! I'd have to load ALL the function files with notepad++ to have any chance.

But this -> `$db->sql_escape()`, I need to have a look at because I'd like to go to PDO and anything I can do a step at a time to get this mess modernised - I'll do it.

And thanks for your help too!

Because I'm in the position where I'm too old to be reading about everything that I want to do, although I DO read a lot before I ask any questions, but it takes so long to find the right info when someone like your self jumps onto it straight away.

Let's face it - I'm too bloody old to make a future out of knowing everything about php.

So I just need the bits that I'm stuck on.

Tell you what I don't want to do though - And that's add stuff that is at the moment strictly used by phpBB - I just want to stick with the stuff that's in general use.
