Back to Basics: Scrubbing POSTs in PHP

Sunday, April 20, 2008, 1:39 AM
Code by John

Post values are writable, in addition to being readable. I've noticed a lot of code that seems to forget that you can scrub and then dump data into the POST values. Consider the following:

foreach ($_POST as $key=>$value){
$_POST[$key]=htmlentities($_POST[$key]);
}

This code takes every POSTed variable and converts it using the PHP command 'htmlentities'.

More sexy code, huh? It's actually very handy, because this allows you, especially if you combine it with a few functions, to rapidly scrub all user input. I actually embed this type of code to scrub GETs and POSTs in my MySQL connection scripts that I use as includes at the beginning of all my PHP. That way, user POSTed variables are scrubbed automatically before even being pulled into a variable that might end up in the database.

Tools

Check Google PageRank

Recent articles

Welcome!

Wonder where to start with your web design business?

This blog follows along with my efforts to build and grow a website design business, Pro Content and Design.

The goal of this blog is to fill in blanks that may be empty as you get your business rolling.

This blog, particularly the source code section, is not intended for beginners. If you are not comfortable with databases, Ajax, DOM objects and other advanced methods, I strongly suggest you go take a look over at W3 Schools before even reading -- let alone tinkering with -- any of the code here.

I hope this blog has some value to web designers as they attempt to get their businesses going.

Good luck, and happy reading.

Thank you,
John Crawford
Pro Content and Design