Quote (Lilfade_LOR_CF @ 17 Feb 2010 20:13)
All I was saying was that, the way you put it, all you have to do is mess with the unvalidated $_POST and expose your site, e.g. the $password var that's in the same file. As any web designer knows, you should always validate; why would you ever trust the user? Hell, I think that's the best part of building websites: thinking of ways to keep it all secure. But when a newer person asks for help, why should you not explain the answer and add the fact about security? (And on a side note, only like 1 out of 100 people has any grammar skills on the internet.)
You are missing the part where it said "as simple as possible". Your entire argument is more complexity, which removes the "as simple" statement.
I do agree attacks are always possible but save form validation for another day.
Code
    <?php
    // Run cleanText() over every scalar value in $_POST and $_GET in place.
    // Nested arrays (e.g. name="items[]") are skipped, so they stay unescaped.
    if (isset($_POST))
    {
        foreach ($_POST as $key => $value)
        {
            if (!is_array($_POST[$key]))
            {
                $_POST[$key] = cleanText($_POST[$key]);
            }
        }
    }
    if (isset($_GET))
    {
        foreach ($_GET as $key => $value)
        {
            if (!is_array($_GET[$key]))
            {
                $_GET[$key] = cleanText($_GET[$key]);
            }
        }
    }

    // Applies exactly one transformation, chosen by the magic_quotes_gpc setting:
    //  - magic quotes off: SQL-escape the value (backslash before quotes etc.).
    //    mysql_escape_string() is charset-unaware and deprecated since PHP 5.3
    //    in favour of mysql_real_escape_string(), which needs an open connection.
    //  - magic quotes on: PHP has already added slashes, so only HTML-escape it.
    // Note that the value is never both SQL-escaped and HTML-escaped.
    function cleanText($string)
    {
        if (!get_magic_quotes_gpc())
        {
            return mysql_escape_string($string);
        }
        // The is_array() check is redundant here (the callers above already
        // skip arrays) but keeps the function safe if called directly.
        $string = (!is_array($string)) ? htmlspecialchars($string) : $string;
        return $string;
    }
Now you can stop bickering and use my cleaning function above.
This post was edited by Bricegould on Feb 17 2010 11:34pm
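The function in the post above escapes every incoming value once, for either the SQL context or the HTML context depending on a server setting, and then trusts that "cleaned" value everywhere. The alternative that the quoted reply is arguing for is to handle the three concerns separately: validate input against what the form expects, keep data out of SQL with a prepared statement, and HTML-escape at the moment of output. The script below is an added example written for this thread, not code from either poster. It assumes PHP 7.4 or later with the PDO SQLite driver; the `users` table, the `checkLogin`/`findUser`/`validateLogin` helpers and the sample requests are all constructed here so it runs offline with no real web server or MySQL.

```php
<?php
// Added example (not from the thread): one login-style form handled in three
// separate steps, each dealing with exactly one context.
// Assumes PHP 7.4+ with PDO SQLite; table and requests are constructed below.
declare(strict_types=1);

// 1. Validate: reject input that does not match the form's contract instead of
//    "cleaning" it into something the rest of the code did not expect.
function validateLogin(array $post): array
{
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';
    if (!is_string($username) || !preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        throw new InvalidArgumentException('username must be 3-32 chars of [A-Za-z0-9_]');
    }
    if (!is_string($password) || strlen($password) < 8 || strlen($password) > 128) {
        throw new InvalidArgumentException('password must be 8-128 bytes');
    }
    return ['username' => $username, 'password' => $password];
}

// 2. Query: the prepared statement sends the value separately from the SQL
//    text, so no escaping function is involved and magic_quotes is irrelevant.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns the user id on success, null on any failure (same answer for an
// unknown user and a wrong password, so the response does not leak which).
function checkLogin(PDO $db, array $post): ?int
{
    $in = validateLogin($post);
    $user = findUser($db, $in['username']);
    if ($user === null || !password_verify($in['password'], $user['password_hash'])) {
        return null;
    }
    return (int) $user['id'];
}

// 3. Output: HTML-escape where the value is rendered, not where it arrives.
function htmlEscape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- constructed fixture so the script runs without a real database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse battery', PASSWORD_DEFAULT)]);

// Constructed sample requests standing in for $_POST.
$requests = [
    ['username' => 'alice', 'password' => 'correct horse battery'],      // valid login
    ['username' => 'alice', 'password' => 'not the password'],           // wrong password
    ['username' => "o'hara <b>x</b>", 'password' => 'irrelevant!!'],     // fails validation
];

foreach ($requests as $post) {
    try {
        $id = checkLogin($db, $post);
        echo $id === null ? "login failed\n" : "logged in as user #$id\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
    // Echoing the submitted name back: quotes and tags come out as inert text.
    echo '  echoed: ' . htmlEscape((string) $post['username']) . "\n";
}
```

Running it prints a successful login for the first request, a failure for the second, a validation rejection for the third, and in every case an HTML-safe echo of the submitted name. The point is that none of the three steps needs to know about the others, which is what makes the approach simpler to get right than a single function that has to guess which context the value will end up in.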