
your ultimate input data filter?

Posted: Sun May 20, 2007 12:32 pm
by maliskoleather
Another post got me thinking about this...

If you had (have) a function that parses and cleans, and otherwise generally handles, anything that a user threw at it, what would you want it to do? That way, you would only have to do something like

Code:

$var=userDataFilter($_POST['foo']);

and feel perfectly safe about that var's content?

I'm not asking about using already existing functions, or even looking for sample code. I'm just curious about concepts: cleaning bad HTML, parsing emoticons, stripping DB escape chars, etc.

Posted: Sun May 20, 2007 12:41 pm
by Chris Corbyn
Your question doesn't really make any sense because without knowing what you're escaping the data for you cannot know how to escape it. Are you cleaning for SQL, or for HTML?

Posted: Sun May 20, 2007 12:46 pm
by maliskoleather
I'm not asking how to clean anything...

What I want to know is: if you had a function that in theory could do whatever you wanted with users' data, what would you want it to do?

Posted: Sun May 20, 2007 12:49 pm
by Kieran Huggins
It's all about cleaning for the target data format. There's a really good section in the O'Reilly book "Building Scalable Web Sites" that talks about this in great detail. PM me your email for an excerpt.

Posted: Sun May 20, 2007 1:01 pm
by Ambush Commander
maliskoleather wrote: cleaning bad html

Ah, that sounds like a job for HTML Purifier!

d11wtq and Kieran are right: a function like userDataFilter() could not possibly exist because it wouldn't know what to do. There are many different types of filtering and validation one can do.

BTW: FMA! Great show.

Posted: Sun May 20, 2007 1:11 pm
by maliskoleather
Heh. I know it couldn't possibly work in reality. I'm not even going to try and make it... lol. I'm just thinking hypothetically, if it were possible and so on and so on.

Re: your ultimate input data filter?

Posted: Sun May 20, 2007 1:14 pm
by kyberfabrikken
maliskoleather wrote: If you had (have) a function that parses and cleans, and otherwise generally handles, anything that a user threw at it, what would you want it to do? That way, you would only have to do something like

Code:

$var=userDataFilter($_POST['foo']);

and feel perfectly safe about that var's content?
How about:

Code:

$var = $_POST['foo'];
I feel perfectly safe about that.
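The point made by Chris Corbyn and Kieran Huggins (escaping depends on the target format) and by kyberfabrikken (the raw value itself is fine to keep), as an added PHP example that is not code from the thread: one constructed user string is stored unchanged through a bound parameter and then encoded differently for HTML, URL and JavaScript output. The userDataFilter() body below is a hypothetical "universal" filter written for this example to show what goes wrong, not something anyone in the thread posted. It assumes PHP 7 or later with the PDO SQLite driver available.

```php
<?php
// Added example, not from the original thread.
// Shows why a single userDataFilter() cannot exist: the same raw value
// needs a different encoding for each output context, and the safe place
// to keep it is unmodified. Assumes PHP 7+ with PDO and pdo_sqlite.
declare(strict_types=1);

// Constructed sample input: characters that are special in SQL, HTML,
// URLs and JavaScript, mixed with ordinary text a user might really type.
$raw = "O'Reilly <b>& co</b> \"quotes\" \\ backslash 100%";

// 1. SQL context: do not escape the value at all; bind it as a parameter
//    so it can never become part of the statement's syntax.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
$stmt->execute([':body' => $raw]);

$stored = $db->query('SELECT body FROM posts')->fetchColumn();
if ($stored !== $raw) {
    throw new RuntimeException('storage altered the value; it should round-trip unchanged');
}

// 2. HTML body/attribute context: encode when the value is printed.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. URL query-string context: percent-encode the component.
function forUrl(string $s): string
{
    return rawurlencode($s);
}

// 4. JavaScript string literal emitted inside a <script> block:
//    JSON-encode and hex-escape the characters that could close the tag.
function forJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Hypothetical "universal" input filter of the kind the thread asks about.
// It destroys data (strip_tags removes text, addslashes adds backslashes
// that then show up in the page) and still protects no context correctly:
// '&' is left unencoded for HTML, and nothing is done for URL or JS output.
function userDataFilter(string $s): string
{
    return addslashes(strip_tags($s));
}

printf("raw (stored):     %s\n", $stored);
printf("HTML context:     %s\n", forHtml($stored));
printf("URL context:      %s\n", forUrl($stored));
printf("JS context:       %s\n", forJs($stored));
printf("'universal' filter: %s\n", userDataFilter($stored));
```

The functions forHtml(), forUrl() and forJs() are the example's own names; the PHP built-ins they wrap (htmlspecialchars, rawurlencode, json_encode with the JSON_HEX_* flags) are the actual per-context encoders. Run it with `php example.php` and compare the last line with the four above it: the filtered value is both mangled and still not safe for any one output.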