Any difference in these sanitizing methods?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

big0mike
Forum Newbie
Posts: 5
Joined: Thu Jul 17, 2008 12:52 pm
Location: Peoria AZ

Any difference in these sanitizing methods?

Post by big0mike »

I got this from the book I'm reading, PHP Solutions:

Code:

<?php
// Undo magic_quotes_gpc escaping so the superglobals hold the raw input.
function nukeMagicQuotes() {
  if (get_magic_quotes_gpc()) {
    // Recurse into nested arrays (e.g. field[] inputs) before stripping.
    function stripslashes_deep($value) {
      $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
      return $value;
    }
    $_POST   = array_map('stripslashes_deep', $_POST);
    $_GET    = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
  }
}
?>
The page's source has an include for this file and then calls the function.

The second way was some code offered to me through the WD mailing list:

Code:

<?php
// Initialize $input alias:
$input = array();
// Clean all input:
if (ini_get('magic_quotes_gpc')) {
    foreach ($_POST as $k => $v) {
        $input[$k] = trim(strip_tags(stripslashes($v)));
    }
} else {
    foreach ($_POST as $k => $v) {
        $input[$k] = trim(strip_tags($v));
    }
}
I don't know enough to know if either method is better or worse, but since I see different code I have to ask. I, of course, want to use the better method... if there is one.

Thanks,
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Any difference in these sanitizing methods?

Post by Mordred »

The second is rubbish, throw it away.
The first works, for a given value of "works".
Dig through this: viewtopic.php?f=50&t=74859
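As an added example (not from the book, the mailing list or the linked thread), this shows the distinction behind the answer: undoing magic_quotes only restores the raw input, and safety comes from escaping at each output point, not from a blanket strip_tags() pass. It assumes PHP with the pdo_sqlite extension; the field names and values are constructed.

```php
<?php
// Added example, not from the thread: undoing magic_quotes restores the
// raw input (normalization); safety comes from escaping at each output
// point, which is why a blanket strip_tags() pass is the wrong tool.

// Recursive magic_quotes undo, as in the first snippet. Works on every
// leaf of a nested array, so a checkbox group like tags[] survives.
function stripslashes_deep($value) {
    return is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes($value);
}

// Constructed stand-in for $_POST with magic_quotes_gpc on: the
// apostrophe arrives backslash-escaped, and one field is an array.
$post = array(
    'name' => "O\\'Brien <b>bold</b>",
    'tags' => array("a\\'b", 'sec'),
);

$input = stripslashes_deep($post);
// The second snippet would pass $post['tags'] (an array) to strip_tags(),
// which rejects it (warning and null in PHP 5/7, TypeError in PHP 8),
// so that field would be lost instead of cleaned.

// HTML context: encode at display time so the user's literal text is
// shown and the <b> tag is rendered as text, not interpreted.
function html($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
echo '<p>' . html($input['name']) . "</p>\n";

// SQL context: a bound parameter keeps the apostrophe in O'Brien as
// data, so nothing needs to be stripped from the stored value.
// Assumes the pdo_sqlite extension; an in-memory database is used.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (name TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute(array(':name' => $input['name']));
$stored = $pdo->query('SELECT name FROM users')->fetchColumn();
echo $stored === $input['name'] ? "stored verbatim\n" : "mangled\n";
```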