[nycphp-talk] Best practice for escaping data
Randal Rust
randalrust at gmail.com
Thu Feb 15 17:36:27 EST 2007
I have a custom-built CMS that I use on a lot of my websites. Before I
commit any data to the database, I run each piece through specific
functions that contain a regular expression that accurately validates
the data.
checkPhoneNumber()
checkFaxNumber()
checkCurrency()
checkEmail()
You get the picture.
In all of the environments that I have worked in before,
magic_quotes_gpc is set to 'On.' But in a new one we are working
with, it is off. No big deal, really, but I am running into a problem
with my function that validates fields that contain mixed data --
essentially text fields. The function is this:
function validateMixed($value){
    // Drop leading and trailing whitespace before validating.
    $value=trim($value);
    // If magic_quotes_gpc is on, PHP has already added slashes to the
    // request data; undo that so the regex sees the raw characters.
    $value=ini_get('magic_quotes_gpc') ? stripslashes($value) : $value;
    // Whitelist of characters allowed in a mixed/text field. The hyphen is
    // placed last so it is a literal (the original "9-<" was a range that
    // did not include "-" itself). Backslashes are not in the list, which
    // is why data run through addslashes() fails this check.
    $pass=preg_match('/^[a-zA-Z0-9<>_&,:@?=$#;!\/\(\)\'\"\.\s+-]+$/', $value);
    return $pass;
}
In order to work in this new environment, I just added addslashes() to
all of the data, but now it won't pass the validateMixed() function
because of the backslashes.
I guess what I'd really like to know is if this is the best way to do
this with these mixed fields.
--
Randal Rust
R.Squared Communications
www.r2communications.com
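The following is an added example, not code from the original post or from the author's CMS. It shows the separation the question is circling around: validate the raw value once (after undoing magic_quotes_gpc, if present), and leave quoting for the database to the driver at the point of use with a prepared statement, instead of running addslashes() over the data before validation. It assumes the pdo_sqlite extension is available; the notes table, the rawInput()/storeNote()/fetchNote() helpers and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example (not from the original post): keep validation and escaping
// as separate steps. Assumes pdo_sqlite; table and inputs are constructed.

// Undo magic_quotes_gpc if the environment has it on, so every code path
// sees the same raw data. On PHP 5.4 and later the setting no longer exists,
// ini_get() returns false, and this is a no-op.
function rawInput($value)
{
    return ini_get('magic_quotes_gpc') ? stripslashes($value) : $value;
}

// Same whitelist as the post's validateMixed(), with the hyphen at the end of
// the class so it is a literal rather than the range "9-<".
function validateMixed($value)
{
    $value = trim($value);
    return preg_match('/^[a-zA-Z0-9<>_&,:@?=$#;!\/\(\)\'\"\.\s+-]+$/', $value) === 1;
}

// Store a validated value. No addslashes() here: binding a placeholder keeps
// the data out of the SQL text, so quotes in the value cannot alter the query.
function storeNote(PDO $db, $value)
{
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute(array(':body' => $value));
    return (int) $db->lastInsertId();
}

function fetchNote(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT body FROM notes WHERE id = :id');
    $stmt->execute(array(':id' => $id));
    return $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample inputs.
$samples = array(
    "O'Brien & Co. (est. 1995) - call 555-0100",  // legitimate mixed text
    "x' OR '1'='1",                                // classic injection attempt
    "C:\\temp\\file.txt",                          // backslash: not in the whitelist
);

foreach ($samples as $input) {
    $value = rawInput($input);

    // Escaping before validating is what broke the post's setup: the
    // backslashes addslashes() inserts are rejected by the whitelist.
    $escapedFirst = validateMixed(addslashes($value)) ? 'pass' : 'FAIL';
    $rawFirst     = validateMixed($value) ? 'pass' : 'FAIL';
    printf("%s\n  validate(addslashes(value)): %s   validate(value): %s\n",
        $value, $escapedFirst, $rawFirst);

    if (!validateMixed($value)) {
        continue;
    }
    // Passing the whitelist means the characters are acceptable for the
    // field, not that the value is safe to splice into SQL; the prepared
    // statement is what makes the second sample inert.
    $stored = fetchNote($db, storeNote($db, $value));
    printf("  stored and read back intact: %s\n", $stored === $value ? 'yes' : 'no');
}
```

Two things worth noticing when running it: the injection-style second sample passes the whitelist (every character in it is allowed) and is stored verbatim without doing any harm, because the prepared statement never interpolates it into the SQL; and the whitelist admits `<`, `>`, `&` and `"`, so values that pass it still need htmlspecialchars() when they are printed into a page. Validation answers "is this an acceptable value for the field", while escaping is specific to where the value is about to be used, and the two should not be folded into one regex.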