Cleaning Up Data Requests from a Form (Full Version)

dzirkelb1 -> Cleaning Up Data Requests from a Form (11/3/2009 12:03:40)

We all know the pesky things users can do, and the pesky things databases fail on (like quotes, blank values for numbers as opposed to null, spaces, etc.).

So, I created this little function I have on my include page:

Function CleanDataStr(strData)
    ' Walk the string and drop every double quote (Chr(34)) and
    ' single quote (Chr(39)); i only advances when nothing was removed.
    i = 1

    if len(strData) > 0 then
        do while i <= len(strData)
            if mid(strData, i, 1) = Chr(34) Or mid(strData, i, 1) = Chr(39) then
                ' Text before the quote
                if i > 1 then
                    strLeftText = left(strData, i - 1)
                else
                    strLeftText = ""
                end if

                ' Text after the quote
                if i < len(strData) then
                    strRightText = right(strData, len(strData) - i)
                else
                    strRightText = ""
                end if

                strData = strLeftText & strRightText
            else
                i = i + 1
            end if
        loop
    end if

    ' Also strip leading and trailing spaces
    CleanDataStr = Trim(strData)
End Function

Function CleanDataInt(intData)
    ' A blank numeric form field goes to the database as NULL
    ' rather than as an empty string.
    if intData = "" or len(intData) = 0 then
        intData = "NULL"
    end if

    CleanDataInt = intData
End Function


Anyone else have stuff to add to it? This should take care of ", empty spaces, and make blank values a Null.




womble -> RE: Cleaning Up Data Requests from a Form (11/4/2009 7:19:10)

I don't have anything to add to it, but I have a nice little PHP function I use to clean data before putting it in a database.

<?php
function make_safe($value) {
    $value = trim($value);                     // drop leading/trailing whitespace
    $value = htmlspecialchars($value);         // encode &, <, >, " as HTML entities
    $value = stripslashes($value);             // undo magic_quotes_gpc escaping
    $value = mysql_real_escape_string($value); // escape for use inside an SQL string literal
    return $value;
}
?>


Rather than having to perform each function on each form input, this function wraps them all up in one tidy bundle.

trim() trims any pesky whitespace the user's inadvertently put before or after their text.

htmlspecialchars() converts special characters to their HTML entities, so for example the ampersand (&) becomes &amp; and < (less than, and the front of an HTML tag) becomes &lt;, so the user's input isn't interpreted as HTML markup (and also ensures that, if for example a user's used & in their input and you're then going to display their text on a page, the & will display properly as &).

stripslashes() un-quotes quoted strings and strips backslashes.

mysql_real_escape_string escapes special characters in the unescaped string and prevents SQL injection attacks. (If magic_quotes_gpc is enabled on the server, before using mysql_real_escape_string on the data, you need to use stripslashes(), otherwise your data will get escaped twice).
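Both posts deal with the same two concerns: quote characters reaching the SQL text, and blank numeric fields that should become NULL. As an added example (not code from either poster), the script below ports the first post's two rules to Python so their effect on sample input is visible, and beside them inserts the same constructed submissions with bound parameters against SQLite, where the driver keeps the values out of the SQL text and binds None as NULL; ADO command parameters in classic ASP and PDO prepared statements in PHP bind values the same way.

```python
import sqlite3

# Python port of the first post's CleanDataStr: drop every double (Chr(34))
# and single (Chr(39)) quote, then trim. Note the apostrophe is lost.
def clean_data_str(s: str) -> str:
    return s.replace('"', "").replace("'", "").strip()

# Python port of CleanDataInt: a blank numeric field becomes NULL (None here).
def clean_data_int(s: str):
    return None if s.strip() == "" else int(s)

def store_with_parameters(rows):
    """Insert constructed form submissions using bound parameters.

    The values never become part of the SQL string, so quotes are stored
    intact without stripping, and None is bound as SQL NULL, which covers
    the blank-number case without any special-casing in the query text.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, age INTEGER)")
    for name, age in rows:
        conn.execute(
            "INSERT INTO people (name, age) VALUES (?, ?)",
            (name.strip(), None if age.strip() == "" else int(age)),
        )
    return conn.execute("SELECT name, age FROM people ORDER BY rowid").fetchall()

# Constructed sample submissions: a name with an apostrophe, a value the
# user wrapped in double quotes with stray spaces, and a blank age field.
SAMPLE_ROWS = [("O'Brien", "42"), ('  "Bob"  ', "")]

if __name__ == "__main__":
    for name, age in SAMPLE_ROWS:
        print("stripped:", repr(clean_data_str(name)), clean_data_int(age))
    print("bound:", store_with_parameters(SAMPLE_ROWS))
```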



