dzirkelb1
Posts: 1433 Joined: 10/5/2004 From: Cedar Rapids, Iowa Status: offline
Cleaning Up Data Requests from a Form - 11/3/2009 12:03:40
We all know the pesky things users can do, and the pesky things databases fail on (like quotes, blank values for numbers as opposed to null, spaces, etc.). So, I created this little function I have on my include page:
Function CleanDataStr(strData)
    ' Walk the string and drop every double quote (Chr(34)) and single quote (Chr(39)).
    ' i is only advanced when the current character is kept, so the character that
    ' slides into position i after a removal gets checked as well.
    i = 1
    if len(strData) > 0 then
        do while i <= len(strData)
            if mid(strData, i, 1) = Chr(34) Or mid(strData, i, 1) = Chr(39) then
                ' Rebuild the string without character i
                if i > 1 then
                    strLeftText = left(strData, i - 1)
                else
                    strLeftText = ""
                end if
                if i < len(strData) then
                    strRightText = right(strData, len(strData) - i)
                else
                    strRightText = ""
                end if
                strData = strLeftText & strRightText
            else
                i = i + 1
            end if
        loop
    end if
    ' Strip leading and trailing spaces from whatever is left
    CleanDataStr = Trim(strData)
End Function

Function CleanDataInt(intData)
    ' Blank input becomes the SQL keyword NULL. Anything IsNumeric rejects is
    ' treated the same way, so only an actual number is passed through to the query.
    if intData = "" or len(intData) = 0 or not IsNumeric(intData) then
        intData = "NULL"
    end if
    CleanDataInt = intData
End Function
Anyone else have stuff to add to it? This should take care of ", empty spaces, and make blank values a Null.
< Message edited by dzirkelb1 -- 11/3/2009 12:31:59 >
womble
Posts: 6009 Joined: 3/14/2005 From: Living on the edge Status: offline
RE: Cleaning Up Data Requests from a Form - 11/4/2009 7:19:10
I don't have anything to add to it, but I have a nice little PHP function I use to clean data before putting it in a database.

<?php
function make_safe($value) {
    $value = trim($value);                     // drop leading/trailing whitespace
    $value = htmlspecialchars($value);         // &, <, >, " become HTML entities
    $value = stripslashes($value);             // undo magic_quotes_gpc escaping
    $value = mysql_real_escape_string($value); // escape for MySQL; needs an open mysql_connect() link
    return $value;
}
?>

Rather than having to perform each function on each form input, this function wraps them all up in one tidy bundle. trim() trims any pesky whitespace the user's inadvertently put before or after their text. htmlspecialchars() converts special characters to their HTML entities, so for example the ampersand (&) becomes &amp; and < (less than, and the front of an HTML tag) becomes &lt;, so the user's input isn't interpreted as HTML markup (and also ensures that, if for example a user's used & in their input and you're then going to display their text on a page, the &amp; will display properly as &). stripslashes() un-quotes a quoted string and strips backslashes. mysql_real_escape_string() escapes special characters in the unescaped string and prevents SQL injection attacks. (If magic_quotes_gpc is enabled on the server, before using mysql_real_escape_string on the data, you need to use stripslashes(), otherwise your data will get escaped twice.)
_____________________________
~~ "A cruel god ain't no god at all" ~~ ~~ Erase hate. Practice love. ~~
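As an added example, not code from either poster: a Python rendering of the two approaches in this thread, run against an in-memory SQLite table. It shows that stripping quotes the way CleanDataStr does loses data (O'Brien becomes OBrien), that the original CleanDataInt passes any non-blank value straight through, and that a parameterised query keeps the apostrophe intact with no stripping or escaping at all. The function names and sample inputs are assumptions made here.

```python
import sqlite3

def clean_data_str(s: str) -> str:
    """Python rendering of CleanDataStr: drop every ' and ", then trim."""
    return "".join(ch for ch in s if ch not in ("'", '"')).strip()

def clean_data_int(value: str) -> str:
    """Python rendering of the original CleanDataInt: blank becomes the literal
    NULL, anything else is returned unchanged (no numeric check at all)."""
    return "NULL" if value.strip() == "" else value

def clean_int_validated(value: str):
    """Hardened variant: blank -> None (NULL), an integer -> int, else ValueError."""
    value = value.strip()
    if value == "":
        return None
    if not value.lstrip("-").isdigit():
        raise ValueError(f"not an integer: {value!r}")
    return int(value)

def store_with_parameters(conn, name: str, age):
    """Parameterised insert: the driver keeps data and SQL separate, so quotes
    in the name survive unchanged and nothing has to be stripped or escaped."""
    name = name.strip()
    conn.execute("INSERT INTO people(name, age) VALUES (?, ?)", (name, age))
    return conn.execute("SELECT name, age FROM people WHERE name = ?", (name,)).fetchone()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people(name TEXT, age INTEGER)")
    stripped = clean_data_str("  O'Brien ")          # constructed input; apostrophe is lost
    passthrough = clean_data_int("forty-two")        # original cleaner does not object
    rejected = False
    try:
        clean_int_validated("forty-two")             # hardened cleaner refuses it
    except ValueError:
        rejected = True
    kept = store_with_parameters(conn, "  O'Brien ", clean_int_validated(" 42 "))
    blank = store_with_parameters(conn, "Nobody", clean_int_validated(""))
    return stripped, passthrough, rejected, kept, blank

if __name__ == "__main__":
    print(demo())
```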