Two useful functions (XSS/SQL injection)


Y.P.Y
Oct 9th, 2009, 03:14 PM
Hi,

// Whitelist filter: strips every character that is not allowed for the
// requested type, optionally truncates, and optionally HTML-encodes.
// Call-time pass-by-reference (&$var in the call) has been removed; it is
// unnecessary here and is a fatal error in PHP 5.4 and later.
function Safe_String($Str_Input, $Str_Type= 'all', $Str_Charset= 'ISO-8859-1', $Bln_HTMLEntities= false, $Bln_SubStr= false, $Lng_MaximumLength= 0)
{
    switch(strtolower($Str_Type)):
        case 'english':
        case 'e':  $Str_Input= preg_replace('/[^a-zA-Z]/', '', $Str_Input);
            break;

        case 'integer':
        case 'i':  $Str_Input= preg_replace('/[^0-9+-]/', '', $Str_Input);
            break;

        case 'number':
        case 'n':  $Str_Input= preg_replace('/[^0-9+.\/-]/', '', $Str_Input);
            break;

        case 'englishinteger':
        case 'ei': $Str_Input= preg_replace('/[^a-zA-Z0-9+-]/', '', $Str_Input);
            break;

        case 'englishnumber':
        case 'en': $Str_Input= preg_replace('/[^a-zA-Z0-9+.\/-]/', '', $Str_Input);
            break;

        case 'electronicmail':
        case 'em': $Str_Input= preg_replace('/[^a-zA-Z0-9@_.-]/', '', $Str_Input);
            break;

        case 'file':
        case 'f':  $Str_Input= preg_replace('/[^a-zA-Z0-9+_.-]/', '', $Str_Input);
            break;

        case 'phone':
        case 'ph': $Str_Input= preg_replace('/[^0-9+]/', '', $Str_Input);
            break;

        case 'internetprotocol':
        case 'ip': $Str_Input= preg_replace('/[^0-9.:]/', '', $Str_Input);
            break;
        // 'all' (the default) and unknown types: no character filtering.
    endswitch;

    if($Bln_SubStr):
        $Str_Input= mb_substr($Str_Input, 0, $Lng_MaximumLength, $Str_Charset);
    endif;
    // ENT_COMPAT encodes double quotes only; single quotes pass through.
    if($Bln_HTMLEntities):
        $Str_Input= htmlentities($Str_Input, ENT_COMPAT, $Str_Charset);
    endif;
    return($Str_Input);
}



// Escapes a value for use inside a quoted MySQL string literal.
// Requires an open mysql_* connection for mysql_real_escape_string().
// The original version discarded the escaped result (it was never
// assigned back to $Str_Input) and applied stripslashes()/addslashes()
// after escaping, which undid or doubled the escaping; fixed here.
function Safe_SQL($Str_Input)
{
    // Undo magic_quotes_gpc first, so the value is not escaped twice.
    if(get_magic_quotes_gpc()):
        $Str_Input= stripslashes($Str_Input);
    endif;

    $Str_Input= function_exists('mysql_real_escape_string')
        ? mysql_real_escape_string($Str_Input)
        : mysql_escape_string($Str_Input);

    return($Str_Input);
}

Goodluck. ;-)
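As an added example (not code from the original post), here is the same pair of concerns written so that it runs on a current PHP without a MySQL server: a whitelist filter in the spirit of Safe_String, HTML encoding with ENT_QUOTES so values placed in single-quoted attributes are covered as well, and a PDO prepared statement in place of Safe_SQL's string escaping. The function names, the `users` table and the sample rows are constructed for this example; it uses an in-memory SQLite database.

```php
<?php
// Added example, not code from the thread above.

// Whitelist filter, one pattern per type (same idea as Safe_String).
function filter_by_type(string $input, string $type): string
{
    $patterns = [
        'e'  => '/[^a-zA-Z]/',
        'i'  => '/[^0-9+-]/',
        'em' => '/[^a-zA-Z0-9@_.-]/',
        'ip' => '/[^0-9.:]/',
    ];
    if (!isset($patterns[$type])) {
        throw new InvalidArgumentException("unknown type: $type");
    }
    return preg_replace($patterns[$type], '', $input);
}

// Output encoding for HTML. ENT_COMPAT (used in Safe_String) leaves single
// quotes untouched; ENT_QUOTES encodes both quote styles, so the result is
// safe inside single- or double-quoted attributes and in element text.
function html_encode(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SQL: bind the value instead of escaping it. The value never becomes part
// of the SQL text, so quoting rules and magic_quotes order do not matter.
function find_user(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('o''brien')");

var_dump(filter_by_type('bob<script>', 'e') === 'bobscript');   // true
var_dump(filter_by_type('10.0.0.1;x', 'ip') === '10.0.0.1');    // true
var_dump(html_encode("it's <b>") === 'it&#039;s &lt;b&gt;');     // true
var_dump(count(find_user($db, "o'brien")) === 1);                // true: quote bound literally
var_dump(count(find_user($db, "alice'")) === 0);                 // true: no match, no SQL error
```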

I_Love_My_Vans
Oct 15th, 2009, 06:39 AM
Is there a particular reason why you are accessing &$Str_Input by reference? It would appear that you're accessing it by reference but assigning it by value? This doesn't make sense, unless someone can enlighten me.

(Obviously you can't because you're banned :D)

Code indenting leaves much to be desired; also, if you are going to separate words in your variable names with a _ then you probably don't need to use camel case.