-
May 18th, 2009, 03:59 PM
#1
Thread Starter
Fanatic Member
Input filtering...
PHP Code:
foreach ($HTTP_POST_VARS as $key => $value) {
    // re-read each POST key through the filter extension and overwrite $_POST
    $value = filter_input(INPUT_POST, $key, FILTER_SANITIZE_SPECIAL_CHARS);
    $_POST[$key] = $value;
}
foreach ($HTTP_GET_VARS as $key => $value) {
    // same for every GET key
    $value = filter_input(INPUT_GET, $key, FILTER_SANITIZE_SPECIAL_CHARS);
    $_GET[$key] = $value;
}
Is there any reason I wouldn't want to do this on every page on my script? It protects against SQL injections, plus other mishaps (Such as XSS).
-
May 18th, 2009, 11:45 PM
#2
Re: Input filtering...
Well, if you're ever echoing those variables out, then they'll have a bunch of slashes in them (assuming your filter_input() function adds slashes).
Other than that, there isn't any real reason why you couldn't, or shouldn't.
-
May 20th, 2009, 08:23 PM
#3
Re: Input filtering...
This is bad in principle. That snippet of code makes the big and dangerous assumption that GET and POST variables are only ever to be used in SQL queries built using string concatenation.
There are two problems with this assumption:
— You shouldn't be building queries using concatenation. Use parameters (unless you're stuck with a stone-age environment).
— It's wrong.
Also, the $HTTP* variables are deprecated. Use $_POST and $_GET instead.
The case where you might want something like your snippet is the converse: Where your code might be run on a system with "magic quotes" enabled. In this case you should be removing character escape sequences wrongly added by the magic quotes "feature":
PHP Code:
// array_walk_recursive() hands the callback a copy of each value and ignores its
// return value, so passing "stripslashes" directly would change nothing; the
// callback has to take the value by reference.
function strip_magic_quotes(&$value) {
    $value = stripslashes($value);
}
if (@get_magic_quotes_gpc()) {
    // magic_quotes_gpc added backslashes to every request value; undo it
    array_walk_recursive($_GET, 'strip_magic_quotes');
    array_walk_recursive($_POST, 'strip_magic_quotes');
    array_walk_recursive($_COOKIE, 'strip_magic_quotes');
}
Last edited by penagate; May 20th, 2009 at 08:27 PM.
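An added example (not posted in this thread) that puts the two approaches side by side: the global FILTER_SANITIZE_SPECIAL_CHARS pass from post #1 versus a bound parameter for SQL and HTML escaping only at output, as post #3 recommends. It uses an in-memory SQLite database and a constructed $request array standing in for $_GET, and filter_var() instead of filter_input() because the request superglobals are empty on the command line; needs PHP 7.4+ with the pdo_sqlite extension.

```php
<?php
// Constructed "request" values; $request stands in for $_GET in this example.
$request = ['id' => '1 OR 1=1', 'name' => "O'Brien"];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// 1. The global sanitising pass from post #1. FILTER_SANITIZE_SPECIAL_CHARS
//    HTML-encodes ' " < > & and control characters; it knows nothing about SQL.
$sanitised = array_map(
    fn($v) => filter_var($v, FILTER_SANITIZE_SPECIAL_CHARS),
    $request
);
// Spaces, letters and '=' pass through, so the unquoted numeric id is unchanged.
echo "sanitised id:   ", $sanitised['id'], "\n";
// The apostrophe is turned into an HTML entity before the value is even stored.
echo "sanitised name: ", $sanitised['name'], "\n";

// Concatenating the "sanitised" id into the query is still an injection: the
// WHERE clause becomes "id = 1 OR 1=1" and every row comes back.
$rows = $pdo->query("SELECT name FROM users WHERE id = " . $sanitised['id'])
            ->fetchAll(PDO::FETCH_COLUMN);
echo "rows via concatenation: ", count($rows), "\n";

// 2. Context-specific handling. For SQL, bind the raw value as a parameter; the
//    text '1 OR 1=1' is compared against the id column, never parsed as SQL.
$stmt = $pdo->prepare("SELECT name FROM users WHERE id = :id");
$stmt->execute([':id' => $request['id']]);
echo "rows via bound parameter: ", count($stmt->fetchAll(PDO::FETCH_COLUMN)), "\n";

// Store the name exactly as received, again through a bound parameter.
$ins = $pdo->prepare("INSERT INTO users (name) VALUES (:name)");
$ins->execute([':name' => $request['name']]);
$sel = $pdo->prepare("SELECT name FROM users WHERE name = :name");
$sel->execute([':name' => $request['name']]);
$stored = $sel->fetchColumn();
echo "stored name:  ", $stored, "\n";

// Escape for HTML only at the point where the value is rendered into a page.
echo "rendered name: ", htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```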