BadAngler
The XOOPS way to avoid SQL injections from forms?
  • 2007/1/2 0:21
  • Just popping in
  • Posts: 36
  • Since: 2006/11/28

Hi,

I've been writing a series of input forms for a XOOPS site. My work is mostly done with the exception of disinfecting browser input. I usually write Perl code where you drop control characters (most often allowing only a specific list of characters), any markup, escape quotes, etc. before any database insertion. I'm trying to figure out the safest way to do this for PHP and thought there might be a generic XOOPS function to do so. If there isn't, does anyone have a function with the correct mix of strip_tags, stripslashes and magic_quotes_gpc? Extra credit for a solution no matter what the server setting for magic quotes is... it'd be great if we don't have to deal with that at every hosting site.

TIA, BA

Dave_L
Re: The XOOPS way to avoid SQL injections from forms?
  • 2007/1/2 1:58
  • XOOPS is my life!
  • Posts: 2277
  • Since: 2003/11/7

How are you doing the MySQL queries to update the database? With the XOOPS object classes, or with manual queries?

With manual queries, you can do:

$myts =& MyTextSanitizer::getInstance();   // XOOPS' text sanitizer singleton
...
$fieldvalue = $myts->addSlashes($fieldvalue);   // escape quotes for use inside a quoted SQL literal
...
$query = ... `fieldname` = '$fieldvalue' ....

If you're using XOOPS object classes, the object handler should take care of that for you.

phppp
Re: The XOOPS way to avoid SQL injections from forms?
  • 2007/1/2 2:48
  • XOOPS Contributor
  • Posts: 2857
  • Since: 2004/1/25

The preferred procedure for handling user input would be:

$xoopsObject->setVar($GPCvar, $GPCval);
=> Inform xoopsObject that current variable is from GPC

$xoopsObject->cleanVars();
=> strip slashes if magic_quotes_gpc is set to ON

$xoopsDB->quoteString($xoopsObject->$cleanedGPCval);
=> add slashes to single quotes

$xoopsDB->query()
=> store into DB

This way, the storage procedure is safe for most cases, except for a few very rare cases with a few East Asian encodings, potentially, if magic_quotes_gpc is set to OFF.
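The setVar / cleanVars / quoteString / query chain above, as an added example that is not code from this thread or from XOOPS itself. It assumes a hypothetical XoopsObject subclass `Note` stored in the table `$xoopsDB->prefix('notes')` with columns note_id, title and body, form fields named `title` and `body`, and the XOOPS 2.5 XoopsObject/XoopsDatabase API.

```php
<?php
// Added example (not from the thread). Hypothetical: a XoopsObject subclass
// `Note` backed by the table $xoopsDB->prefix('notes') (columns note_id,
// title, body) and form fields named `title` and `body`. Written against the
// XOOPS 2.5 XoopsObject / XoopsDatabase API.

class Note extends XoopsObject
{
    public function __construct()
    {
        parent::__construct();
        // initVar() is what tells cleanVars() each field's type, whether it is
        // required, and its maximum length.
        $this->initVar('note_id', XOBJ_DTYPE_INT, null, false);
        $this->initVar('title', XOBJ_DTYPE_TXTBOX, null, true, 255);
        $this->initVar('body', XOBJ_DTYPE_TXTAREA, null, false);
    }
}

// Stores one submitted note; returns the new row id, or false with $errors filled.
function saveNoteFromForm(array $post, XoopsDatabase $xoopsDB, array &$errors)
{
    $note = new Note();
    // 1. setVar() with its default $not_gpc = false marks the value as GPC input,
    //    so cleanVars() knows it may carry magic_quotes_gpc slashes.
    $note->setVar('title', isset($post['title']) ? $post['title'] : '');
    $note->setVar('body', isset($post['body']) ? $post['body'] : '');
    // 2. cleanVars() strips slashes only if magic_quotes_gpc is ON, so the clean
    //    value is identical on every host; it also enforces required/maxlength.
    if (!$note->cleanVars()) {
        $errors = $note->getErrors();
        return false;
    }
    // 3. quoteString() is the single escaping step: it escapes the clean value
    //    for MySQL and wraps it in quotes, so slashes are never doubled or missing.
    $sql = sprintf(
        'INSERT INTO %s (title, body) VALUES (%s, %s)',
        $xoopsDB->prefix('notes'),
        $xoopsDB->quoteString($note->cleanVars['title']),
        $xoopsDB->quoteString($note->cleanVars['body'])
    );
    // 4. query() on the default "safe" database object refuses writes during a
    //    GET request (queryF() bypasses that); it returns false on failure.
    if (!$xoopsDB->query($sql)) {
        $errors[] = $xoopsDB->error();
        return false;
    }
    return $xoopsDB->getInsertId();
}
```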
