I need to make a library for data processing, so I can use it before calling functions like Register, Change, Delete, etc.
I am using PDO for communication with the MySQL database, and the method itself already has some security measures to avoid SQL injection, but I would like more security.
I have been researching and found nothing better than the sanitize filter that the PHP language itself offers, but I believe you have better and more complete ways to use these features.
Here is the function I've written:
```php
// Sanitizes every value of an input array (e.g. $_POST) and returns the result.
// Nested arrays (checkbox groups) are not handled: filter_var() returns false for them.
function limpeza($dados) {
    foreach ($dados as $key => $valor) {
        if (is_numeric($valor)) {
            // Keeps only digits and +/- signs.
            $dados[$key] = filter_var($dados[$key], FILTER_SANITIZE_NUMBER_INT);
        } else {
            // Strips tags and encodes quotes. FILTER_SANITIZE_STRING is deprecated
            // since PHP 8.1 and utf8_decode() since PHP 8.2.
            $dados[$key] = filter_var(utf8_decode($dados[$key]), FILTER_SANITIZE_STRING);
        }
    }
    return $dados;
}
```
My idea is to take, for example, the array with the form POST and pass it directly to the function, and have it return a clean array, free of, for example, HTML tags, PHP or other malicious scripts. The way it is, the function actually cleans all malicious tags and scripts and returns the clean array. But I feel like there are much better ways to do it, and I haven't found much content on the Internet about it.
And the difference between `int` and `float`? It seems safer to rely on a `gettype` instead of an `is_numeric`. And you can even receive an optional second array as a parameter with the filter to apply to each field, so you can in some cases apply `FILTER_SANITIZE_EMAIL`, for example. – Isac
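The per-field rule map suggested above, applied to the question's use case, as an added example that is not code from the question or from any commenter. It assumes PHP 8 (for `match`), a constructed `$_POST`-like input, the field names and the `usuarios` table; SQLite in memory stands in for MySQL so it runs offline. Note that `FILTER_VALIDATE_INT` rejects inputs such as `'1e3'` or `' 30'` that `is_numeric()` accepts.

```php
<?php
// Added example, not the question's own code. Field names and the table are
// assumed. Each field is checked against an explicit rule instead of guessing
// the type with is_numeric(); unknown fields are dropped, bad ones reported.
declare(strict_types=1);
function validar(array $dados, array $regras): array
{
    $limpo = [];
    $erros = [];
    foreach ($regras as $campo => $regra) {
        // Allowlist: fields not in $regras are dropped, nested arrays rejected.
        $valor = $dados[$campo] ?? null;
        if (!is_scalar($valor)) {
            $erros[$campo] = 'missing or not a scalar';
            continue;
        }
        $valor = (string) $valor;
        $ok = match ($regra) {
            // FILTER_VALIDATE_* returns false on bad input rather than mangling it.
            'int'   => filter_var($valor, FILTER_VALIDATE_INT),
            'email' => filter_var($valor, FILTER_VALIDATE_EMAIL),
            // Free text: trim and cap length. HTML is not stripped here; it is
            // escaped at output time so the stored value stays faithful.
            'text'  => (trim($valor) !== '' && strlen(trim($valor)) <= 100) ? trim($valor) : false,
            default => false,
        };
        if ($ok === false) {
            $erros[$campo] = "invalid $regra";
        } else {
            $limpo[$campo] = $ok;
        }
    }
    return ['data' => $limpo, 'errors' => $erros];
}

// Constructed sample standing in for $_POST; 'extra' is silently dropped.
$entrada = ['nome' => ' Ana <b>x</b> ', 'idade' => '30', 'email' => 'ana@example.com', 'extra' => 'x'];
$res = validar($entrada, ['nome' => 'text', 'idade' => 'int', 'email' => 'email']);

if ($res['errors'] === []) {
    // In-memory SQLite stands in for MySQL; the prepared statement with bound
    // parameters is what prevents SQL injection, not the validation above.
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE usuarios (nome TEXT, idade INTEGER, email TEXT)');
    $stmt = $pdo->prepare('INSERT INTO usuarios (nome, idade, email) VALUES (:nome, :idade, :email)');
    $stmt->execute($res['data']);
    // XSS is handled where the value is rendered, with output escaping.
    echo htmlspecialchars($res['data']['nome'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

Returning the errors instead of silently rewriting the value lets the caller tell the user what was wrong, which a blanket sanitizer cannot.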
Check https://github.com/Wixel/GUMP, easy to extend and easy to use. – AnthraxisBR
Take a look at SafeMySQL. It is a mysqli wrapper that solves the security, readability, implementation and repetition problems that mysqli code can bring. It is developed/maintained by an SO user. – Gabriel Heming