Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> Security Issues
Dawg
RavenNuke(tm) Development Team
Joined: Nov 07, 2003
Posts: 928
Posted: Wed Jan 20, 2010 6:15 pm

I have a form for inserting videos into the database. After much head scratching I came up with this to sanitize the data coming from POST.

Am I doing this right?

What am I forgetting?

Dawg


Code:
function Sanitizer($variable)
{
    $variable = trim($variable);         // drop leading/trailing whitespace
    $variable = strip_tags($variable);   // remove HTML and PHP tags
    $variable = htmlentities($variable); // encode remaining HTML special characters
    $variable = addslashes($variable);   // backslash-escape quotes before the SQL INSERT
    return $variable;
}


Code:
$code=Sanitizer($_POST['code']);
 
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Thu Jan 21, 2010 7:47 am

Dawg, how is the data used coming out of the database and what, if any, transformations are you doing on it? That will help a bit here.

I would not use strip_tags() if you are already using a RavenNuke(tm) version 2.10.00 or better. I would use check_html($variable, 'nohtml') instead. Just a general rule as it does a better job of not being overly aggressive and breaking your content.

Your answer on the first question will determine whether you really want to htmlentities() it. I tend more towards storing a more "raw" version of the cleansed input (i.e., unencoded) and only encode depending upon what I am doing with the data after I retrieve it from the database.

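An added example (not code from this thread or from RavenNuke) that puts the posted Sanitizer() next to the approach montego describes above: check the input's shape, store it unencoded, bind it with a prepared statement, and encode for HTML only when it is printed. It assumes PDO with the pdo_sqlite extension (an in-memory database so it runs offline) and a made-up `videos` table; the title length policy is likewise an assumption.

```php
<?php
// Added example, not code from the thread or from RavenNuke: the posted
// Sanitizer() next to a validate-at-input, store-raw, encode-at-output
// version. Assumptions: PDO with the pdo_sqlite extension (in-memory DB so
// it runs offline), and a made-up `videos` table.

// The stack as posted, for comparison.
function Sanitizer($variable)
{
    $variable = trim($variable);
    $variable = strip_tags($variable);
    $variable = htmlentities($variable);
    $variable = addslashes($variable);
    return $variable;
}

// Input side: check the shape only; do not transform for one particular sink.
function validateTitle($title)
{
    $title = trim($title);
    // Constructed policy: 1..120 bytes, no control characters.
    if ($title === '' || strlen($title) > 120 || preg_match('/[\x00-\x1F\x7F]/', $title)) {
        return null;
    }
    return $title;
}

// Output side: encode for HTML at the moment the value is printed.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

// Constructed input: a harmless title with characters the stack rewrites.
$posted = "Tom & Jerry's \"Best Of\"";

// 1) Sanitizer() path. htmlentities() has already turned & and " into
// entities before the value reaches SQL; addslashes() escapes the apostrophe.
$mangled = Sanitizer($posted);
printf("Sanitizer() output:   %s\n", $mangled);
// After a string-concatenated INSERT the DB holds it without the backslash;
// encoding it again on display gives the visitor a literal "&amp;".
printf("Sanitizer() display:  %s\n", h(stripslashes($mangled)));

// 2) Validate, bind, encode on output. The driver does the quoting, the DB
// holds the title exactly as typed, and the page shows it correctly.
$title = validateTitle($posted);
if ($title === null) {
    exit("rejected\n");
}
$stmt = $db->prepare('INSERT INTO videos (title) VALUES (:title)');
$stmt->execute(array(':title' => $title));
$row = $db->query('SELECT title FROM videos')->fetch(PDO::FETCH_ASSOC);
printf("stored raw:           %s\n", $row['title']);
printf("display:              %s\n", h($row['title']));
```

The point of the side-by-side is that htmlentities() and addslashes() each belong to one output context (HTML and a string-concatenated SQL literal). Applied at input they commit the stored value to those contexts, so any other use of the data (a second HTML encode on display, a feed, a search) sees `&amp;` and backslashes instead of the title. Bound parameters make addslashes() unnecessary for SQL, and encoding at print time makes the HTML case correct regardless of what else the data is used for.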
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
Posted: Thu Jan 21, 2010 7:48 am

What is $variable ... the video itself or a file name? If it's a file name I think I'd want to write the filter to make sure it is a legitimate file name or else reject it. Certainly it should have no html in it but if someone tried to insert html I think I'd want to reject their input entirely, not just "sanitize" it. I'm guessing there is a limited list of extensions the files can have, so you'd want to filter to make sure it is one of those.

I'm also guessing that there is some function or program out there that will actually look at the contents of the video file and make sure it is legitimate. I'd want to incorporate that.
 
Dawg
Posted: Thu Jan 21, 2010 8:41 am

I am building this as a stand alone first....then I HOPE to make it a nuke MOD after I get it working.

On the admin side of things.....You have a form. Admin fills out the form with Title, Category and Embed Code.

Code is where it gets tricky to me....It can be one of two things....

Code 1
Code:
<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/3tX1ElrtA6s&hl=en_US&fs=1&"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/3tX1ElrtA6s&hl=en_US&fs=1&" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object>


or Code 2 (what I want Code 1 to look like after I strip all the crap out of it.)

Code:
3tX1ElrtA6


The idea behind this is to add videos by just dropping the embed code and having the MOD pull all the data ie: images and player from YouTube.

If it is a new video....you get FULL embed code.
If it is an edited video you just get 3tX1ElrtA6

I also have a Title ie: "Billybob goes to washington"
and a Category that is passed as $catid ie: "catid = 3"

I hope this makes sense......

I would be happy to show you a working example by PM if it makes it easier to understand.

Thank You for the help....I am a wannabe at best. (but it is FUN to write this stuff)

Dawg
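An added example, not code from the thread or from RavenNuke, that covers fkelly's point above (reject input that does not fit, rather than "sanitize" it) together with the Code 1 to Code 2 reduction Dawg describes: both the full `<object>`/`<embed>` markup and a bare ID are reduced to a validated YouTube video ID, and anything else is refused. The 11-character `[A-Za-z0-9_-]` ID shape is YouTube's; the function names, the category list and the sample inputs are assumptions made for the example.

```php
<?php
// Added example (not code from the original thread): accept either the full
// YouTube <object>/<embed> markup or a bare video ID, reduce both to a
// validated ID, and reject anything else instead of trying to clean it.
// The 11-character [A-Za-z0-9_-] ID format is YouTube's; the function
// names, the known-category list and the sample inputs are assumptions.

function extractYouTubeId($input)
{
    $input = trim($input);

    // Code 2 from the post: the admin pasted just the ID.
    if (preg_match('/^[A-Za-z0-9_-]{11}$/', $input)) {
        return $input;
    }

    // Code 1: full embed markup. Pull the ID out of the /v/<id> URL rather
    // than stripping the markup around it; the markup itself is never kept.
    if (preg_match('#youtube\.com/v/([A-Za-z0-9_-]{11})(?:[&?"\']|$)#', $input, $m)) {
        return $m[1];
    }

    return null; // reject: not a shape we recognise
}

function validateCategoryId($catid, array $known)
{
    // Must be a plain integer string and one of the categories we have.
    if (!preg_match('/^\d+$/', (string)$catid)) {
        return null;
    }
    $catid = (int)$catid;
    return in_array($catid, $known, true) ? $catid : null;
}

// The only place markup is generated: built from the validated ID on our own
// URL template, with htmlspecialchars() on anything that came from the form.
function renderPlayer($id, $title)
{
    $safeId    = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
    $safeTitle = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    $url = 'http://www.youtube.com/v/' . $safeId . '&amp;hl=en_US&amp;fs=1&amp;';
    return '<p>' . $safeTitle . '</p>' . "\n"
        . '<object width="425" height="344">'
        . '<param name="movie" value="' . $url . '"></param>'
        . '<param name="allowFullScreen" value="true"></param>'
        . '<embed src="' . $url . '" type="application/x-shockwave-flash"'
        . ' allowfullscreen="true" width="425" height="344"></embed>'
        . '</object>';
}

// Constructed inputs standing in for $_POST['code'].
$samples = array(
    'full embed' => '<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/3tX1ElrtA6s&hl=en_US&fs=1&"></param><embed src="http://www.youtube.com/v/3tX1ElrtA6s&hl=en_US&fs=1&" type="application/x-shockwave-flash"></embed></object>',
    'bare id'    => '3tX1ElrtA6s',
    'other host' => '<object><param name="movie" value="http://evil.example/v/3tX1ElrtA6s"></param></object>',
    'script'     => '"><script>alert(1)</script>',
);
$knownCats = array(1, 2, 3);

foreach ($samples as $label => $code) {
    $id = extractYouTubeId($code);
    printf("%-10s => %s\n", $label, $id === null ? 'REJECTED' : $id);
}

// Title and category as they would arrive from the same form.
$catid = validateCategoryId('3', $knownCats);
$id    = extractYouTubeId($samples['full embed']);
if ($catid === null || $id === null) {
    exit("rejected\n");
}
echo renderPlayer($id, 'Billybob goes to washington'), "\n";
```

Because only the ID survives validation, the pasted markup never reaches the database or the page: the player is rebuilt from a fixed template, so an attribute, host or script smuggled into the embed code has nothing to attach to. The category check does the same for `$catid`, accepting an integer only if it is one the site actually has.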
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours