filtering user input


tbach2
10-01-2003, 08:41 PM
We all know we shouldn't trust user input. Any problems with this function or easier ways to do it?

// cleanse variables

function assign($variable,$type,$restrictions) {
    $temp = '';
    $match = array();
    // pull the raw value from the requested superglobal (empty string if absent)
    switch($type) {
        case 'get':     $temp = isset($_GET[$variable])     ? $_GET[$variable]     : ''; break;
        case 'post':    $temp = isset($_POST[$variable])    ? $_POST[$variable]    : ''; break;
        case 'request': $temp = isset($_REQUEST[$variable]) ? $_REQUEST[$variable] : ''; break;
        case 'cookie':  $temp = isset($_COOKIE[$variable])  ? $_COOKIE[$variable]  : ''; break;
    }
    // capture the first run of allowed characters into $match[1]
    switch($restrictions) {
        case 'alpha':    preg_match("/([a-zA-Z ,\.]+)/",$temp,$match); break;
        case 'alphanum': preg_match("/([a-zA-Z0-9 ,\.]+)/",$temp,$match); break;
        case 'num':      preg_match("/([0-9]+)/",$temp,$match); break;
        case 'email':    preg_match("/^(([a-zA-Z0-9_-]*\.*)*[a-zA-Z0-9_-]+@[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+)/",$temp,$match); break;
        case 'blob':     $match[1] = $temp; break;
    }
    // only assign when the pattern actually captured something
    if(isset($match[1]) && $match[1]!='') {
        global $$variable;
        $$variable = $match[1];
        return true;
    }
    return false;
}

// suppose you want to strip any non-alphanumeric stuff out of $_POST['username']

assign('username','post','alphanum');
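
Added example (my code, not from the thread) contrasting the extracting capture above with a validate-and-reject variant; assign_strict() and assign_extract() are my names, and the $post array is constructed sample input standing in for $_POST.

```php
<?php
// Added example, not code from the thread. assign_strict() is my name for a
// validate-and-reject variant of tbach2's assign(); assign_extract() keeps the
// original unanchored capture for comparison.

// Validates $source[$name] against a whole-string whitelist pattern.
// Returns the untouched value on success, or null if it is missing or invalid.
function assign_strict(array $source, $name, $restriction) {
    static $patterns = array(
        'alpha'    => '/^[a-zA-Z ,.]+$/',    // anchored: the whole value must match
        'alphanum' => '/^[a-zA-Z0-9 ,.]+$/',
        'num'      => '/^[0-9]+$/',
    );
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;                         // absent or non-string input
    }
    if (!isset($patterns[$restriction])) {
        return null;                         // unknown restriction: refuse, do not pass through
    }
    return preg_match($patterns[$restriction], $source[$name]) ? $source[$name] : null;
}

// The original approach: an unanchored capture returns only the first run of
// allowed characters, so a tagged value yields the letters inside the tag
// rather than a rejection. The caller cannot tell a cleaned value from a clean one.
function assign_extract($value, $pattern) {
    return preg_match($pattern, $value, $m) ? $m[1] : '';
}

// Constructed sample input standing in for $_POST.
$post = array(
    'username' => '<b>bob</b>',
    'age'      => '42',
    'note'     => 'hi, there.',
);

echo "extract: ", assign_extract($post['username'], '/([a-zA-Z0-9 ,\.]+)/'), "\n";
foreach (array('username' => 'alphanum', 'age' => 'num', 'note' => 'alpha') as $field => $rule) {
    $v = assign_strict($post, $field, $rule);
    echo "$field ($rule): ", ($v === null ? 'rejected' : $v), "\n";
}

// Whitelisting on input does not replace encoding on output (the htmlentities()
// point raised in this thread): whatever reaches an HTML page is escaped there.
echo '<p>', htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8'), "</p>\n";
```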

Moonglobe
10-01-2003, 09:21 PM
you could add support for '_' and '-'. many people use these in their input and it would be wise to allow them in alpha & alphanum.

Merve
10-01-2003, 09:29 PM
htmlentities() (www.php.net/htmlentities) is also a good idea so that people can't execute HTML to get porn pics displayed from another site or something dumb like that...there's worse.

Moonglobe
10-01-2003, 09:31 PM
Merve you say that a lot now i've noticed :p


but anyway why would he need to? he's not allowing < or > in his regex's....

Merve
10-01-2003, 09:33 PM
People can type greater than or less than signs without typing &gt; or &lt;. I don't see where they are in his PCREs.

And yes I do say that a lot. A lot of people forget it. :)

Moonglobe
10-01-2003, 09:36 PM
ok so since when did the board start rejecting my entity references......

anyway i meant < and >. the above post has been edited. all i'm saying is that HTML can't get it, it would be caught by the regexes.

Merve
10-01-2003, 09:46 PM
Please forgive me for being so stubborn Moonglobe, but I don't see < or > in his regexes...if there's something about PCRE that I don't know about that I'd really like to know.

Moonglobe
10-01-2003, 09:47 PM
Originally posted by Merve
Please forgive me for being so stubborn Moonglobe, but I don't see < or > in his regexes...if there's something about PCRE that I don't know about that I'd really like to know.

that's the point...... they're not there. what IS there is what's allowed. that's it.

Merve
10-01-2003, 09:58 PM
I apologise Moonglobe for my stubbornness and stupidity. I should have taken the time to read over the code. Actually, I don't think it can be improved, great code! But one must admit, htmlentities() rocks!

Sorry...but it does...and if you agree with me...well too bad!

:D:D:D:D

Moonglobe
10-01-2003, 09:59 PM
Originally posted by Merve
Sorry...but it does...and if you agree with me...well too bad!

but i do agree with you....:confused:

;)