php-general
Re: [PHP] Functions
by Richard Lynch
Jun 30 2006 12:51PM
On Fri, June 30, 2006 12:00 am, benc11@[...].com wrote:
>  I am trying to create a function to clean up variables that are user
>  inputted from a form.  I am not getting this script to work.  Can
>  anyone help.
> 
>  ---Start Script---
>  function cleaner($var)
>  {
>  trim(strip_tags(ucfirst(addslashes($var))));
>  }
> 
>  $var = "abc's";
> 
>  echo $var;
>  ---End Script---
> 
>  When I run the above script it produces nothing. Instead of a result
>  of "Abc\'s".

At the simplistic level, the problem is that you are not using
"return" to actually RETURN the answer, so you do all that work and
throw away the result.

return trim(strip_tags(ucfirst(addslashes($var))));


At a higher level, the problem is that you are basically doing several
things very very very wrong here...

#1. addslashes should be replaced with the database-specific escaper,
such as mysql_real_escape_string, or you should use prepared
statements so that the DB cannot possibly mistake data for SQL.

#2. Don't alter the case of the input data, if at all possible.
Accept what the user has given, and take it as it is.  You can make
your application not care about case, and you can format the case on
output (maybe even with fancy CSS stuff) but don't mess with their
input.

#3. strip_tags should probably happen first...  Otherwise the escaping
of the data going into the DB could, possibly, be defeated by clever
arrangement of HTML tags that disguise the invalid data.

#4. There is a complete lack of actual validation here...  You'd be
WAY better off to make sure the incoming data is what you expect, and
not accept bad input, than to just blindly strip_tags on it.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
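The following is an added example, not Richard Lynch's code and not the original poster's script. It applies the four points from the reply above to the poster's `cleaner` idea: the function actually returns its result, the input is validated against an explicit pattern instead of being blindly run through `strip_tags`, the user's case is kept on input and only formatted at output time, and the value reaches the database through a PDO prepared statement rather than `addslashes`. The PDO DSN, credentials and the `users` table with its `name` column are assumed placeholders; the fallback value `"abc's"` is the poster's own sample input.

```php
<?php
// Added example; not the code from the thread. The database DSN,
// credentials and the "users" table are placeholders.

// Validate rather than sanitize: accept only what the application
// expects and reject everything else. Returns the value to store,
// or null when the input is not acceptable.
function validate_name($input)
{
    if (!is_string($input)) {
        return null;
    }
    $name = trim($input);
    // Letters, spaces, apostrophes and hyphens, 1 to 60 characters.
    // The user's own case is left untouched (point #2 in the reply).
    if (!preg_match('/^[A-Za-z\' -]{1,60}$/', $name)) {
        return null;
    }
    return $name;
}

// Formatting and escaping happen at output time, not on input.
// htmlspecialchars keeps the stored value from being read as HTML.
function display_name($name)
{
    return htmlspecialchars(ucfirst($name), ENT_QUOTES, 'UTF-8');
}

// Prepared statement: the driver keeps data and SQL apart, so the
// value needs no addslashes or mysql_real_escape_string (point #1).
function store_name(PDO $db, $name)
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    return $stmt->execute(array(':name' => $name));
}

// "abc's" is the original poster's sample value, used when no form
// field was submitted.
$submitted = isset($_POST['name']) ? $_POST['name'] : "abc's";

$name = validate_name($submitted);
if ($name === null) {
    // Bad input is refused, not "cleaned" into something else (point #4).
    echo 'Invalid name.';
    exit;
}

// Placeholder connection details.
$db = new PDO('mysql:host=localhost;dbname=example', 'user', 'password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
store_name($db, $name);

echo display_name($name);
```

The pattern in `validate_name` is deliberately narrow; widen it only for the characters a given field genuinely needs, since every character allowed in is a character that has to be handled correctly at every later output point.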