

rh at richardhoward dot net
13 years ago
<?php
/**
Utility class: static methods for cleaning & escaping untrusted (i.e.
user-supplied) strings.

Any string can (usually) be thought of as being in one of these 'modes':

pure = what the user actually typed / what you want to see on the page /
       what is actually stored in the DB
gpc  = incoming GET, POST or COOKIE data
sql  = escaped for passing safely to RDBMS via SQL (also, data from DB
       queries and file reads if you have magic_quotes_runtime on--which
       is rare)
html = safe for html display (htmlentities applied)

Always knowing what mode your string is in--using these methods to
convert between modes--will prevent SQL injection and cross-site scripting.

This class refers to its own namespace (so it can work in PHP 4--there is no
self keyword until PHP 5). Do not change the name of the class w/o changing
all the internal references.

Example usage: a POST value that you want to query with:
$username = Str::gpc2sql($_POST['username']);
*/

// This sets SQL escaping to use slashes; for Sybase(/MSSQL)-style escaping
// ( ' --> '' ), set to true.
define('STR_SYBASE', false);

class Str
{
    // gpc -> sql: undo magic quotes, then escape (and optionally truncate) for SQL.
    function gpc2sql($gpc, $maxLength = false)
    {
        return Str::pure2sql(Str::gpc2pure($gpc), $maxLength);
    }

    // gpc -> html: undo magic quotes, then escape (and optionally truncate) for HTML.
    function gpc2html($gpc, $maxLength = false)
    {
        return Str::pure2html(Str::gpc2pure($gpc), $maxLength);
    }

    // gpc -> pure: strip whatever magic_quotes added to incoming data.
    // magic_quotes_gpc and magic_quotes_sybase were removed in PHP 5.4, so
    // get_magic_quotes_gpc() may not exist; in that case the data is already pure.
    function gpc2pure($gpc)
    {
        if (ini_get('magic_quotes_sybase')) {
            $pure = str_replace("''", "'", $gpc);
        } else {
            $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
            $pure = $magic ? stripslashes($gpc) : $gpc;
        }
        return $pure;
    }

    // html -> pure: reverse of pure2html.
    function html2pure($html)
    {
        return html_entity_decode($html);
    }

    // html -> sql: decode entities first, then escape for SQL.
    function html2sql($html, $maxLength = false)
    {
        return Str::pure2sql(Str::html2pure($html), $maxLength);
    }

    // pure -> html: truncate the pure string (never the escaped one), then encode.
    function pure2html($pure, $maxLength = false)
    {
        return $maxLength ? htmlentities(substr($pure, 0, $maxLength))
                          : htmlentities($pure);
    }

    // pure -> sql: truncate BEFORE escaping so a trailing backslash can never be
    // produced by cutting an escape sequence in half.
    function pure2sql($pure, $maxLength = false)
    {
        if ($maxLength) $pure = substr($pure, 0, $maxLength);
        return STR_SYBASE ? str_replace("'", "''", $pure)
                          : addslashes($pure);
    }

    // sql -> html: unescape to pure, truncate, then encode for display.
    function sql2html($sql, $maxLength = false)
    {
        $pure = Str::sql2pure($sql);
        if ($maxLength) $pure = substr($pure, 0, $maxLength);
        return Str::pure2html($pure);
    }

    // sql -> pure: reverse of pure2sql.
    function sql2pure($sql)
    {
        return STR_SYBASE ? str_replace("''", "'", $sql)
                          : stripslashes($sql);
    }
}
?>
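The "always know which mode a string is in" discipline from the note above, carried over to current PHP, as an added example that is not part of the original note: magic_quotes is gone (removed in PHP 5.4), so gpc data is already pure; the sql mode disappears entirely because the pure string is bound as a query parameter instead of being escaped into the SQL text; and the html mode uses htmlspecialchars with an explicit charset and ENT_QUOTES. It also shows why the note's pure2sql truncates before escaping rather than after. Assumed: PHP 7.4 or later with the pdo_sqlite and mbstring extensions (an in-memory SQLite database is used so it runs offline); the class name SafeStr, the users table and the sample input are all constructed for this example.

```php
<?php
// Added example (not the original note's code): mode tracking for modern PHP.
// Assumes pdo_sqlite and mbstring are loaded; all strings are UTF-8.

final class SafeStr
{
    // gpc -> pure: there is no magic_quotes to undo any more, so the only
    // work is refusing input that is not well-formed UTF-8, so that every
    // later escaper sees the encoding it was told to expect.
    public static function gpc2pure(string $gpc): string
    {
        if (!mb_check_encoding($gpc, 'UTF-8')) {
            throw new InvalidArgumentException('input is not valid UTF-8');
        }
        return $gpc;
    }

    // pure -> html: encode & < > " ' so the value is safe as element content
    // and inside double- or single-quoted attributes. Truncate the pure
    // string by characters, never the escaped one by bytes.
    public static function pure2html(string $pure, ?int $maxLength = null): string
    {
        if ($maxLength !== null) {
            $pure = mb_substr($pure, 0, $maxLength, 'UTF-8');
        }
        return htmlspecialchars($pure, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }

    // html -> pure: inverse of pure2html, for data that was stored already escaped.
    public static function html2pure(string $html): string
    {
        return htmlspecialchars_decode($html, ENT_QUOTES | ENT_HTML5);
    }

    // There is no pure -> sql conversion: the pure string is bound as a
    // parameter, so the driver keeps data and SQL text separate and the
    // value is stored exactly as typed.
    public static function insertUser(PDO $db, string $pureName): void
    {
        $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
        $stmt->execute([':name' => $pureName]);
    }

    public static function findUser(PDO $db, string $pureName): ?string
    {
        $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
        $stmt->execute([':name' => $pureName]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row['name'];
    }
}

// Why the note's pure2sql truncates BEFORE addslashes: cutting the escaped
// string can split the two-byte sequence \' and leave a lone backslash at
// the end of the value, which then escapes the closing quote of the literal.
function truncateAfterEscape(string $pure, int $maxLength): string
{
    return substr(addslashes($pure), 0, $maxLength); // wrong order
}

function truncateBeforeEscape(string $pure, int $maxLength): string
{
    return addslashes(substr($pure, 0, $maxLength)); // the note's order
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)');

// Constructed sample input: a quote to trouble SQL, a tag to trouble HTML.
$input = SafeStr::gpc2pure("O'Reilly <script>alert(1)</script>");
SafeStr::insertUser($db, $input);

var_dump(SafeStr::findUser($db, $input) === $input);   // round-trips unchanged
echo SafeStr::pure2html($input), "\n";                 // safe for display
echo SafeStr::html2pure(SafeStr::pure2html($input)) === $input ? "decode ok\n" : "decode mismatch\n";

// Compare the two truncation orders on a value whose last character is a quote.
echo truncateAfterEscape("abc'", 4), "\n";
echo truncateBeforeEscape("abc'", 4), "\n";
```

Running it with `php example.php` shows the stored value coming back byte-for-byte identical without any sql-mode escaping, the HTML-mode string with its quote and angle brackets encoded, and the two truncation variants side by side; the "after escape" one ends in a bare backslash, which is exactly the defect the note's ordering avoids. The same ordering rule applies to pure2html: truncate the pure string, then escape, or an entity can be cut in half.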
