
I got this code from a YouTube video; the code is really useful, but I want to improve its security:

function escape($string) {
    // Trim surrounding whitespace, then encode the characters that are
    // significant in HTML (including both quote styles). This only makes the
    // value safe for HTML body/attribute output, not for SQL, JavaScript or URLs.
    $str = trim($string);
    return htmlentities($str, ENT_QUOTES, 'UTF-8');
}

together with the Input class:

class Input {

    // Report whether the request carried any data of the given kind.
    // Made static for consistency with get(), which is called as Input::get().
    public static function exists($type = 'post') {
        switch ($type) {
            case 'post':
                return !empty($_POST);
            case 'get':
                return !empty($_GET);
        }
        // Unknown type: nothing to check.
        return false;
    }

    // Return a single request value, preferring POST over GET, or '' if absent.
    // Values are returned raw; no escaping is applied here.
    public static function get($item) {
        if (isset($_POST[$item])) {
            return $_POST[$item];
        } elseif (isset($_GET[$item])) {
            return $_GET[$item];
        }
        return '';
    }

}

It would be very useful for at least most of us if it called the escape function inside the Input class, so every string of input ALWAYS gets checked even if we "forget" to call it in our apps.

So, to be short: is there a way to escape all input for most things we don't want, without the escaping making the app even slower? So it's these two scripts in combination with each other.

Thanks!

• Hmm, I recognize now that "all" input wasn't meant literally; I should've explained it better, but I don't think ANY forum is ready for that question, so I'll be patient. Thanks anyway, and dude, next time don't try to diss a video, it makes you seem weak. – Hash May 14 '14 at 21:37

1 Answer

There is nothing useful in this function, actually.
As well as in the whole youtube video, I'd say.

is there a way to escape all input

Yes, there is. Or, rather, was. There was a feature in PHP, bearing exactly the same purpose, called "magic quotes".

And it was banished from the language, as proven totally unreliable.

The fact is, there is no single set of "unwanted" characters. Each medium we are using for the output requires its own, distinct set, unrelated to the others - HTML, JS, SQL, email body, JSON string etc., etc., etc.

Moreover - no medium has a single set of escaping rules either! Say, for the browser there are different data types - URLs, HTML code, JS code - each requiring its own formatting! Same for SQL - there are strings, there are numbers, there are identifiers - one can't apply just one single function for all of them!

That's why you ought to format your data right BEFORE USE, according to the medium and the data's role in it.

Such entry-point formatting was proven insecure and useless a long time ago.

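The point the answer makes, as an added example that is not part of the question's code or the answer: the same raw input is formatted differently depending on where it is used, and for SQL it is not escaped at all but bound as a parameter. The function names, the sample input string and the in-memory SQLite database (assumes the pdo_sqlite extension) are assumptions made for this illustration.

```php
<?php
// Added example: context-specific output formatting in PHP. Not code from the
// question, the video or the answer. The input below is a constructed sample.
declare(strict_types=1);

// Constructed sample input: a value an attacker might submit through a form.
$name = "O'Brien <script>alert(1)</script> & \"co\"";

// 1. HTML body text or attribute value: encode the characters that have
//    meaning in HTML. ENT_QUOTES covers attributes delimited by either quote.
function forHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 2. URL query component: percent-encoding. HTML entities are meaningless here.
function forUrlParam(string $s): string {
    return rawurlencode($s);
}

// 3. Inline JavaScript string literal: json_encode with the HEX flags, so a
//    "</script>" inside the data cannot terminate the surrounding script element.
function forJs(string $s): string {
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// 4. SQL value: do not escape it; bind it as a parameter of a prepared statement.
function findUser(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 5. SQL identifier (column name): cannot be bound, so check it against an
//    allow-list instead of trying to "escape" it.
function orderBy(string $column): string {
    $allowed = ['id', 'name', 'created_at'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    return '`' . $column . '`';
}

// Assumption: pdo_sqlite is available. An in-memory DB keeps the example offline.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $name]);   // the raw value is stored unchanged

// The same value, formatted at the point of output for each medium.
echo "<p>Hello, " . forHtml($name) . "</p>\n";
// A URL inside an attribute needs both layers: URL-encode, then HTML-encode.
echo "<a href=\"/profile?u=" . forHtml(forUrlParam($name)) . "\">profile</a>\n";
echo "<script>var user = " . forJs($name) . ";</script>\n";

// Looked up with a bound parameter, the quote in O'Brien is data, not SQL
// syntax: the stored row is found and nothing is injected.
$rows = findUser($pdo, $name);
echo count($rows) . " row(s) found\n";
echo 'SELECT id, name FROM users ORDER BY ' . orderBy('name') . "\n";

// Contrast with entry-point escaping: had the value been passed through
// htmlentities() on the way in, the database would hold "O&#039;Brien ...",
// the lookup above would miss the real user, and the JavaScript context
// would still need its own encoding regardless.
```

Note that each formatting step happens where the value meets its medium, and the raw value is what gets stored. Applying a single HTML-oriented escape inside Input::get() would corrupt the data for every other medium while protecting only one of them.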