I propose a set-it-and-forget-it sanitization technique for POST and GET data.
While not suggesting the exact code, class structure or even use of classes I have used to describe the feature, something along the same lines may be useful.
The idea is best suggested in code:
PHP Code:
<?php
require_once("UserDataObject.class.php");
// We want to get some post data.
// Create our UserDataObject and pass it $_POST
$postdata = new UserDataObject( $_POST );
// Get something out of it with the knowledge that it is safe
$kbid = $postdata->get_var("id"); // Effectively gets sanitized $_POST['id']
?>
And the contents of UserDataObject.class.php:
PHP Code:
<?php
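class UserDataObject
{
    // Raw request array ($_POST or $_GET) wrapped by this object
    private $data;

    public function __construct( $d )
    {
        $this->data = $d;
    }

    // Return the sanitized value for $key, or null if the key is absent
    public function get_var( $key )
    {
        if ( !isset( $this->data[$key] ) ) {
            return null;
        }
        return $this->sanitize( $this->data[$key] );
    }

    private function sanitize( $data )
    {
        // data to sanitize here.. remove quotes, add slashes, whatever
        // Placeholder: the value is returned unchanged until rules are added
        return $data;
    }

    // Magic accessors must be public in PHP; they are no-ops so that
    // values can only be read through get_var()
    public function __set( $name, $value ) { }
    public function __get( $name ) { return null; }
}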
?>
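One way the `sanitize()` placeholder could be filled in, shown as an added example that is not part of the original post: typed accessors that validate each value against what the caller expects and return null otherwise. The class name `ValidatedInput`, its method names, and the sample keys are hypothetical; it assumes `id` is a positive integer key and that escaping for SQL or HTML still happens at the point of use.

```php
<?php
// Added example: per-type validation instead of one generic sanitize().
// ValidatedInput, getInt() and getString() are hypothetical names.
final class ValidatedInput
{
    private array $data;

    public function __construct(array $source)
    {
        $this->data = $source;
    }

    // Returns an int within [$min, $max], or null if missing or invalid.
    public function getInt(string $key, int $min = 0, int $max = PHP_INT_MAX): ?int
    {
        $raw = $this->data[$key] ?? null;
        if (!is_string($raw)) {
            // Request parameters can arrive as arrays (id[]=1); refuse them.
            return null;
        }
        $value = filter_var($raw, FILTER_VALIDATE_INT, [
            'options' => ['min_range' => $min, 'max_range' => $max],
        ]);
        return $value === false ? null : $value;
    }

    // Returns the string if it fully matches $pattern and fits $maxLen, else null.
    public function getString(string $key, string $pattern, int $maxLen = 255): ?string
    {
        $raw = $this->data[$key] ?? null;
        if (!is_string($raw) || strlen($raw) > $maxLen) {
            return null;
        }
        return preg_match($pattern, $raw) === 1 ? $raw : null;
    }
}

// Constructed sample input standing in for $_POST.
$sample = ['id' => '42', 'bad' => '42 OR 1=1', 'arr' => ['1'], 'slug' => 'kb-article_7'];
$in = new ValidatedInput($sample);

var_dump($in->getInt('id', 1));                          // well-formed integer
var_dump($in->getInt('bad', 1));                         // trailing text after the digits
var_dump($in->getInt('arr', 1));                         // array where a scalar is expected
var_dump($in->getString('slug', '/\A[a-z0-9_-]+\z/'));   // allow-listed characters only
```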