<?php
// Strips every character that is not a digit. Note this silently turns "-5"
// into "5" and "1.5e3" into "153" instead of rejecting malformed input.
function intfix($i)
{
    $i = preg_replace('/[^\d]/', '', $i);
    if (!strlen($i)) {
        $i = 0;
    }
    return $i;
}

// HTML-encodes a string as UTF-8; arrays are passed through untouched.
function textfix($text = "")
{
    if (!is_array($text)) {
        $text = htmlentities($text, ENT_QUOTES, "UTF-8");
    }
    return $text;
}
These two functions filter all the user submitted variables. Do you think it is secure enough?
I’m a little confused about character encoding. I want to allow my users to play around with ASCII art and use any kind of symbols they want, but at the moment it doesn’t seem to be possible. What should be done? It may have something to do with the table’s encoding as well as my functions.
EDIT:
The numbers actually are really big. Sometimes in trillions.
This is an example of how I filter user input:
<?php
// Both checks use !empty() so an absent parameter does not raise an undefined-index notice.
if (!empty($_GET['number'])) {
    $number = intfix($_GET['number']);
}
if (!empty($_GET['text'])) {
    $text = textfix($_GET['text']);
}
Is that the mistake you are talking about?
Also, this is how I filter them before inserting to the db:
<?php
// Runs just before the text is inserted into the database.
// bbcode() and textWrap() are the poster's own helpers and are not shown here.
function filter($input, $s = 1)
{
    $input = strip_tags($input, "");
    $input = str_replace("\n", "<br />", $input);
    if ($s == 1) {
        $input = bbcode($input); // smileys and bbcode
    }
    $input = textWrap($input); // wordwrap without breaking html
    return $input;
}

// Reverses textfix()/filter() for the case where the text has to be shown in a textbox again.
function unfilter($input)
{
    $input = html_entity_decode($input, ENT_QUOTES, "UTF-8");
    $input = str_replace("<br />", "\n", $input);
    return $input;
}
Replace intfix with intval() or floatval() – you are reinventing the wheel unless you are expecting very large numbers. I hope you are not using textfix() on input?? That would be a very big mistake. You must encode entities ONLY on output, not on input. For UTF-8 you probably need:
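The two points the comment makes (numbers in the trillions are not safe with intval() on every build, and entities belong on output, not on input), worked through as an added PHP example. This is not code from the question or the comment; the `posts` table, its columns, the DSN and the credentials are assumptions made for the example.

```php
<?php
// Added example, not the poster's code. Assumes a MySQL table
// posts(number BIGINT UNSIGNED, body TEXT) with utf8mb4 columns (assumption).
declare(strict_types=1);

// Validate a non-negative integer of any size as a digit string.
// intval() is avoided on purpose: on overflow it clamps to PHP_INT_MAX
// (2147483647 on 32-bit builds), so a value in the trillions would be
// silently corrupted instead of rejected.
function validateBigInt(string $raw): ?string
{
    $raw = trim($raw);
    if ($raw === '' || !ctype_digit($raw)) {
        return null; // reject rather than "repair" by stripping characters
    }
    $raw = ltrim($raw, '0');
    return $raw === '' ? '0' : $raw;
}

// The only place HTML entities are produced: at output time.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store the text exactly as typed. The prepared statement, not entity
// encoding, keeps it out of the SQL; charset=utf8mb4 in the DSN keeps
// multi-byte symbols intact on the way in and out.
function storePost(PDO $db, string $number, string $body): void
{
    $stmt = $db->prepare('INSERT INTO posts (number, body) VALUES (:number, :body)');
    $stmt->execute([':number' => $number, ':body' => $body]);
}

// Render a stored post. <pre> preserves the spacing of ASCII art, and the
// text is escaped here, once, so the database never holds "<br />" or "&amp;".
function renderPost(array $row): string
{
    return '<pre class="post">' . e($row['body']) . "</pre>\n";
}

// Refilling a textarea needs no unfilter(): the raw body is simply escaped again.
function renderEditBox(array $row): string
{
    return '<textarea name="text">' . e($row['body']) . '</textarea>';
}

// Constructed request for the example; a real page reads $_GET or $_POST.
$request = [
    'number' => '5000000000000',
    'text'   => "  /\\_/\\\n ( o.o ) <b>not bold</b>\n",
];

$number = validateBigInt($request['number']);
if ($number === null) {
    http_response_code(400);
    exit('number must be a non-negative integer');
}

$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
storePost($db, $number, $request['text']);

$stmt = $db->prepare('SELECT number, body FROM posts WHERE number = :number');
$stmt->execute([':number' => $number]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

echo renderPost($row);     // the <b> tag is shown literally, never interpreted
echo renderEditBox($row);  // same raw text, escaped for the textarea
```

With the raw text stored, the newline-to-`<br />` step and the bbcode/smiley step from the poster's filter() also move to the rendering side, after escaping, so they can be changed later without rewriting every row in the table.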