Possible Duplicate:
The ultimate clean/secure function
I was informed in another thread that this bit of code was pretty useless:
function getPost($s) {
    // Escapes for HTML first, then for MySQL, before the caller ever sees the value.
    // mysql_real_escape_string() needs the legacy mysql extension and an open connection.
    if (array_key_exists($s, $_POST))
        return mysql_real_escape_string(htmlspecialchars($_POST[$s]));
    else
        return false;
}

function getGet($s) {
    // Same double escaping, applied to query-string parameters.
    if (array_key_exists($s, $_GET))
        return mysql_real_escape_string(htmlspecialchars($_GET[$s]));
    else
        return false;
}
Can anybody help understand why and how I can make it better please? Links or references are welcome also.
Just trying to always improve 🙂
Well, it’s bad for the same reason magic_quotes_gpc is bad. It’s magic and will escape everything, whether you want it to or not. Instead, handle the escaping where it’s used, and you can change things without any problem. So:

And do your escaping where it’s needed. Otherwise, things can look strange, and unescaping them will defeat the point. Consider this: I input my last name, O'Hara, in a textbox. You want to echo it back, but you fetch it using getPost. Here’s what I get back:

Did you htmlspecialchars it again? Well, then I get:

or something. This happens to me a lot and it’s incredibly annoying – please don’t do it.
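The O'Hara case described in the answer, as an added example that is not code from the question or the answer: the first function reproduces the questioner's fetch-time escaping, the second returns the raw value, and the value is then escaped once at the point where it is echoed. addslashes() stands in for mysql_real_escape_string() so the script runs without a MySQL connection (both turn ' into \'); the PDO lines at the end are a hypothetical sketch with placeholder connection details.

```php
<?php
// Added example, not code from the question or the answer above.
// Demonstrates why escaping at fetch time mangles output, and the
// alternative the answer recommends: fetch raw, escape where the value is used.

// Constructed sample input standing in for a submitted form field.
$_POST['lastname'] = "O'Hara";

// The questioner's pattern: escape for HTML and for SQL on the way in.
// addslashes() stands in for mysql_real_escape_string() so this runs without
// a MySQL connection. ENT_COMPAT (leave single quotes alone) is passed
// explicitly so the result does not depend on the PHP version's default flags.
function getPostEscaped(string $key)
{
    if (!array_key_exists($key, $_POST)) {
        return false;
    }
    return addslashes(htmlspecialchars($_POST[$key], ENT_COMPAT));
}

// The alternative: return the raw value and leave escaping to the caller.
function getPostRaw(string $key)
{
    return array_key_exists($key, $_POST) ? $_POST[$key] : false;
}

// Escape for the one context the value is about to be used in: HTML text.
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$escaped = getPostEscaped('lastname');
// The SQL-style escaping leaks straight into the page.
echo "fetched pre-escaped, echoed as-is:  ", $escaped, "\n";
// Escaping a second time does not undo the first; it encodes on top of it.
echo "fetched pre-escaped, escaped again: ", forHtml($escaped), "\n";

$raw = getPostRaw('lastname');
// Escaped exactly once, for the context it is used in.
echo "fetched raw, escaped at output:     ", forHtml($raw), "\n";

// For SQL, bind the raw value instead of escaping it into the query string,
// so what is stored is exactly what the user typed. Hypothetical PDO handle;
// the DSN and credentials are placeholders.
// $pdo  = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret');
// $stmt = $pdo->prepare('INSERT INTO people (lastname) VALUES (:lastname)');
// $stmt->execute([':lastname' => $raw]);
```

Run from the CLI, the first line prints O\'Hara (the backslash the SQL escaping added is now part of the page text), the second prints O\&#039;Hara (the backslash is still there and the apostrophe is now entity-encoded as well), and the third prints O&#039;Hara, which a browser renders as O'Hara. Keeping the stored and fetched value raw and escaping once per output context is what lets the HTML layer and the SQL layer each do their own job.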