Just figured I would let everyone know of 2 very useful functions I use when developing websites.

1. Clear all of your incoming variables.

    function strip_bads($var)
    {
        // whatever clearing of variables you prefer.
        return strip_tags($var);
    }

    // Creates a $p_<fieldname> variable for every POST field, already cleaned.
    foreach ($_POST as $key => $value) {
        ${'p_' . $key} = strip_bads($value);
    }

Could also do this for your gets. An incoming $_POST['username'] would be $p_username and it would be cleared and much easier to work with.

2. Check your arrays in readable format.

    function pre($array)
    {
        echo '<pre>';
        print_r($array);
        echo '</pre>';
    }

Both of these functions will save you some serious debug and coding time. Hope it helps, thanks!
Nice. Here's a more useful function:

    if (get_magic_quotes_gpc()) {
        // Recursively remove the backslashes that magic_quotes_gpc added to every string.
        function stripslashes_deep($value)
        {
            $value = is_array($value)
                ? array_map('stripslashes_deep', $value)
                : stripslashes($value);
            return $value;
        }

        $_POST    = array_map('stripslashes_deep', $_POST);
        $_GET     = array_map('stripslashes_deep', $_GET);
        $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
        $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
    }

It fixes the problem with magic quotes. But it's scheduled to be removed in PHP6.
To stop null byte poisoning, don't even bother showing them the page if they've tried to put '\0' in the URL - there is no legit reason to do that.

    // Thank you ModX :)
    // Decode the query string first so an encoded %00 is caught as well.
    if (isset($_SERVER['QUERY_STRING']) && strpos(urldecode($_SERVER['QUERY_STRING']), chr(0)) !== false) {
        die();
    }
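Putting the input pass from the first post and the null byte check from the last post together in one request-scrubbing step, as an added example that is not code from this thread. It assumes a form field named username and, for the SQL part, a hypothetical existing PDO connection in $pdo.

```php
<?php
// Added example, not from the thread: combines the input pass from post 1 with the null
// byte check from post 3, but walks nested arrays (a field named tags[] arrives as an
// array, which strip_tags() cannot take) and answers with a 400 instead of a bare die().

// Reject the request if any string, at any depth, carries a null byte. $_GET/$_POST are
// already URL-decoded, so an encoded %00 is caught here without a separate urldecode().
function reject_null_bytes($value): void
{
    if (is_array($value)) {
        foreach ($value as $v) {
            reject_null_bytes($v);
        }
    } elseif (is_string($value) && strpos($value, "\0") !== false) {
        http_response_code(400);
        exit('Bad request');
    }
}

// Recursive version of strip_bads(); returns an array, so values stay as $p['username']
// rather than being spread into $p_username variable variables.
function strip_bads_deep($value)
{
    return is_array($value)
        ? array_map('strip_bads_deep', $value)
        : strip_tags((string) $value);
}

// strip_tags() is not an output encoder: escape for the HTML context at echo time.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// ...and bind values for SQL instead of hoping the input pass made them safe.
function find_user_id(PDO $pdo, string $username): ?int
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

foreach ([$_GET, $_POST, $_COOKIE] as $bag) {
    reject_null_bytes($bag);
}
$p = strip_bads_deep($_POST);
// $pdo is assumed to be an existing PDO connection (hypothetical, not created here).
$id = isset($pdo) ? find_user_id($pdo, $p['username'] ?? '') : null;
echo '<p>Hello, ' . h($p['username'] ?? 'guest') . ($id !== null ? " (#$id)" : '') . '</p>';
```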