Confused

Ok, am I dreaming or what?
The html page posts to upload.processor.php (make sure you upload an image).
Just prior to the INSERT in the db I clean the values and check to see that the values are actually cleaned.
When the script runs it echoes blank values for the returned POST (stuff like )
However, it appears in the db???
I'm sure it will be embarrassing when you guys tell me why :slight_smile:

[code]

<title>Untitled 3</title>

Upload Form


<?php include('includes/year.inc'); ?> <?php include('includes/make.inc');?> <?php include('includes/body_style.inc'); ?> <?php include('includes/drivetrain.inc'); ?>
<?php include('includes/trans.inc');?> Engine: Ext Color: Int Color:
Mileage: Vin Number: Price:

Image File:



[/code]

[php]// filename: upload.processor.php

// first let's set some variables

// make a note of the current working directory, relative to root.
$directory_self = str_replace(basename($_SERVER['PHP_SELF']), '', $_SERVER['PHP_SELF']);
//echo $directory_self.'uploaded_files/';

// make a note of the directory that will receive the uploaded file
$uploadsDirectory = $_SERVER['DOCUMENT_ROOT'] . $directory_self . 'uploaded_files/';

// make a note of the location of the upload form in case we need it
$uploadForm = 'http://' . $_SERVER['HTTP_HOST'] . $directory_self . 'add_car.php';

// fieldname used within the file of the HTML form
$fieldname = 'file';

// Now let's deal with the upload

// possible PHP upload errors
$errors = array(1 => 'php.ini max file size exceeded',
2 => 'html form max file size exceeded',
3 => 'file upload was only partial',
4 => 'no file was attached');

// check for PHP's built-in uploading errors
($_FILES[$fieldname]['error'] == 0)
or error($errors[$_FILES[$fieldname]['error']], $uploadForm);

// check that the file we are working on really was the subject of an HTTP upload
@is_uploaded_file($_FILES[$fieldname]['tmp_name'])
or error('not an HTTP upload', $uploadForm);

// validation... since this is an image upload script we should run a check
// to make sure the uploaded file is in fact an image. Here is a simple check:
// getimagesize() returns false if the file tested is not an image.
@getimagesize($_FILES[$fieldname]['tmp_name'])
or error('only image uploads are allowed', $uploadForm);

//echo $_FILES[$fieldname]['tmp_name'];

// make a unique filename for the uploaded file and check it is not already
// taken... if it is already taken keep trying until we find a vacant one
// sample filename: 1140732936-filename.jpg
$now = time();
while(file_exists($uploadFilename = $uploadsDirectory.$now.'-'.$_FILES[$fieldname]['name']))
{
$now++;
}

$image = $now.'-'.$_FILES[$fieldname]['name'];
//var_dump($image);
// now let's move the file to its final location and allocate the new filename to it
@move_uploaded_file($_FILES[$fieldname]['tmp_name'], $uploadFilename)
or error('receiving directory insufficient permission', $uploadForm);

//connect to db (the mysql_* extension is deprecated in PHP 5.5 and removed in PHP 7)
$link = mysql_connect('localhost','root','XXXXX') or die (mysql_error());
$db = mysql_select_db('used_cars') or die (mysql_error());
//var_dump($db);

include_once('clean_values.inc');
clean_values($_POST);
foreach ($_POST as $field => $value){
echo "$field"."-->"."$value"."\n";
}

$date = date("Y-m-d");
// note: the raw $_POST values are interpolated into the SQL string here, unescaped;
// nothing returned by clean_values() is used
$result = mysql_query("INSERT INTO cars (id, year, make, body_style, engine, trans, drivetrain, ext_color, int_color, mileage, vin, image, price, sold, date)
VALUES ('','$_POST[year]','$_POST[make]','$_POST[body_style]','$_POST[engine]','$_POST[trans]','$_POST[drivetrain]',
'$_POST[ext_color]','$_POST[int_color]','$_POST[mileage]','$_POST[vin]','$image','$_POST[price]','$_POST[sold]','$date')")
or die (mysql_error());
//header("Location: http://localhost/joomla/index.php?option=com_jumi&fileid=2&Itemid=28");
echo "upload successful";
// If you got this far, everything has worked and the file has been successfully saved.
// We are now going to redirect the client to a success page.
//header('Location: ' . $uploadSuccess);

// The following function is an error handler which is used
// to output an HTML error page if the file upload fails
// (the HTML markup of the page was lost in the forum post; only the text survives)
function error($error, $location, $seconds = 5)
{
header("Refresh: $seconds; URL=\"$location\"");
echo ''."\n\n".
''."\n".
' '."\n".
' '."\n\n".
' '."\n\n".
' Upload error'."\n\n".
' '."\n\n".
' '."\n\n".
''."\n\n".
'Upload failure'."\n\n".
'An error has occurred: '."\n\n".
' ' . $error . '...'."\n\n".
' The upload form is reloading'."\n\n".
''."\n\n".
'';
exit;
} // end error handler
[/php]

[php]function clean_values(){

$san_str = filter_var("$value",FILTER_SANITIZE_STRING);
$sp_char = filter_var($san_str,FILTER_SANITIZE_SPECIAL_CHARS);
$htmlsp = htmlspecialchars($sp_char);
$trim = trim($sp_char);
$strip = strip_tags($trim);
$strip = array ("$field"."$value")."<br />";
return($_POST);

} [/php]

Something tells me you are cleaning the variable without actually setting that variable to the cleansed state. To see what I mean:

clean_string($asdf);
rather than
$asdf = clean_string($asdf);

Just a tip. :wink:

Oh, I found an error when you do the function. Your code says:
clean_values($_POST);
However, wouldn’t you want to name the variable used, like so?:
clean_values($_POST[“form”]);

Tweaked a few things per your suggestions:

[php]clean_values($_POST[$value]);[/php]
and

[php]function clean_values(){

filter_var($value,FILTER_SANITIZE_STRING);
filter_var($value,FILTER_SANITIZE_SPECIAL_CHARS);
htmlspecialchars($value);
trim($value);
strip_tags($value);
$clnarray = array("$field"."$value")."<br />";
return $clnarray;

}[/php]

The clean values echo fine back from the function:
[php]foreach ($_POST as $field => $value){
echo $field."-".$value."\n";
}[/php]

But they still have not made it to the db ???

Guess what folks. It was a hack. Several weeks ago my website was hacked and after running all the normal
stuff (AVG, Malwarebytes, etc), deleting & replacing my browser & xampp, changing passwords and all that crap ... turns out the bug was still in my laptop AND my PC.
I erased the hard drive on my laptop and started over ... the script works fine. When you folks get a chance, block this IP address on your system: 87.59.101.111 (from Denmark). It's a nasty little bug that gets passwords.

I can’t believe it.
I’ve erased the hard drive on my laptop, reinstalled windows 7, xampp & php designer, created a BASIC form and used one php function to strip the tags (strip_tags()) and I’m getting exactly the same results.
The echoed form values are blank but the malicious data (, <?php ?> etc.) STILL SHOWS UP IN THE DATABASE. How is this happening???

Unless you have changed your sql statement, you're still posting the $_POST values to the array, not the cleaned values. I would suggest that you post the cleaned values in the array, not the $_POST values.

Oh yes, … duh!!

I hope this is the right place for the next dumb question … what’s the proper way to reconnect the $field with the clean value?

Thanks for responding Andy!

Create a new variable that is an array, pass all the $values to it, then call it in your sql statement.

Got it …
[php]$new_array = array();
// iterating by reference (&$value) is not needed here, since each cleaned
// value is assigned into $new_array rather than written back into $_POST
foreach ($_POST as $key => &$value){

$fltr1 = filter_var($value,FILTER_SANITIZE_STRING);
$fltr2 = filter_var($fltr1,FILTER_SANITIZE_SPECIAL_CHARS);
$fltr3 = htmlspecialchars($fltr2);
$trm = trim($fltr3);
$strp = strip_tags($trm);
$new_array[$key] = $strp;
//var_dump($strp);

}
unset($value); // break the reference left over from the loop
[/php]

and

[php]//connect to db
$link = mysql_connect('localhost','root','XXXXXXX') or die (mysql_error());
$db = mysql_select_db('used_cars') or die (mysql_error());
//var_dump($db);

$date = date("Y-m-d");
// the cleaned values are still spliced into the SQL text; they are not escaped
// for SQL (mysql_real_escape_string) or bound as parameters
$result = mysql_query("INSERT INTO cars (id, year, make, body_style, engine, trans, drivetrain, ext_color, int_color, mileage, vin, image, price, sold, date)
VALUES ('','$new_array[year]','$new_array[make]','$new_array[body_style]','$new_array[engine]','$new_array[trans]','$new_array[drivetrain]','$new_array[ext_color]',
'$new_array[int_color]','$new_array[mileage]','$new_array[vin]','$image','$new_array[price]','','$date')")
or die (mysql_error());[/php]

Comment:
PHP Person had suggested the following, but I could not get it to work for me without capturing the value in a variable at each step of the foreach loop:
Something tells me you are cleaning the variable without actually setting that variable to the cleansed state. To see what I mean:
[php]
clean_string($asdf);
// rather than
$asdf = clean_string($asdf);
[/php]

Question: I’ve tried in vain to make a function out of the foreach loop. Would appreciate any help / comments.
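One way to turn the foreach loop into a function, as an added example that is not the thread's own code: the function returns a new array (the caller has to use the return value, which is what went wrong earlier in the thread), and the INSERT binds the cleaned values as parameters instead of splicing them into the SQL string. It assumes PDO with a MySQL DSN, that `id` is auto-increment, that `$image` comes from the upload step, and that `$fields` lists the form fields the INSERT uses.

```php
<?php
// Added example, not the thread's own code. Assumes PDO/MySQL, an auto-increment
// `id` column on `cars`, and that $image was set by the upload code above.

// Return a NEW array of cleaned values restricted to the expected field names.
// Cleaning $_POST "in place" without using the result was the original bug.
function clean_values(array $input, array $allowed)
{
    $clean = array();
    foreach ($allowed as $key) {
        $value = isset($input[$key]) ? (string) $input[$key] : '';
        $value = strip_tags(trim($value));                        // drops <script>, <?php ?> etc.
        $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');   // neutralise what is left
        $clean[$key] = $value;
    }
    return $clean;
}

// Insert one car using a prepared statement: every value is bound as a
// parameter, so nothing user-supplied ever becomes part of the SQL text.
function insert_car(PDO $db, array $car, $image)
{
    $sql = 'INSERT INTO cars (year, make, body_style, engine, trans, drivetrain,
                ext_color, int_color, mileage, vin, image, price, sold, date)
            VALUES (:year, :make, :body_style, :engine, :trans, :drivetrain,
                :ext_color, :int_color, :mileage, :vin, :image, :price, :sold, :date)';
    $params = $car;                 // the 11 cleaned form fields
    $params['image'] = $image;
    $params['sold']  = '';
    $params['date']  = date('Y-m-d');
    $stmt = $db->prepare($sql);
    $stmt->execute($params);        // key count must equal the placeholder count
    return $db->lastInsertId();
}

$fields = array('year', 'make', 'body_style', 'engine', 'trans', 'drivetrain',
                'ext_color', 'int_color', 'mileage', 'vin', 'price');
$car = clean_values($_POST, $fields);   // use the RETURN value

$db = new PDO('mysql:host=localhost;dbname=used_cars;charset=utf8', 'root', 'XXXXX');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$id = insert_car($db, $car, $image);
echo "upload successful (row $id)";
```

The htmlspecialchars() call follows the thread's approach of cleaning before storage; encoding at output time is the more usual practice, but the parameter binding is what keeps the data out of the SQL either way.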
