
Overview

Utility functions provide common helper functionality for data validation, formatting, and image handling across the Refugio system.

Data Sanitization

sanitize_input

Sanitize user input to prevent XSS attacks.
Parameters
  • data (string, required) - Raw input data to sanitize

Returns
  • string - Sanitized string safe for output

Process

  1. Removes leading/trailing whitespace with trim()
  2. Removes backslashes with stripslashes()
  3. Converts special characters to HTML entities with htmlspecialchars()

Code Example

$nombre = sanitize_input($_POST['nombre']);
$email = sanitize_input($_POST['email']);
$observaciones = sanitize_input($_POST['observaciones']);

echo "Nombre limpio: {$nombre}";

Implementation

function sanitize_input($data)
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
    return $data;
}

Always sanitize user input before displaying it in HTML to prevent XSS vulnerabilities.

Date Utilities

formatear_fecha

Format a date from YYYY-MM-DD to DD/MM/YYYY for display.
Parameters
  • fecha (string, required) - Date string in YYYY-MM-DD format

Returns
  • string - Formatted date in DD/MM/YYYY format

Code Example

$fecha_db = '2024-06-15';
$fecha_mostrar = formatear_fecha($fecha_db);
echo $fecha_mostrar;  // Output: 15/06/2024

Implementation

function formatear_fecha($fecha)
{
    $timestamp = strtotime($fecha);
    // strtotime() returns false for a string it cannot parse; without this
    // check date() would cast false to 0 and silently render 01/01/1970
    if ($timestamp === false) {
        return '';
    }
    return date('d/m/Y', $timestamp);
}

fecha_en_rango

Check if a date falls within a specific date range.
Parameters
  • fecha (string, required) - Date to check (YYYY-MM-DD)
  • inicio (string, required) - Range start date (YYYY-MM-DD)
  • fin (string, required) - Range end date (YYYY-MM-DD)

Returns
  • bool - True if date is within range (inclusive), false otherwise

Code Example

$fecha = '2024-06-16';
$inicio = '2024-06-15';
$fin = '2024-06-17';

if (fecha_en_rango($fecha, $inicio, $fin)) {
    echo "La fecha está en el rango";
}

// Check if a specific date overlaps with a reservation
$reserva = obtener_reserva($conexion, 42);
if (fecha_en_rango('2024-06-16', $reserva['fecha_inicio'], $reserva['fecha_fin'])) {
    echo "La habitación está ocupada ese día";
}

Image Validation

validar_imagen

Validate an uploaded image file for security and format compliance.
Parameters
  • file (array, required) - File array from $_FILES superglobal

Returns
  • array - Validation result:
    • valido (bool) - Whether file is valid
    • mensaje (string) - Validation message
    • extension (string) - File extension (only if valid)

Validation Rules

  • Maximum size: 5MB (5,242,880 bytes)
  • Allowed MIME types: image/jpeg, image/jpg, image/png, image/gif
  • Allowed extensions: jpg, jpeg, png, gif
  • Image verification: Must pass getimagesize() check

Code Example

if (isset($_FILES['imagen'])) {
    $validacion = validar_imagen($_FILES['imagen']);
    
    if ($validacion['valido']) {
        echo "Imagen válida: " . $validacion['extension'];
        // Proceed with upload
    } else {
        echo "Error: " . $validacion['mensaje'];
    }
}

Validation Messages

Condition           Message
Upload error        "Error al subir el archivo"
File too large      "El archivo es demasiado grande (máximo 5MB)"
Invalid MIME type   "Formato no permitido. Solo JPG, PNG o GIF"
Invalid extension   "Extensión no permitida"
Not a real image    "El archivo no es una imagen válida"
Valid               "Imagen válida"
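The following is an added example, not the project's own code, that implements validar_imagen() according to the validation rules and messages listed above. It assumes the MIME type is sniffed from the file contents with finfo rather than read from the client-supplied $_FILES['type'], and it goes one step beyond the listed rules by requiring the extension to agree with the sniffed type.

```php
<?php
// Added example. Sniffing the MIME type from the bytes on disk instead of
// trusting $_FILES['type'] (which the client sets) is an assumption here;
// the page only lists the allowed types and the check order.
function validar_imagen(array $file): array
{
    $max_bytes       = 5242880; // 5MB
    $mime_permitidos = ['image/jpeg', 'image/jpg', 'image/png', 'image/gif'];
    // Extensions each detected type may legitimately carry
    $ext_por_mime = [
        'image/jpeg' => ['jpg', 'jpeg'], 'image/jpg' => ['jpg', 'jpeg'],
        'image/png'  => ['png'],         'image/gif' => ['gif'],
    ];

    // 1. PHP-level upload errors, and a tmp_name that really came from this request
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        return ['valido' => false, 'mensaje' => 'Error al subir el archivo'];
    }
    // 2. Size, measured on the server regardless of what the form declares
    if ($file['size'] > $max_bytes) {
        return ['valido' => false, 'mensaje' => 'El archivo es demasiado grande (máximo 5MB)'];
    }
    // 3. MIME type taken from the file contents
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, $mime_permitidos, true)) {
        return ['valido' => false, 'mensaje' => 'Formato no permitido. Solo JPG, PNG o GIF'];
    }
    // 4. Extension from the original name: whitelisted and consistent with the sniffed type
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!in_array($ext, $ext_por_mime[$mime], true)) {
        return ['valido' => false, 'mensaje' => 'Extensión no permitida'];
    }
    // 5. The bytes must decode as an image; getimagesize() returns false otherwise
    if (@getimagesize($file['tmp_name']) === false) {
        return ['valido' => false, 'mensaje' => 'El archivo no es una imagen válida'];
    }
    return ['valido' => true, 'mensaje' => 'Imagen válida', 'extension' => $ext];
}
```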

Profile Photo Management

subir_foto_perfil

Upload and save a user’s profile photo.
Parameters
  • conexion (PDO, required) - Database connection object
  • id_usuario (int, required) - User ID
  • file (array, required) - File array from $_FILES

Returns
  • array - Upload result:
    • exito (bool) - Success status
    • mensaje (string) - Result message
    • ruta (string|null) - Saved file path

Process Flow

  1. Validates image using validar_imagen()
  2. Creates upload directory if it doesn’t exist
  3. Gets current photo to delete later
  4. Generates unique filename: perfil_{id_usuario}_{timestamp}.{ext}
  5. Moves uploaded file to uploads/perfiles/
  6. Updates database with new photo path
  7. Deletes old photo file
  8. Rolls back on database error

Code Example

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['foto_perfil'])) {
    $resultado = subir_foto_perfil(
        $conexion,
        $_SESSION['user_id'],
        $_FILES['foto_perfil']
    );
    
    if ($resultado['exito']) {
        echo "Foto guardada: {$resultado['ruta']}";
        // Display new photo
        echo "<img src='{$resultado['ruta']}' alt='Perfil'>";
    } else {
        echo "Error: {$resultado['mensaje']}";
    }
}

Directory Structure

project-root/
└── uploads/
    └── perfiles/
        ├── perfil_1_1718123456.jpg
        ├── perfil_2_1718123789.png
        └── perfil_5_1718124000.jpg
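An implementation of the eight-step process flow above, as an added example rather than the project's own code. It assumes validar_imagen() from this page is loaded, that the PDO connection uses PDO::ERRMODE_EXCEPTION, that users live in a table named usuarios keyed by id with the foto_perfil column, and that the script runs from project-root so uploads/perfiles/ is a relative path; the result messages other than those of validar_imagen() are constructed for the example.

```php
<?php
// Added example. Assumptions: validar_imagen() from this page is loaded, the PDO
// connection uses PDO::ERRMODE_EXCEPTION, users live in table `usuarios` keyed
// by `id` with a `foto_perfil` column, and the script runs from project-root so
// uploads/perfiles/ is a relative path. Result messages are constructed.
function subir_foto_perfil(PDO $conexion, int $id_usuario, array $file): array
{
    // 1. Validate before touching disk or database
    $validacion = validar_imagen($file);
    if (!$validacion['valido']) {
        return ['exito' => false, 'mensaje' => $validacion['mensaje'], 'ruta' => null];
    }
    // 2. Upload directory with the 0755 mode the page recommends
    $directorio = 'uploads/perfiles';
    if (!is_dir($directorio) && !mkdir($directorio, 0755, true)) {
        return ['exito' => false, 'mensaje' => 'No se pudo crear el directorio', 'ruta' => null];
    }
    // 3. Current photo, deleted only after the database commit succeeds
    $sel = $conexion->prepare('SELECT foto_perfil FROM usuarios WHERE id = :id');
    $sel->execute([':id' => $id_usuario]);
    $foto_anterior = $sel->fetchColumn() ?: null;
    // 4. Name built from trusted parts only (id, timestamp, validated
    //    extension); the client-supplied filename never reaches the disk
    $ruta = sprintf('%s/perfil_%d_%d.%s', $directorio, $id_usuario, time(), $validacion['extension']);
    // 5. move_uploaded_file() refuses paths that were not uploaded in this request
    if (!move_uploaded_file($file['tmp_name'], $ruta)) {
        return ['exito' => false, 'mensaje' => 'No se pudo guardar el archivo', 'ruta' => null];
    }
    // 6. and 8. Store the path; on failure roll back and remove the new file
    try {
        $conexion->beginTransaction();
        $upd = $conexion->prepare('UPDATE usuarios SET foto_perfil = :ruta WHERE id = :id');
        $upd->execute([':ruta' => $ruta, ':id' => $id_usuario]);
        $conexion->commit();
    } catch (PDOException $e) {
        $conexion->rollBack();
        @unlink($ruta);
        return ['exito' => false, 'mensaje' => 'Error al actualizar la base de datos', 'ruta' => null];
    }
    // 7. Remove the old file, but only if the stored path is a plain name
    //    inside the upload directory (no traversal from a tampered DB value)
    if ($foto_anterior !== null
        && $foto_anterior === $directorio . '/' . basename($foto_anterior)
        && is_file($foto_anterior)) {
        unlink($foto_anterior);
    }
    return ['exito' => true, 'mensaje' => 'Foto guardada correctamente', 'ruta' => $ruta];
}
```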

obtener_foto_perfil

Get the file path of a user’s profile photo.
Parameters
  • conexion (PDO, required) - Database connection object
  • id_usuario (int, required) - User ID

Returns
  • string|null - Relative path to photo file, or null if no photo exists

Code Example

$foto = obtener_foto_perfil($conexion, $_SESSION['user_id']);

if ($foto) {
    echo "<img src='{$foto}' alt='Foto de perfil'>";
} else {
    echo "<img src='img/default-avatar.png' alt='Avatar por defecto'>";
}

eliminar_foto_perfil

Delete a user’s profile photo from database and filesystem.
Parameters
  • conexion (PDO, required) - Database connection object
  • id_usuario (int, required) - User ID

Returns
  • array - Result:
    • exito (bool) - Success status
    • mensaje (string) - Result message

Process

  1. Gets current photo path from database
  2. Deletes physical file from filesystem
  3. Sets foto_perfil column to NULL in database
  4. Returns result

Code Example

if (isset($_POST['eliminar_foto'])) {
    $resultado = eliminar_foto_perfil($conexion, $_SESSION['user_id']);
    
    if ($resultado['exito']) {
        echo $resultado['mensaje'];  // "Foto eliminada correctamente"
    } else {
        echo "Error: {$resultado['mensaje']}";
    }
}

Complete Profile Photo Workflow

// HTML form
echo '<form method="POST" enctype="multipart/form-data">';
echo '  <input type="file" name="foto_perfil" accept="image/*">';
echo '  <button type="submit" name="subir">Subir foto</button>';
echo '  <button type="submit" name="eliminar">Eliminar foto</button>';
echo '</form>';

// Processing
if (isset($_POST['subir']) && isset($_FILES['foto_perfil'])) {
    $resultado = subir_foto_perfil(
        $conexion,
        $_SESSION['user_id'],
        $_FILES['foto_perfil']
    );
    
    if ($resultado['exito']) {
        $_SESSION['foto_perfil'] = $resultado['ruta'];
    }
    echo $resultado['mensaje'];
}

if (isset($_POST['eliminar'])) {
    $resultado = eliminar_foto_perfil($conexion, $_SESSION['user_id']);
    if ($resultado['exito']) {
        unset($_SESSION['foto_perfil']);
    }
    echo $resultado['mensaje'];
}

// Display current photo
$foto = obtener_foto_perfil($conexion, $_SESSION['user_id']);
if ($foto) {
    echo "<img src='{$foto}' class='profile-photo'>";
} else {
    echo "<div class='no-photo'>Sin foto</div>";
}

Security Best Practices

Image Upload Security:
  • Always validate file type with both MIME and extension checks
  • Use getimagesize() to verify it's a real image
  • Generate unique filenames to prevent overwrites
  • Store uploads outside web root when possible
  • Limit file sizes to prevent DoS attacks
  • Set proper directory permissions (0755)

Data Sanitization:
  • Sanitize ALL user input before display
  • Use prepared statements for SQL queries (already implemented in all database functions)
  • Apply sanitize_input() to form data, URL parameters, and any external data
  • Remember: sanitization is for output, not storage