Re: Sanitizing user input [message #169727 is a reply to message #169724] Fri, 24 September 2010 07:59
Helmut Chang
On 24.09.2010 07:42, MikeB wrote:
> I'm reading that it is a "good idea" to sanitize all data returned in an
> HTML form. The book recommends using the mysql_real_escape_string()
> function as well as stripslashes() and for some data it also recommends
> using htmlentities().

Doesn't the book tell you in which context to use those functions?

mysql_real_escape_string() is used to sanitize data that's used in
queries against a *mysql* database. There are similar functions in each
database module in PHP (because different RDBMS need different escaping).

stripslashes() is a relic from early PHP days. It removes the escaping
slashes that were/are automagically added to GET/POST/... data when
<http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc>
is on.

htmlentities() sanitizes data that's used for HTML output.

And then there are urlencode() and rawurlencode() to sanitize data
that's used as part of URLs that appear in the output.

And so on... ;)

Each context needs different characters escaped/sanitized, and in a different
way. Look up those functions in the manual and read what they do.

And here are some examples of what might happen if you don't sanitize the data:

MySQL:

SELECT * FROM user WHERE username = '$username'

$username = "myusername' OR '1' = '1"

Replace $username in the query with the value of $username and see what
the query looks like...

HTML:

<input value="<?php echo $value; ?>">

$value = '">
<script type="text/javascript">
alert("XSS Attack!");
</script';

Replace the echo statement with the value of $value and see what the
HTML looks like...

Hope you get an idea of what to escape in the different contexts.

Helmut
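As an added example (not code from Helmut's post), the two vulnerable fragments above placed beside context-appropriate handling for each of the three contexts the post names. The SQL part uses a PDO prepared statement in place of mysql_real_escape_string(); the in-memory SQLite database, its table contents and the sample inputs are constructed here for illustration.

```php
<?php
// Added example, not from the original post. Inputs are the two payloads the
// post shows; database, table and rows are constructed so this runs offline.
$username = "myusername' OR '1' = '1";
$value = '"><script type="text/javascript">alert("XSS Attack!");</script';

// --- SQL context ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT)');
$db->exec("INSERT INTO user VALUES ('alice'), ('bob')");

// Vulnerable: the quote in $username ends the literal, the OR matches every row.
$rows = $db->query("SELECT * FROM user WHERE username = '$username'")->fetchAll();
echo 'interpolated query returned ', count($rows), " rows\n";            // 2

// Hardened: the value travels as a bound parameter, never as SQL text.
function findUser(PDO $db, string $username): ?array {
    $stmt = $db->prepare('SELECT * FROM user WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
echo 'prepared query returned ', findUser($db, $username) === null ? 0 : 1, " rows\n"; // 0

// --- HTML attribute context ---
// Vulnerable: the leading "> in $value closes the attribute and the <input> tag.
echo '<input value="' . $value . '">', "\n";

// Hardened: ENT_QUOTES encodes both quote kinds, so the value cannot leave the
// attribute. htmlentities() with the same flags would work equally well here.
function attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
echo '<input value="' . attr($value) . '">', "\n";

// --- URL context ---
// A value inside a query string needs URL encoding first; when that URL is then
// written into an HTML attribute, the HTML encoding is applied on top of it.
$search = 'a&b=c d';
$href = '/search?q=' . rawurlencode($search);    // /search?q=a%26b%3Dc%20d
echo '<a href="' . attr($href) . '">search</a>', "\n";
```

Run with `php example.php`; it needs the pdo_sqlite extension, which ships with most PHP builds.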