Re: Sanitizing user input [message #169728 is a reply to message #169724] Fri, 24 September 2010 08:15
alvaro.NOSPAMTHANX

On 24/09/2010 7:42, MikeB wrote:
> I'm reading that it is a "good idea" to sanitize all data returned in an
> HTML form.

In general:

- You must sanitize any input you didn't generate yourself.
- You must escape properly everything you insert into a string, even if
you generated it yourself.

> The book recommends using the mysql_real_escape_string()
> function as well as stripslashes() and for some data it also recommends
> using htmlentities().

You should never use stripslashes() unless you have a very old server
that is configured to add slashes to your data:

http://es2.php.net/manual/en/security.magicquotes.php

As for htmlentities(), I don't think it's worth using it. It makes
your HTML grow in size with lots of useless entities (é -> &eacute;) but
it cannot really escape all the stuff that needs to be escaped (such as
high-plane Unicode characters). And it's not even aware of the output
charset.

> Question now is that the mysql function is only available if I'm
> connected to a mysql database.
>
> Is the mysql sanitizing only necessary for data fields that are going to
> be used against the database? Or is there a similar function to sanitize
> user data that may not be used as part of the sql data?

The name says it all: it's a function to escape stuff for MySQL when you
are using the MySQL extension. It serves no other purpose.

If you use PostgreSQL, you must use the PostgreSQL escaping methods. If
you use PDO you must use the PDO escaping methods.

Furthermore:

- If you are generating HTML you must escape the HTML way, e.g.
htmlspecialchars()
- If you are generating JSON you must escape the JSON way, e.g.
json_encode()
- Etc, etc.

It's nice you care about this. Even most PHP books ignore the subject :)

--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- My site about web programming: http://borrame.com
-- My satin-humor website: http://www.demogracia.com
--
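The "escape for the context you are writing into" rule from the reply above, as an added example that is not part of the original thread. It takes one constructed hostile-looking string and shows the three contexts the reply lists: SQL (where a PDO prepared statement binds the value instead of escaping it by hand), HTML (htmlspecialchars() with explicit flags and charset) and JSON (json_encode() with flags that also make the result safe inside a `<script>` element). The `legacyStripSlashes()` helper shows the one case in which stripslashes() is justified: a server with magic_quotes_gpc still switched on. It assumes PHP 7.3 or later with the pdo_sqlite extension; the table name, column name and sample input are invented for the demo.

```php
<?php
// Added example, not code from the original post.
// Assumes PHP >= 7.3 with the pdo_sqlite extension. Table/column names and the
// sample input below are constructed for this demonstration.
declare(strict_types=1);

// Constructed untrusted input: single and double quotes, an HTML tag and a
// non-ASCII character, i.e. everything that breaks naive string building.
const UNTRUSTED = "O'Brien <script>alert(1)</script> \"café\"";

// 1. SQL context: no escaping at all; the driver binds the value as data so it
//    never becomes part of the SQL text. This replaces mysql_real_escape_string().
function storeAndFetch(PDO $db, string $name): array
{
    $db->exec('CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, name TEXT)');

    $insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $insert->execute([':name' => $name]);

    $select = $db->prepare('SELECT name FROM users WHERE name = :name');
    $select->execute([':name' => $name]);

    return $select->fetchAll(PDO::FETCH_COLUMN);   // round-trips unchanged
}

// 2. HTML context: ENT_QUOTES escapes both quote styles so the value is also
//    safe inside attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead
//    of returning an empty string; the charset is stated explicitly.
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. JSON context: json_encode() handles quoting; the JSON_HEX_* flags encode
//    < > & ' " as \uXXXX so the output can be embedded in a <script> block
//    without a "</script>" in the data ending the element early.
function forJson($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

// Only strip slashes when the (long removed) magic_quotes_gpc setting is on;
// on any current PHP ini_get() returns false here and the value is untouched.
function legacyStripSlashes(string $value): string
{
    $magicQuotesOn = filter_var(ini_get('magic_quotes_gpc'), FILTER_VALIDATE_BOOLEAN);
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Demo run: each context gets its own encoding of the same input.
$input = legacyStripSlashes(UNTRUSTED);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

printf("SQL (bound, read back): %s\n", implode(', ', storeAndFetch($db, $input)));
printf("HTML text/attribute   : %s\n", forHtml($input));
printf("JSON / <script> data  : %s\n", forJson(['name' => $input]));
```

Running it with `php example.php` prints the same string three times, each encoded for its destination; the stored SQL row reads back byte-for-byte, which is the point of binding rather than escaping.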