Re: Sanitizing user input [message #169749 is a reply to message #169727] Fri, 24 September 2010 15:24 Go to previous messageGo to previous message
MikeB
Helmut Chang wrote:
> Am 24.09.2010 07:42, schrieb MikeB:
>> I'm reading that it is a "good idea" to sanitize all data returned in a
>> HTML form. The book recommends using the mysql_real_escape_string()
>> function as well as stripslashes() and for some data it also recommends
>> using htmlentities().
>
> Doesn't the book tell, in which context to use those functions?

It does, but I was thinking that I may have to use the SQL routine even
perhaps when I'm not connected to the database.

>
> mysql_real_escape_string() is used to sanitize data that's used in
> queries against a *mysql* database. There are similar functions in each
> database module in PHP (because different RDBMS need different escaping).
>
> stripslashes() is a relic from early PHP days. It removes escaping
> slashes that were/are automagically added in GET/POST/... data when
> <http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc>
> is on.

So this I should not use? Never?

My book has the sample as:

if (get_magic_quotes_gpc()) { $string = stripslashes($string); }

copied from text, so there may be a typo. :)

That should be fine, right?

>
> htmlentities() sanitizes data that's used for HTML output.

This one is good to prevent cross scripting exploits, I believe.
>
> And then, there are urlencode() and rawurlencode() to sanitize data,
> that's used as part of URLs, that appear in the output.

That one I've not come across yet, I can guess what it does, but I'll
look into it a bit more.

>
> And so on... ;)
>
> Each context needs other characters escaped/sanitized and in a different
> way. Look up those functions in the manual and read, what they do.
>
> And here are some examples of what might happen if you don't sanitize the data:
>

<snip>

Yes, that same example I've seen, either in my book or in the php.net
section on SQL injection exploits. Thanks, though.

>
<snip>
>
> Hope you get an idea of what to escape in the different contexts.
>

You guys are very helpful. Thanks.
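The contexts Helmut lists, shown side by side on one piece of input. This is an added example, not code from the thread; the sample input is constructed, and `$pdo` and the `users` table are assumed to exist.

```php
<?php
// Added example: the same user-supplied value escaped once per output
// context. The reply's point is that each context needs its own escaping;
// applying the wrong one (or none) is what makes injection possible.

$raw = "O'Brien <script>alert(1)</script> & co";   // constructed sample input

// 1. Legacy magic_quotes handling: strip the automatic slashes only when
//    they were actually added. get_magic_quotes_gpc() always returns false
//    from PHP 5.4 on and no longer exists in PHP 8, so guard the call.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $raw = stripslashes($raw);
}

// 2. HTML context: encode <, >, &, " and ' so the browser renders the value
//    as text instead of parsing it as markup (the cross-site scripting case).
//    ENT_QUOTES matters: without it a single quote survives into attributes.
$forHtml = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

// 3. URL context: rawurlencode() for a single query-string value, so that
//    '&', '=' and '/' inside the value cannot alter the URL's structure.
$forUrl = 'https://example.invalid/search?q=' . rawurlencode($raw);

// 4. SQL context: mysql_real_escape_string() needs an open MySQL connection
//    (the escaping depends on the connection's character set) and was
//    removed with the mysql extension in PHP 7. The equivalent today is a
//    parameterised query, where the value never becomes part of the SQL
//    text at all. $pdo is assumed to be an open PDO connection.
function findUser(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);   // driver sends the value separately
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo "HTML: ", $forHtml, "\n";
echo "URL:  ", $forUrl, "\n";
```

Note that none of these functions "sanitizes" a value in general: each output is safe only in the one context it was escaped for, so escaping belongs at the point of output, not at the point of input.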