FUDforum: comp.lang.php » Sanitizing user input

Home » Imported messages » comp.lang.php » Sanitizing user input

Show: Today's Messages :: Polls :: Message Navigator

Re: Sanitizing user input [message #169749 is a reply to message #169727]

Fri, 24 September 2010 15:24

MikeB
Messages: 65
Registered: September 2010

Karma:

Member

Helmut Chang wrote:
> Am 24.09.2010 07:42, schrieb MikeB:
>> I'm reading that it is a "good idea" to sanitize all data returned in a
>> HTML form. The book recommends using the mysql_real_escape_string()
>> function as well as stripslashes() and for some data it also recommends
>> using htmlentities().
>
> Doesn't the book tell, in which context to use those functions?

It does, but I was thinking that I may have to use the SQL routine even
perhaps when I'm not connected to the database.

>
> mysql_real_escape_string() is used to sanitize data that's used in
> queries against a *mysql* database. There are similar functions in each
> database module in PHP (because different RDBMS need different escaping).
>
> stripslashes() is a relict from early PHP days. It removes escaping
> slashes, that where/are automagically added in GET/POST/... data when
> <http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc>
> is on.

So this I should not use? Never?

My book has the sample as:

if (get_magic_quotes_gpc()($string=stripslashes($string));

copied from text, so there may be a typo. :)

That should be fine, right?

>
> htmlentities() sanitizes data that's used for HTML output.

This one is good to prevent cross scripting exploits, I believe.
>
> And then, there are urlencode() and rawurlencode() to sanitize data,
> that's used as part of URLs, that appear in the output.

That one I've not come across yet, I can guess what it does, but I'll
look into it a bit more.

>
> And so on... ;)
>
> Each context needs other characters escaped/sanitized and in a different
> way. Look up those functions in the manual and read, what they do.
>
> And here some examples, what might happen, if you don't sanitize the data:
>

<snip>

Yes, that same example I've seen, either in my book or in the php.net
section on SQL injection exploits. Thanks, though.

>
<snip>
>
> Hope, you get an idea, what to escape in the different contexts.
>

You guys are very helpful. Thanks.

Report message to a moderator

[Message index]

		Sanitizing user input By: MikeB on Fri, 24 September 2010 05:42
		Re: Sanitizing user input By: Helmut Chang on Fri, 24 September 2010 07:59
		Re: Sanitizing user input By: MikeB on Fri, 24 September 2010 15:24
		Re: Sanitizing user input By: Web Dreamer on Tue, 28 September 2010 10:11
		Re: Sanitizing user input By: Jerry Stuckle on Tue, 28 September 2010 11:21
		Re: Sanitizing user input By: Web Dreamer on Tue, 28 September 2010 13:14
		Re: Sanitizing user input By: Jerry Stuckle on Tue, 28 September 2010 15:14
		Re: Sanitizing user input By: Michael Fesser on Tue, 28 September 2010 16:24
		Re: Sanitizing user input By: Jerry Stuckle on Tue, 28 September 2010 22:35
		Re: Sanitizing user input By: Web Dreamer on Wed, 29 September 2010 08:01
		Re: Sanitizing user input By: Jerry Stuckle on Wed, 29 September 2010 10:57
		Re: Sanitizing user input By: Web Dreamer on Wed, 29 September 2010 13:47
		Re: Sanitizing user input By: Jerry Stuckle on Wed, 29 September 2010 16:21
		Re: Sanitizing user input By: Web Dreamer on Thu, 30 September 2010 07:44
		Re: Sanitizing user input By: Jerry Stuckle on Thu, 30 September 2010 12:32
		Re: Sanitizing user input By: Web Dreamer on Thu, 30 September 2010 12:51
		Re: Sanitizing user input By: Web Dreamer on Tue, 28 September 2010 16:37
		Re: Sanitizing user input By: Jerry Stuckle on Tue, 28 September 2010 22:34
		Re: Sanitizing user input By: Web Dreamer on Wed, 29 September 2010 07:54
		Re: Sanitizing user input By: Web Dreamer on Wed, 29 September 2010 08:02
		Re: Sanitizing user input By: Jerry Stuckle on Wed, 29 September 2010 11:01
		Re: Sanitizing user input By: Web Dreamer on Wed, 29 September 2010 13:15
		Re: Sanitizing user input By: Jerry Stuckle on Wed, 29 September 2010 16:22
		Re: Sanitizing user input By: Web Dreamer on Thu, 30 September 2010 07:47
		Re: Sanitizing user input By: Jerry Stuckle on Thu, 30 September 2010 12:35
		Re: Sanitizing user input By: Web Dreamer on Thu, 30 September 2010 12:57
		Re: Sanitizing user input By: alvaro.NOSPAMTHANX on Fri, 24 September 2010 08:15
		Re: Sanitizing user input By: MikeB on Fri, 24 September 2010 15:06
		Re: Sanitizing user input By: Michael Fesser on Fri, 24 September 2010 17:12

Previous Topic:	how to write a wsdl for php webservice?
Next Topic:	ANNOUNCE - NHI1 / PLMK / libmsgque - Work-Package-II

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Sat Nov 23 18:33:09 GMT 2024

Total time taken to generate the page: 0.04253 seconds