FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Sanitising input
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Sanitising input [message #172127 is a reply to message #172112] Mon, 31 January 2011 12:05 Go to previous messageGo to previous message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma:
Senior Member
On 31/01/11 01:17, Norman Peelman wrote:
> Denis McMahon wrote:
>> On 30/01/11 14:09, Mad Hatter wrote:

>>> I'm writing a simple script which will take a users input, save it to a
>>> mysql database and then display it. I'm going to use htmlentities() to
>>> clean things up which I hope will stop basic attacks but how else
>>> should I
>>> sanitise my input?

>> Note that you can absolutely never assume that the data you receive will
>> bear any connection with your web page. It is trivial for an attacker to
>> view your form html, and to generate his own form that calls your form
>> handler with whatever data he desires to send in every form element.
>>
>> The fact that your select element for year has values from "2001" to
>> "2020" doesn't stop an attacker sending:
>>
>> "';;drop *;;"

> To the best of my knowledge, the PHP/MySQL library doesn't allow more
> than one sql statement in the same query.

Regardless of what eventually gets passed to the database, my points
here are that (a) you can not rely on anything to control the format of
data that your form handler receives; and (b) people will send malicious
data to try and break your website.

Rgds

Denis McMahon
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Only SPAM!!!
Next Topic: What *tasks* are hard for PHP?
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Tue Nov 26 23:47:16 GMT 2024

Total time taken to generate the page: 0.03813 seconds