Re: BB type posting - is this secure? [message #176404 is a reply to message #176403]
Sun, 01 January 2012 18:20
M. Strobel
> so here is how you filter input data:
>
> 1. use filter_var or another method of removing any unwanted input (for
> example, if you expect a number then filter out any characters other than
> 0123456789, easily done with filter_var)
> 2. use PDO / parameterized statements to insert data into the database for
> additional security and to avoid SQL injection
> 3. when displaying this data back on the console use htmlentities to correctly
> print < > as &lt; &gt; etc.
>
> and that is all there is to it.
This is it: on input to the script, on input to the database, and on
output to the browser. I might add:
1. Use your own filter function on form input, in case you have
to adjust it. A length limit on input strings might be useful.
3. If you use Smarty (or the like), do it in your template,
and don't clutter your code.
/Str.
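The three layers the thread describes (filter on input to the script, prepared statement on input to the database, htmlentities on output to the browser), worked through end to end as an added example. This is not code from the original post; it uses an in-memory SQLite database so it runs offline, assumes PHP 8 or later with the pdo_sqlite and mbstring extensions, and the field names, table name and wrapper function names are assumptions for illustration. It follows the poster's suggestion of wrapping filter_var in your own function with a length limit, and it rejects bad input rather than silently stripping characters, which is the safer of the two choices step 1 allows.

```php
<?php
// Added example, not from the original post. Field/table/function names are
// assumptions for illustration; requires PHP 8+, pdo_sqlite and mbstring.
declare(strict_types=1);

// 1. Filter on input to the script. Own wrapper so length limits and the
//    accepted character set can be adjusted in one place.
function filterPostTitle(mixed $raw, int $maxLen = 80): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    // Reject control characters (NUL, ESC, ...); everything else, including
    // non-ASCII UTF-8, is allowed and will be escaped on output instead.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $raw)) {
        return null;
    }
    $trimmed = trim($raw);
    if ($trimmed === '' || mb_strlen($trimmed, 'UTF-8') > $maxLen) {
        return null;
    }
    return $trimmed;
}

function filterUserId(mixed $raw): ?int
{
    // FILTER_VALIDATE_INT rejects "12abc", "1e3", " 12", "0x2a" etc. and
    // returns false on failure; min_range also rejects 0 and negatives.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 2. Prepared statement on input to the database: the values are bound, never
//    concatenated into the SQL text, so quotes and "--" in $title are data.
function insertPost(PDO $db, int $userId, string $title): int
{
    $stmt = $db->prepare('INSERT INTO posts (user_id, title) VALUES (:uid, :title)');
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

function fetchTitle(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT title FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['title'];
}

// 3. Escape on output to the browser. ENT_QUOTES covers both quote styles so
//    the value is also safe inside a quoted attribute, not just element text.
function renderTitle(string $title): string
{
    return htmlentities($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample request containing both an XSS and an SQL injection attempt.
$input = [
    'user_id' => '42',
    'title'   => "Hello <script>alert('x')</script> ' OR 1=1 --",
];

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // use the driver's native prepares
]);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, title TEXT NOT NULL)');

$userId = filterUserId($input['user_id']);
$title  = filterPostTitle($input['title']);
if ($userId === null || $title === null) {
    http_response_code(400);
    exit("invalid input\n");
}

$id     = insertPost($db, $userId, $title);
$stored = fetchTitle($db, $id);

// The title was stored literally (quote and "--" included) and only one row
// exists: the injection never reached the SQL parser.
echo "rows stored: " . (int) $db->query('SELECT COUNT(*) FROM posts')->fetchColumn() . "\n";
echo "stored title: " . $stored . "\n";
// On output the <script> tag is rendered as text, not executed.
echo '<h1>' . renderTitle($stored) . "</h1>\n";
```

Run it with `php example.php`; the last line shows the tag and quotes as `&lt;script&gt;`, `&apos;` and so on. Note that step 1 here validates (rejects) rather than sanitizes (strips): FILTER_SANITIZE_NUMBER_INT would turn "12abc" into "12", which is usually not what the user meant, whereas FILTER_VALIDATE_INT makes the caller decide. Steps 2 and 3 do not depend on step 1 succeeding; each layer protects its own boundary, which is the point of the "input to script, input to database, output to browser" split.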