FUDforum: comp.lang.php » Sanitising input

Home » Imported messages » comp.lang.php » Sanitising input

Show: Today's Messages :: Polls :: Message Navigator

Re: Sanitising input [message #172102 is a reply to message #172084]

Sun, 30 January 2011 21:39

Ross McKay
Messages: 14
Registered: January 2011

Karma:

Junior Member

On Sun, 30 Jan 2011 14:09:11 +0000, Mad Hatter wrote:

> I'm writing a simple script which will take a users input, save it to a
> mysql database and then display it. I'm going to use htmlentities() to
> clean things up which I hope will stop basic attacks but how else should I
> sanitise my input?

For databases, your best bet is the advice on this website:

http://bobby-tables.com/

"There is only one way to avoid Bobby Tables attacks

* Do not create SQL statements that include outside data.
* Use parameterized SQL calls.

That's it. Don't try to escape invalid characters. Don't try to do it
yourself. Learn how to use parameterized statements. Always, every
single time."

See http://bobby-tables.com/php.html for PHP instructions. My preference
is PDO with bindValue(), YYMV.

Also, you may prefer the lighter htmlspecialchars() to htmlentities() if
your output is UTF-8 (which it should be):

http://au2.php.net/manual/en/function.htmlspecialchars.php
--
Ross McKay, Toronto, NSW Australia
"Let the laddie play wi the knife - he'll learn"
- The Wee Book of Calvin

Report message to a moderator

[Message index]

		Sanitising input By: Mad Hatter on Sun, 30 January 2011 14:09
		Re: Sanitising input By: Michael Fesser on Sun, 30 January 2011 15:00
		Re: Sanitising input By: Denis McMahon on Sun, 30 January 2011 16:35
		Re: Sanitising input By: Norman Peelman on Mon, 31 January 2011 01:17
		Re: Sanitising input By: Captain Paralytic on Mon, 31 January 2011 11:51
		Re: Sanitising input By: Norman Peelman on Mon, 31 January 2011 23:39
		Re: Sanitising input By: Denis McMahon on Tue, 01 February 2011 00:53
		Re: Sanitising input By: Norman Peelman on Tue, 01 February 2011 11:26
		Re: Sanitising input By: Denis McMahon on Mon, 31 January 2011 12:05
		Re: Sanitising input By: P E Schoen on Sun, 30 January 2011 19:47
		Re: Sanitising input By: Felix Saphir on Sun, 30 January 2011 19:55
		Re: Sanitising input By: Ross McKay on Sun, 30 January 2011 21:39
		Re: Sanitising input By: Jerry Stuckle on Sun, 30 January 2011 21:50
		Re: Sanitising input By: Ross McKay on Mon, 31 January 2011 03:43
		Re: Sanitising input By: Jerry Stuckle on Mon, 31 January 2011 04:12
		Re: Sanitising input By: Ross McKay on Mon, 31 January 2011 05:01
		Re: Sanitising input By: Jerry Stuckle on Mon, 31 January 2011 05:10
		Re: Sanitising input By: Ross McKay on Mon, 31 January 2011 05:38
		Re: Sanitising input By: Jerry Stuckle on Mon, 31 January 2011 12:51
		Re: Sanitising input By: Sherm Pendley on Sun, 30 January 2011 22:18
		Re: Sanitising input By: Ross McKay on Mon, 31 January 2011 03:52
		Re: Sanitising input By: Sherm Pendley on Mon, 31 January 2011 05:23

Previous Topic:	Only SPAM!!!
Next Topic:	What tasks are hard for PHP?

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Fri Sep 20 15:44:22 GMT 2024

Total time taken to generate the page: 0.05079 seconds