FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Sanitising input
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Sanitising input [message #172103 is a reply to message #172102] Sun, 30 January 2011 21:50 Go to previous messageGo to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 1/30/2011 4:39 PM, Ross McKay wrote:
> On Sun, 30 Jan 2011 14:09:11 +0000, Mad Hatter wrote:
>
>> I'm writing a simple script which will take a users input, save it to a
>> mysql database and then display it. I'm going to use htmlentities() to
>> clean things up which I hope will stop basic attacks but how else should I
>> sanitise my input?
>
> For databases, your best bet is the advice on this website:
>
> http://bobby-tables.com/
>
> "There is only one way to avoid Bobby Tables attacks
>
> * Do not create SQL statements that include outside data.
> * Use parameterized SQL calls.
>
> That's it. Don't try to escape invalid characters. Don't try to do it
> yourself. Learn how to use parameterized statements. Always, every
> single time."
>
> See http://bobby-tables.com/php.html for PHP instructions. My preference
> is PDO with bindValue(), YYMV.
>
> Also, you may prefer the lighter htmlspecialchars() to htmlentities() if
> your output is UTF-8 (which it should be):
>
> http://au2.php.net/manual/en/function.htmlspecialchars.php

No, that is not the "only way".

First of all, it is necessary to include outside data. How, for
instance, are you going to get the customer's name if you don't allow
outside data?

And properly escaping strings protects against attacks just as well as
using parameterized statements does.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Only SPAM!!!
Next Topic: What *tasks* are hard for PHP?
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Nov 27 01:18:08 GMT 2024

Total time taken to generate the page: 0.04837 seconds