FUDforum

Re: Sanitising input [message #172103 is a reply to message #172102] Sun, 30 January 2011 21:50
Jerry Stuckle
On 1/30/2011 4:39 PM, Ross McKay wrote:
> On Sun, 30 Jan 2011 14:09:11 +0000, Mad Hatter wrote:
>
>> I'm writing a simple script which will take a user's input, save it to a
>> mysql database and then display it. I'm going to use htmlentities() to
>> clean things up which I hope will stop basic attacks but how else should I
>> sanitise my input?
>
> For databases, your best bet is the advice on this website:
>
> http://bobby-tables.com/
>
> "There is only one way to avoid Bobby Tables attacks
>
> * Do not create SQL statements that include outside data.
> * Use parameterized SQL calls.
>
> That's it. Don't try to escape invalid characters. Don't try to do it
> yourself. Learn how to use parameterized statements. Always, every
> single time."
>
> See http://bobby-tables.com/php.html for PHP instructions. My preference
> is PDO with bindValue(), YMMV.
>
> Also, you may prefer the lighter htmlspecialchars() to htmlentities() if
> your output is UTF-8 (which it should be):
>
> http://au2.php.net/manual/en/function.htmlspecialchars.php

No, that is not the "only way".

First of all, it is necessary to include outside data. How, for
instance, are you going to get the customer's name if you don't allow
outside data?

And properly escaping strings protects against attacks just as well as
using parameterized statements does.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
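The two techniques the thread discusses, a PDO prepared statement with bindValue() for the database write and htmlspecialchars() for the HTML output, as an added example in PHP. This is not code from any poster in the thread; the table name, column names and the in-memory SQLite database are assumptions chosen so it runs stand-alone, and the sample inputs are constructed.

```php
<?php
// Added example (not from any poster in the thread): store user-supplied text
// with a PDO prepared statement and escape it for HTML only when displayed.
// An in-memory SQLite database stands in for MySQL so the script runs offline;
// the "comments" table and its columns are assumptions for this example.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT NOT NULL)');
    return $db;
}

// Store the raw text unchanged. No escaping happens here: the value travels
// as a bound parameter, so the database never parses it as part of the SQL.
function saveComment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Read a row back, again through a bound parameter.
function loadComment(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// Escape for the HTML context at the point of output. ENT_QUOTES converts
// both quote characters, so the result is also safe inside attribute values.
function renderComment(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$db = openDb();

// Constructed sample inputs containing the characters that matter in both
// the SQL and the HTML context: quotes, a semicolon, and a tag.
$samples = [
    "Robert'); DROP TABLE comments;--",
    '<script>alert("xss")</script>',
    "Plain text with an apostrophe: O'Brien",
];

foreach ($samples as $text) {
    $id = saveComment($db, $text);
    $stored = loadComment($db, $id);
    // What comes back is byte-for-byte what the user sent: nothing was
    // mangled on the way in, and the escaping is applied only on display.
    if ($stored !== $text) {
        throw new RuntimeException("stored value differs for id {$id}");
    }
    echo renderComment($stored), PHP_EOL;
}

// The table is still present and holds every row, including the one whose
// text looks like a second SQL statement.
$count = (int) $db->query('SELECT COUNT(*) FROM comments')->fetchColumn();
echo "rows stored: {$count}", PHP_EOL;
```

The separation is the point: the database layer sees parameters, not SQL fragments, and the HTML layer escapes for its own context at output time, so neither step has to know what the other will do with the data.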