FUDforum: comp.lang.php » Sanitising input

Home » Imported messages » comp.lang.php » Sanitising input

Show: Today's Messages :: Polls :: Message Navigator

Re: Sanitising input [message #172089 is a reply to message #172084]

Sun, 30 January 2011 16:35

Denis McMahon
Messages: 634
Registered: September 2010

Karma:

Senior Member

On 30/01/11 14:09, Mad Hatter wrote:

> I'm writing a simple script which will take a users input, save it to a
> mysql database and then display it. I'm going to use htmlentities() to
> clean things up which I hope will stop basic attacks but how else should I
> sanitise my input?

strings - use mysql_real_escape_string before using the string value as
data in an sql statement, eg:

$the_text = $_POST['text_field'];
$the_text = trim($the_text);
$the_text = str_replace($old,$new,$the_text);
// maybe do some additional stuff to $the_text here
$safe_text = mysql_real_escape_string($the_text);
$qry = "update table set field = '$safe_text' where otherfield = '$keyval'";
mysql_query($qry);

floats and ints, use floatval or intval to read them from the post or
get array:

$the_float = floatval($_POST['number_field']);
$the_int = inttval($_POST['number_field']);

dates & times, if you allow these to be entered as text fields, you
might get meaningful data with parse_date or strtotime, but it might be
better to use numbers and handle them as ints, or select elements.

Note that you can absolutely never assume that the data you receive will
bear any connection with your web page. It is trivial for an attacker to
view your form html, and to generate his own form that calls your form
handler with whatever data he desires to send in every form element.

The fact that your select element for year has values from "2001" to
"2020" doesn't stop an attacker sending:

"';;drop *;;"

or a base 64 encoded image file, or anything else at all, so you need to
write your scripts so that they check everything and only accept data
that they recognise.

Rgds

Denis McMahon

Report message to a moderator

[Message index]

		Sanitising input By: Mad Hatter on Sun, 30 January 2011 14:09
		Re: Sanitising input By: Michael Fesser on Sun, 30 January 2011 15:00
		Re: Sanitising input By: Denis McMahon on Sun, 30 January 2011 16:35
		Re: Sanitising input By: Norman Peelman on Mon, 31 January 2011 01:17
		Re: Sanitising input By: Captain Paralytic on Mon, 31 January 2011 11:51
		Re: Sanitising input By: Norman Peelman on Mon, 31 January 2011 23:39
		Re: Sanitising input By: Denis McMahon on Tue, 01 February 2011 00:53
		Re: Sanitising input By: Norman Peelman on Tue, 01 February 2011 11:26
		Re: Sanitising input By: Denis McMahon on Mon, 31 January 2011 12:05
		Re: Sanitising input By: P E Schoen on Sun, 30 January 2011 19:47
		Re: Sanitising input By: Felix Saphir on Sun, 30 January 2011 19:55
		Re: Sanitising input By: Ross McKay on Sun, 30 January 2011 21:39
		Re: Sanitising input By: Jerry Stuckle on Sun, 30 January 2011 21:50
		Re: Sanitising input By: Ross McKay on Mon, 31 January 2011 03:43
		Re: Sanitising input By: Jerry Stuckle on Mon, 31 January 2011 04:12
		Re: Sanitising input By: Ross McKay on Mon, 31 January 2011 05:01
		Re: Sanitising input By: Jerry Stuckle on Mon, 31 January 2011 05:10
		Re: Sanitising input By: Ross McKay on Mon, 31 January 2011 05:38
		Re: Sanitising input By: Jerry Stuckle on Mon, 31 January 2011 12:51
		Re: Sanitising input By: Sherm Pendley on Sun, 30 January 2011 22:18
		Re: Sanitising input By: Ross McKay on Mon, 31 January 2011 03:52
		Re: Sanitising input By: Sherm Pendley on Mon, 31 January 2011 05:23

Previous Topic:	Only SPAM!!!
Next Topic:	What tasks are hard for PHP?

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Fri Sep 20 13:24:30 GMT 2024

Total time taken to generate the page: 0.06489 seconds