FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.
Home » Imported messages » comp.lang.php » Sanitising input
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Sanitising input [message #172112 is a reply to message #172089] Mon, 31 January 2011 01:17 Go to previous messageGo to previous message
Norman Peelman is currently offline  Norman Peelman
Messages: 126
Registered: September 2010
Karma:
Senior Member
Denis McMahon wrote:
> On 30/01/11 14:09, Mad Hatter wrote:
>
>> I'm writing a simple script which will take a users input, save it to a
>> mysql database and then display it. I'm going to use htmlentities() to
>> clean things up which I hope will stop basic attacks but how else should I
>> sanitise my input?
>
> strings - use mysql_real_escape_string before using the string value as
> data in an sql statement, eg:
>
> $the_text = $_POST['text_field'];
> $the_text = trim($the_text);
> $the_text = str_replace($old,$new,$the_text);
> // maybe do some additional stuff to $the_text here
> $safe_text = mysql_real_escape_string($the_text);
> $qry = "update table set field = '$safe_text' where otherfield = '$keyval'";
> mysql_query($qry);
>
> floats and ints, use floatval or intval to read them from the post or
> get array:
>
> $the_float = floatval($_POST['number_field']);
> $the_int = inttval($_POST['number_field']);
>
> dates & times, if you allow these to be entered as text fields, you
> might get meaningful data with parse_date or strtotime, but it might be
> better to use numbers and handle them as ints, or select elements.
>
> Note that you can absolutely never assume that the data you receive will
> bear any connection with your web page. It is trivial for an attacker to
> view your form html, and to generate his own form that calls your form
> handler with whatever data he desires to send in every form element.
>
> The fact that your select element for year has values from "2001" to
> "2020" doesn't stop an attacker sending:
>
> "';;drop *;;"
>

To the best of my knowledge, the PHP/MySQL library doesn't allow more
than one sql statement in the same query.


> or a base 64 encoded image file, or anything else at all, so you need to
> write your scripts so that they check everything and only accept data
> that they recognise.
>
> Rgds
>
> Denis McMahon


--
Norman
Registered Linux user #461062
-Have you been to www.php.net yet?-

Report message to a moderator

[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Only SPAM!!!
Next Topic: What *tasks* are hard for PHP?
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Fri Sep 20 13:41:53 GMT 2024

Total time taken to generate the page: 0.04516 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.1.3.
Copyright ©2001-2023 FUDforum Bulletin Board Software