How to 'clean' data for security purposes



dardsemail
Forum Contributor
Posts: 136
Joined: Thu Jun 03, 2004 9:02 pm

How to 'clean' data for security purposes

Post by dardsemail »

A while back I posted some code regarding adding and deleting items from a database and someone mentioned the necessity of 'cleaning' the variables before using them.

I've tried doing something along the lines of:

$var = clean($var);

but to no avail. How do I go about cleaning a variable to ensure that it isn't some bogus variable entered by a user? I'm speaking particularly of variables that are passed through a URL.

Thanks!
qads
DevNet Resident
Posts: 1199
Joined: Tue Apr 23, 2002 10:02 am
Location: Brisbane

Post by qads »

Here are some [google]sql injection tutorial[/google]s.
dardsemail
Forum Contributor
Posts: 136
Joined: Thu Jun 03, 2004 9:02 pm

Post by dardsemail »

I guess my biggest question is whether or not the clean function is supported any longer since it doesn't seem to be working for me. I can't seem to find anything to answer my question.
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

You can always use:


$var = '';
PAW Projects
Forum Commoner
Posts: 30
Joined: Tue Jun 15, 2004 7:43 am

Re: How to 'clean' data for security purposes

Post by PAW Projects »

dardsemail wrote: How do I go about cleaning a variable to ensure that it isn't some bogus variable entered by a user? I'm speaking particularly of variables that are passed through a URL.

Thanks!
First of all, make sure those variables passed through a URL are checked independently.
You don't want to be inserting user-modifiable data straight into a database query.

For instance, check if numbers are indeed numbers with [php_man]is_numeric[/php_man].
And use [php_man]mysql_escape_string[/php_man].
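A worked version of the validate-then-query advice above, added here and not code from the thread: the id from the URL is checked as a whole number and then bound with a PDO prepared statement, which replaces the mysql_escape_string call named above (the mysql_* extension was removed in PHP 7). The `items` table, the in-memory SQLite database standing in for MySQL, and the sample inputs are all constructed for this example.

```php
<?php
// Added example, not code from the thread. Validates an id taken from the
// query string and binds it with a PDO prepared statement, so the value is
// never spliced into the SQL text. Table `items` and the SQLite in-memory
// database are constructed stand-ins for the poster's MySQL setup.

// Strict whole-number check. is_numeric() would also accept "1e3" and
// " 42", so FILTER_VALIDATE_INT is used instead; bad input yields null
// rather than a "cleaned" guess at what the user meant.
function validateId(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Delete by id using a bound parameter; returns the number of rows removed.
function deleteItem(PDO $db, int $id): int
{
    $stmt = $db->prepare('DELETE FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed fixture: two rows in an in-memory database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO items (id, name) VALUES (42, 'widget'), (43, 'gadget')");

// Constructed values standing in for $_GET['id'] on successive requests.
$samples = ['42', '1e3', '43 OR 1=1', '-7', '', null];
foreach ($samples as $raw) {
    $id = validateId($raw);
    if ($id === null) {
        printf("%-12s rejected before any query\n", var_export($raw, true));
        continue;
    }
    printf("%-12s deleted %d row(s)\n", var_export($raw, true), deleteItem($db, $id));
}

// Remaining rows after the loop.
printf("rows left: %d\n", $db->query('SELECT COUNT(*) FROM items')->fetchColumn());
```

With a real MySQL connection, pass the DSN and credentials to `new PDO(...)` in place of the SQLite line; the validation and the prepared statement stay the same.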
qads
DevNet Resident
Posts: 1199
Joined: Tue Apr 23, 2002 10:02 am
Location: Brisbane

Post by qads »

You can use [php_man]addslashes[/php_man] as well; when outputting, use [php_man]stripslashes[/php_man] to remove them.
dardsemail
Forum Contributor
Posts: 136
Joined: Thu Jun 03, 2004 9:02 pm

Post by dardsemail »

Thanks - I'll give it a shot...