
How to 'clean' data for security purposes

Posted: Fri Jun 25, 2004 8:31 pm
by dardsemail
A while back I posted some code regarding adding and deleting items from a database and someone mentioned the necessity of 'cleaning' the variables before using them.

I've tried doing something along the lines of:

$var = clean($var);

but to no avail. How do I go about cleaning a variable to ensure that it isn't some bogus variable entered by a user? I'm speaking particularly of variables that are passed through a URL.

Thanks!

Posted: Fri Jun 25, 2004 8:34 pm
by qads
here are some [google]sql injection tutorial[/google]s.

Posted: Mon Jun 28, 2004 9:21 pm
by dardsemail
I guess my biggest question is whether or not the clean function is supported any longer since it doesn't seem to be working for me. I can't seem to find anything to answer my question.

Posted: Mon Jun 28, 2004 11:51 pm
by d3ad1ysp0rk
You can always use:


$var = '';

Re: How to 'clean' data for security purposes

Posted: Tue Jun 29, 2004 6:32 am
by PAW Projects
dardsemail wrote:
How do I go about cleaning a variable to ensure that it isn't some bogus variable entered by a user? I'm speaking particularly of variables that are passed through a URL.

Thanks!
First of all, make sure those variables passed through a URL are checked independently.
You don't want to be inserting user-modifiable data straight into a database query.

For instance, check if numbers are indeed numbers with [php_man]is_numeric[/php_man].
And use [php_man]mysql_escape_string[/php_man].
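The two steps PAW Projects describes, type-checking numeric URL parameters and escaping free-text ones before they reach a query, as an added PHP example that is not code from the thread. It assumes a MySQL table `items` with columns `id` (INT) and `name` (VARCHAR) and placeholder connection credentials; it uses `mysqli_real_escape_string` as the current equivalent of the `mysql_escape_string` named above, and goes one step beyond the thread by showing the same update as a prepared statement.

```php
<?php
// Added example, not from the thread. Table `items` (id INT, name VARCHAR)
// and the connection credentials below are placeholders for illustration.

// Constructed sample input standing in for a real $_GET; in a real page you
// would read $_GET['id'] and $_GET['name'] directly.
$_GET = ['id' => '42', 'name' => "O'Reilly"];

// Step 1: type-check the numeric parameter. is_numeric() also accepts forms
// such as "1e3" or " 42", so ctype_digit() is the stricter check when the
// value must be a plain positive integer such as a primary key.
function clean_id($raw)
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;                 // reject anything that is not digits only
    }
    return (int) $raw;
}

// Step 2: free text cannot be type-checked, so bound its length and let the
// database driver escape it. The escaper needs the live connection so that
// the escaping matches the connection's character set.
function clean_name(mysqli $db, $raw, $max = 64)
{
    if (!is_string($raw)) {
        return null;
    }
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > $max) {
        return null;                 // reject oversize input rather than truncating
    }
    return mysqli_real_escape_string($db, $raw);
}

$db = new mysqli('localhost', 'app_user', 'placeholder_password', 'app_db');

$id   = clean_id($_GET['id']);
$name = clean_name($db, $_GET['name']);
if ($id === null || $name === null) {
    http_response_code(400);
    exit('Bad request');             // fail closed: never fall back to the raw value
}

// The escaped string must still be wrapped in quotes inside the SQL text;
// escaping without quoting is not safe. $id is an int, so it needs no quotes.
$sql = "UPDATE items SET name = '$name' WHERE id = $id";
$db->query($sql);

// Prepared statements go one step further than escaping: the values travel
// separately from the SQL text, so there is no escaping step to forget.
// The raw (unescaped, but length-checked) value is what gets bound.
$rawName = trim($_GET['name']);
$stmt = $db->prepare('UPDATE items SET name = ? WHERE id = ?');
$stmt->bind_param('si', $rawName, $id);   // 's' = string, 'i' = integer
$stmt->execute();
$stmt->close();
```

Both versions update the same row; the difference is that the first relies on every string being escaped and quoted correctly in hand-built SQL, while the prepared form keeps the query shape fixed whatever the parameter contains.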

Posted: Tue Jun 29, 2004 9:59 am
by qads
You can use [php_man]addslashes[/php_man] as well; when outputting, use [php_man]stripslashes[/php_man] to remove them.

Posted: Tue Jun 29, 2004 11:21 am
by dardsemail
thanks - i'll give it a shot...