How to 'clean' data for security purposes
Posted: Fri Jun 25, 2004 8:31 pm
by dardsemail
A while back I posted some code regarding adding and deleting items from a database and someone mentioned the necessity of 'cleaning' the variables before using them.
I've tried doing something along the lines of:
$var = clean($var);
but to no avail. How do I go about cleaning a variable to ensure that it isn't some bogus variable entered by a user? I'm speaking particularly of variables that are passed through a URL.
Thanks!
Posted: Fri Jun 25, 2004 8:34 pm
by qads
here are some [google]sql injection tutorial[/google]s.
Posted: Mon Jun 28, 2004 9:21 pm
by dardsemail
I guess my biggest question is whether or not the clean function is supported any longer since it doesn't seem to be working for me. I can't seem to find anything to answer my question.
Posted: Mon Jun 28, 2004 11:51 pm
by d3ad1ysp0rk
Re: How to 'clean' data for security purposes
Posted: Tue Jun 29, 2004 6:32 am
by PAW Projects
dardsemail wrote: How do I go about cleaning a variable to ensure that it isn't some bogus variable entered by a user? I'm speaking particularly of variables that are passed through a URL.
Thanks!
First of all, make sure those variables passed through a URL are checked independently.
You don't want to be inserting user-modifiable data straight into a database query.
For instance, check if numbers are indeed numbers with [php_man]is_numeric[/php_man].
And use ([php_man]mysql_escape_string[/php_man]).
Posted: Tue Jun 29, 2004 9:59 am
by qads
can use [php_man]addslashes[/php_man] as well; when outputting, use [php_man]stripslashes[/php_man] to remove them.
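The approach in the two answers above (validate each URL parameter first, then keep it out of the SQL text), as an added example that is not code from the thread; the `items` table, `id`/`name` parameter names and the PDO connection details are assumptions:

```php
<?php
// Added example (not from the thread): validate ?id= and ?name= from the URL
// before they touch a query, then bind them as parameters instead of
// escaping by hand.

function validate_id(array $params): ?int
{
    // Only a plain positive integer is accepted for id; everything else is rejected.
    if (!isset($params['id']) || !is_string($params['id']) || !ctype_digit($params['id'])) {
        return null;
    }
    $id = (int) $params['id'];
    return $id > 0 ? $id : null;
}

function validate_name(array $params): ?string
{
    // Allow-list the characters a name may contain and cap its length.
    if (!isset($params['name']) || !is_string($params['name'])
        || !preg_match('/^[A-Za-z0-9 _-]{1,40}$/', $params['name'])) {
        return null;
    }
    return $params['name'];
}

$id = validate_id($_GET);
if ($id === null) {
    http_response_code(400);
    exit('invalid id');
}

// Hypothetical DSN and credentials; adjust to your own setup.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// The value is sent as a bound parameter, so the database never parses it as SQL.
$stmt = $pdo->prepare('DELETE FROM items WHERE id = :id');
$stmt->execute([':id' => $id]);
echo 'deleted ' . $stmt->rowCount() . ' row(s)';
```

Note that `mysql_escape_string` and the rest of the `mysql_*` extension were removed in PHP 7, and `addslashes` is not aware of the connection's character set, so bound parameters are the durable replacement for both.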
Posted: Tue Jun 29, 2004 11:21 am
by dardsemail
thanks - i'll give it a shot...