php +clean user input

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

bob_the _builder
Forum Contributor
Posts: 131
Joined: Sat Aug 28, 2004 12:25 am

php +clean user input

Post by bob_the _builder »

Hi,

Is the following enough to clean user input before inserting into db:

Code:

$field = mysql_real_escape_string(trim(strip_tags($_POST['field'])));
To my knowledge, trim doesn't take away spaces between words in a paragraph?


Also, what's the best way to clean any data sent across the URL like below?

Code:

index.php?action=user&user_id='.$_SESSION['user_id'].'


Thanks
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Re: php +clean user input

Post by feyd »

bob_the _builder wrote: Hi,

Is the following enough to clean user input before inserting into db:

Code:

$field = mysql_real_escape_string(trim(strip_tags($_POST['field'])));
Depending on what you're doing and your server settings, it can be.
bob_the _builder wrote: To my knowledge, trim doesn't take away spaces between words in a paragraph?
Why not test that theory?
bob_the _builder wrote: Also, what's the best way to clean any data sent across the URL like below?

Code:

index.php?action=user&user_id='.$_SESSION['user_id'].'
That would depend on your server settings. stripslashes() may be needed. But that only brings the data back to a central level. After that you need to add validation and verification specific to each piece of data.
bob_the _builder
Forum Contributor
Posts: 131
Joined: Sat Aug 28, 2004 12:25 am

Post by bob_the _builder »

Hi,

Thanks, but I'm not clear at all how to clean:

Code:

index.php?action=user&user_id='.$_SESSION['user_id'].'
from SQL injections etc. I guess something should be done other than stripslashes to make the query safe?


Thanks
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Many databases have specific escapement requirements, so it's hard to say, but I guess I can assume you're using MySQL. In which case, you already have the function name above. However, that only makes it potentially injection safe. It does not protect you from using unexpected data in your queries. That is what validation and verification is for. What that specifically means varies with what specific data you are dealing with. If you're expecting numbers, make sure it's a number, and so forth.
bob_the _builder
Forum Contributor
Posts: 131
Joined: Sat Aug 28, 2004 12:25 am

Post by bob_the _builder »

So something like:

Code:

$field = mysql_real_escape_string(trim(strip_tags($_POST['field'])));

if (is_numeric($field)) {
    // continue with query
} else {
    echo "Nice Try";
}

or maybe a function:

Code:

function validate($value) {
    if (!is_numeric($value)) {
        $value = mysql_real_escape_string(trim(strip_tags($value)));
    }
    return $value;
}

$user = validate($_POST['field']);

Thanks
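The thread's two pieces of advice (escape for the query, and separately validate that each value is what you expect) are shown together below as an added example; it is not code from either poster. It uses PDO with bound parameters instead of mysql_real_escape_string, because the mysql_* extension was removed in PHP 7 and bound parameters keep user data out of the SQL text entirely, and it validates the URL's user_id with FILTER_VALIDATE_INT rather than is_numeric(), which also accepts forms like "1e3" or " 12". The table name user_fields, the DSN and the credentials are placeholders, and the request values are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Validate a value that must be a positive integer id (e.g. user_id from the URL).
// Returns the int, or null when the input is not acceptable. FILTER_VALIDATE_INT
// rejects "1e3", " 12", "0x1A" and "12abc", all of which is_numeric() or a loose
// (int) cast would let through; the type check rejects arrays (?user_id[]=1).
function validateUserId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Validate a free-text field: must be a string, valid UTF-8, non-empty after
// trim(), and within a length limit. No escaping happens here: escaping belongs
// to the layer that uses the value (bound parameters for SQL, htmlspecialchars
// for HTML output), so the stored data stays exactly what the user typed.
function validateTextField(mixed $raw, int $maxLen = 1000): ?string
{
    if (!is_string($raw) || !mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    $value = trim($raw);
    if ($value === '' || mb_strlen($value, 'UTF-8') > $maxLen) {
        return null;
    }
    return $value;
}

// Insert with bound parameters: the values never become part of the SQL text,
// so quotes and backslashes in $field are harmless and no escaping call is needed.
function insertField(PDO $pdo, int $userId, string $field): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO user_fields (user_id, field) VALUES (:user_id, :field)'
    );
    $stmt->bindValue(':user_id', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':field', $field, PDO::PARAM_STR);
    $stmt->execute();
}

// Constructed sample request values so the script can be read end to end.
$_GET['user_id'] = $_GET['user_id'] ?? '42';
$_POST['field']  = $_POST['field']  ?? "O'Reilly said: 1 OR 1=1 -- hi";

$userId = validateUserId($_GET['user_id']);
$field  = validateTextField($_POST['field']);

if ($userId === null || $field === null) {
    http_response_code(400);
    echo 'Invalid input';
    exit;
}

// Placeholder DSN and credentials; ERRMODE_EXCEPTION surfaces failed queries,
// and disabling emulation gives real server-side prepared statements.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'db_user', 'db_password', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);
insertField($pdo, $userId, $field);

// When the stored text is rendered back into a page, escape for that context.
echo htmlspecialchars($field, ENT_QUOTES | ENT_HTML5, 'UTF-8');
```

The split mirrors feyd's point: validation decides whether the request is acceptable at all (a non-integer user_id gets a 400, not a guessed value), while the query layer handles quoting. Dropping strip_tags from the input path and escaping with htmlspecialchars on output instead keeps legitimate text such as "a < b" intact in the database and still prevents the value from being interpreted as HTML when displayed.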