php +clean user input
Posted: Sun Sep 10, 2006 7:47 pm
by bob_the _builder
Hi,
Is the following enough to clean user input before inserting into db:
$field = mysql_real_escape_string(trim(strip_tags($_POST['field'])));
To my knowledge trim doesn't take away spaces between words in a paragraph?
Also, what's the best way to clean any data sent across the URL like below?
index.php?action=user&user_id='.$_SESSION['user_id'].'
Thanks
Re: php +clean user input
Posted: Sun Sep 10, 2006 9:23 pm
by feyd
bob_the _builder wrote:Hi,
Is the following enough to clean user input before inserting into db:
$field = mysql_real_escape_string(trim(strip_tags($_POST['field'])));
Depending on what you're doing and your server settings, it can be.
bob_the _builder wrote: To my knowledge trim doesn't take away spaces between words in a paragraph?
Why not test that theory?
bob_the _builder wrote: Also, what's the best way to clean any data sent across the URL like below?
index.php?action=user&user_id='.$_SESSION['user_id'].'
That would depend on your server settings.
stripslashes() may be needed. But that only brings the data back to a central level. After that, you need to add validation and verification specific to each piece of data.
Posted: Sun Sep 10, 2006 10:00 pm
by bob_the _builder
Hi,
Thanks, but I'm not clear at all on how to clean:
index.php?action=user&user_id='.$_SESSION['user_id'].'
from SQL injections etc. I guess something should be done other than stripslashes to make the query safe?
Thanks
Posted: Sun Sep 10, 2006 10:08 pm
by feyd
Many databases have specific escaping requirements, so it's hard to say, but I guess I can assume you're using MySQL. In which case, you already have the function name above. However, that only makes it potentially injection-safe. It does not protect you from using unexpected data in your queries. That is what validation and verification are for. What that specifically means varies depending on what specific data you are dealing with. If you're expecting numbers, make sure it's a number, and so forth.
Posted: Sun Sep 10, 2006 10:37 pm
by bob_the _builder
so something like:
// Strip tags, trim whitespace, then escape for MySQL
$field = mysql_real_escape_string(trim(strip_tags($_POST['field'])));
if (is_numeric($field)) {
    // continue with query
} else {
    echo "Nice Try";
}
or maybe a function:
function validate($value) {
    // Non-numeric input: strip tags, trim, then escape for MySQL.
    // Numeric input is returned unchanged.
    if (!is_numeric($value)) {
        $value = mysql_real_escape_string(trim(strip_tags($value)));
    }
    return $value;
}
$user = validate($_POST['field']);
Thanks
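The following is an added example, not code from either poster. It puts feyd's two steps together (first undo magic_quotes_gpc so every value starts from the same raw state, then validate per field and escape only what goes inside quotes) and shows the difference between the `is_numeric()` check in the last post and a strict digits-only check for `user_id`. It assumes a MySQL link already opened with `mysql_connect()` (the extension this thread uses, removed in PHP 7) and a hypothetical `users` table with an integer `user_id` column; both are assumptions, not something the thread states.

```php
<?php
// Added example (not from the original thread). Assumes a MySQL link opened
// with mysql_connect() and a hypothetical `users` table with integer user_id.

// Step 1: bring input back to a "central level". If magic_quotes_gpc is on,
// PHP has already added backslashes; remove them so we never escape twice.
function raw_input($value) {
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Step 2a: validation for a numeric id. is_numeric() accepts "1e3", ".5",
// and leading whitespace, all of which are fine for MySQL but are not ids.
// ctype_digit() on a string accepts only "0"-"9"; "" is rejected as well.
// Returns an int, or null if the value is not an acceptable id.
function valid_user_id($value) {
    $value = raw_input($value);
    if (!is_string($value) || !ctype_digit($value)) {
        return null;
    }
    return (int) $value;
}

// Step 2b: validation plus escaping for a free-text field. strip_tags and
// trim normalise the value, the length check rejects oversized input, and
// mysql_real_escape_string makes it safe *inside single quotes* only.
// Returns the escaped string, or null if the value is too long.
function clean_text($value, $max_len = 255) {
    $value = trim(strip_tags(raw_input($value)));
    if (strlen($value) > $max_len) {
        return null;
    }
    return mysql_real_escape_string($value);
}

// The user_id arriving on the URL (index.php?action=user&user_id=...) is
// validated as an integer and then used as an integer: no quotes, no escaping.
$user_id = valid_user_id(isset($_GET['user_id']) ? $_GET['user_id'] : '');
if ($user_id === null) {
    header('HTTP/1.0 400 Bad Request');
    exit('Invalid user id');
}
$sql = "SELECT name FROM users WHERE user_id = " . $user_id;

// A text field from a form is cleaned, escaped, and always placed inside
// single quotes in the query; an escaped value outside quotes is still injectable.
$field = clean_text(isset($_POST['field']) ? $_POST['field'] : '');
if ($field === null) {
    exit('Field too long');
}
$sql2 = "UPDATE users SET bio = '" . $field . "' WHERE user_id = " . $user_id;
```

Two points the thread hints at but does not spell out: `mysql_real_escape_string()` only protects a value that is wrapped in quotes in the SQL, so an integer column should be cast and used bare rather than escaped; and the `validate()` function in the last post returns numeric input unchanged, so the caller must still ensure it ends up in an unquoted numeric position. With the mysqli or PDO extensions, prepared statements with bound parameters remove the need for manual escaping altogether, though the per-field validation above is still needed.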