How to implement escaping in code for input form pages

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

hallidayny
Forum Newbie
Posts: 3
Joined: Sun Nov 20, 2011 12:46 pm

How to implement escaping in code for input form pages

Post by hallidayny »

Good day, and thank you in advance to all of you brilliant and experienced programmers that can help me. I build websites for very small clients... some have things like event calendars with user registrations for the event. So, I am getting warnings for SQL injection errors, and most of my Dreamweaver extensions do not include any security except the (get_real_escape...) tag on the main event registration form. I have gone to the cheat sheet for escaping characters, but I really do not know where to include this code in my input forms. Syntax? Proper ordering? Will it disable other functions on the page? Thanks so much for your help.
Celauran
Moderator
Posts: 6425
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: How to implement escaping in code for input form pages

Post by Celauran »

Well, what have you tried? Show us some code and we can better offer pointers. Here's pointer #1: get a proper IDE.
hallidayny
Forum Newbie
Posts: 3
Joined: Sun Nov 20, 2011 12:46 pm

Re: How to implement escaping in code for input form pages

Post by hallidayny »

Hi - Thanks. That is a great idea. For the moment, though, I am just a designer using Dreamweaver and extensions.
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: How to implement escaping in code for input form pages

Post by twinedev »

For the following, when I say "data", I am referring to information that came from a form, passed via QueryString and/or previous data loaded back in from a database (Edit: and the other things listed in my last line below).

I keep Data in variables to always be the "raw" data (nothing escaped, converted to entities, etc)

For putting data into the database, use mysql_real_escape_string() (or prepared statements via PDO) *Note*, if it is a value going to a field that only holds integers, I will generally use (int) in front of it to force PHP to treat the data as an integer. ex.

Code:

$intPK = (isset($_GET['pk']) ? (int)$_GET['pk'] : 0);
For displaying the data on the website (or to be used in a form's value="" attribute), use htmlspecialchars().

For using data as part of a querystring in a link, use urlencode().

Remember the golden rule for handling data with PHP: NEVER trust anything that comes from the client. Examples: $_POST, $_GET, $_COOKIE, $_SERVER['HTTP_REFERER'], $_SERVER['PHP_SELF'], $_SERVER['HTTP_USER_AGENT']
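The rules in the post above, worked through as one runnable PHP script. This is an added example, not code from the thread or from any Dreamweaver extension. It assumes an in-memory SQLite database reached through PDO (so it runs without a MySQL server), a constructed $input array standing in for $_GET/$_POST, and a small helper h() of my own around htmlspecialchars(); the ENT_QUOTES flag and the combined urlencode()-then-htmlspecialchars() treatment of the link go slightly beyond what the post spells out.

```php
<?php
// Added example: one form submission handled with a different escaping
// function for each destination (database, HTML, URL). Not from the thread.
declare(strict_types=1);

// Constructed sample input standing in for $_GET / $_POST from the form.
$input = [
    'pk'   => '12abc',                              // should end up as the integer 12
    'name' => "O'Brien <script>alert(1)</script>",  // quote and markup on purpose
    'city' => 'Columbus, Ohio & more',
];

// Rule 1: keep the variables raw. Nothing is escaped at this point.
$rawName = $input['name'];
$rawCity = $input['city'];

// Rule 2: integer-only fields get (int) so PHP treats them as integers.
$intPK = isset($input['pk']) ? (int)$input['pk'] : 0;   // 12

// Rule 3: database writes go through prepared statements (PDO), never
// string concatenation. The driver keeps data and SQL apart.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE registrations (pk INTEGER, name TEXT, city TEXT)');

$stmt = $pdo->prepare(
    'INSERT INTO registrations (pk, name, city) VALUES (:pk, :name, :city)'
);
$stmt->execute([':pk' => $intPK, ':name' => $rawName, ':city' => $rawCity]);

// Reading it back shows the raw value survived unchanged, quote included.
$row = $pdo->query('SELECT pk, name, city FROM registrations')
           ->fetch(PDO::FETCH_ASSOC);

// Rule 4: anything printed into HTML (body text or a value="" attribute)
// goes through htmlspecialchars(). ENT_QUOTES also escapes single quotes,
// so the value cannot break out of a quoted attribute. h() is an
// assumed helper name, not a PHP built-in.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Rule 5: data placed inside a query string is urlencode()d first. Because
// the finished link then sits inside an href="" attribute, it is also
// passed through h() when printed: one escaping step per context.
$link = 'event.php?pk=' . urlencode((string)$row['pk'])
      . '&city=' . urlencode($row['city']);

echo 'Raw name from DB: ' . $row['name'] . "\n";
echo 'HTML body:        ' . h($row['name']) . "\n";
echo 'Form field:       <input type="text" name="name" value="' . h($row['name']) . '">' . "\n";
echo 'Link:             <a href="' . h($link) . '">' . h($row['city']) . "</a>\n";
```

Run it with `php example.php`. The same raw string is stored once and escaped three different ways on the way out; the escaping is applied at the point of output, which is where the original poster's "where do I put it" question is answered.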
hallidayny
Forum Newbie
Posts: 3
Joined: Sun Nov 20, 2011 12:46 pm

Re: How to implement escaping in code for input form pages

Post by hallidayny »

Thank you twin