How to implement escaping in code for input form pages
-
hallidayny
- Forum Newbie
- Posts: 3
- Joined: Sun Nov 20, 2011 12:46 pm
How to implement escaping in code for input form pages
Good day, and thank you in advance to all of you brilliant and experienced programmers who can help me. I build websites for very small clients... some have things like event calendars with user registrations for the event. So, I am getting warnings for SQL injection errors, and most of my Dreamweaver extensions do not include any security except the (get_real_escape...) tag on the main event registration form. I have gone to the cheat sheet for escaping characters, but I really do not know where to include this code in my input forms. Syntax? Proper ordering? Will it disable other functions on the page? Thanks so much for your help.
Re: How to implement escaping in code for input form pages
Well, what have you tried? Show us some code and we can better offer pointers. Here's pointer #1: get a proper IDE.
-
hallidayny
- Forum Newbie
- Posts: 3
- Joined: Sun Nov 20, 2011 12:46 pm
Re: How to implement escaping in code for input form pages
Hi - Thanks. That is a great idea. For the moment, though, I am just a designer using Dreamweaver and extensions.
Re: How to implement escaping in code for input form pages
For the following, when I say "data", I am referring to information that came from a form, passed via QueryString and/or previous data loaded back in from a database (Edit: and the other things listed in my last line below).
I keep data in variables to always be the "raw" data (nothing escaped, converted to entities, etc.).
For putting data into the database, use mysql_real_escape_string() (or prepared statements via PDO). *Note*, if it is a value going to a field that only holds integers, I will generally use (int) in front of it to force PHP to treat the data as an integer, e.g.:
Code:
$intPK = (isset($_GET['pk']) ? (int)$_GET['pk'] : 0);
For displaying the data on the website (or to be used in a form's value="" attribute), use htmlspecialchars().
For using data as part of a querystring in a link, use urlencode().
Remember the golden rule for handling data with PHP: NEVER trust anything that comes from the client. Examples: $_POST, $_GET, $_COOKIE, $_SERVER['HTTP_REFERER'], $_SERVER['PHP_SELF'], $_SERVER['HTTP_USER_AGENT']
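The four rules in the reply above (raw data in variables, escape or bind for the database, htmlspecialchars() for HTML, urlencode() for query strings) put together in one small event-registration script. This is an added example, not code from the original poster or the replier. The table and column names, the form fields and the sample inputs are constructed for illustration, and the database is an in-memory SQLite handle so the script runs stand-alone (for MySQL only the DSN and credentials in the PDO constructor change). One caveat the thread predates: the mysql_* functions, including mysql_real_escape_string(), were removed in PHP 7, so the prepared-statement route is the one to take today.

```php
<?php
// Added example: the four escaping contexts from the post above, applied to an
// event-registration form. Table/column names are assumptions; SQLite is used
// only so this runs without a MySQL server (requires the pdo_sqlite extension).
declare(strict_types=1);

// 1. Keep the raw data raw: read each value out of the superglobals once and do
//    not escape it here. The defaults are constructed sample input so the script
//    also runs from the command line, where $_GET/$_POST are empty.
$eventId = isset($_GET['event']) ? (int)$_GET['event'] : 7;      // integer column: cast, do not escape
$name    = $_POST['name']  ?? "O'Brien <script>alert(1)</script>"; // constructed: quote + HTML
$email   = $_POST['email'] ?? 'x@example.com&admin=1';             // constructed: & would split a query string

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // let the driver bind, do not interpolate client-side
]);
$pdo->exec('CREATE TABLE registrations (id INTEGER PRIMARY KEY, event_id INTEGER, name TEXT, email TEXT)');

// 2. Into the database: a prepared statement. The SQL text is fixed and the
//    values are sent separately, so the apostrophe in O'Brien can never close
//    the string literal and the <script> tag is stored as plain text.
$stmt = $pdo->prepare(
    'INSERT INTO registrations (event_id, name, email) VALUES (:event, :name, :email)'
);
$stmt->bindValue(':event', $eventId, PDO::PARAM_INT);
$stmt->bindValue(':name',  $name,    PDO::PARAM_STR);
$stmt->bindValue(':email', $email,   PDO::PARAM_STR);
$stmt->execute();

// Reading it back shows the stored value is byte-for-byte the raw input:
// no backslashes, no entities. Escaping belongs to the output context, not storage.
$row = $pdo->query('SELECT name, email FROM registrations')->fetch(PDO::FETCH_ASSOC);
assert($row['name'] === $name && $row['email'] === $email);

// 3. Into HTML (page text or a value="" attribute): htmlspecialchars() at the
//    point of output. ENT_QUOTES also encodes the single quote, which matters
//    if an attribute is ever delimited with ' instead of ".
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 4. Into a query string: urlencode() each value, so the & in the sample e-mail
//    stays inside the email parameter instead of starting a second one.
//    The assembled URL then goes through h() as well when it lands in href="",
//    because an attribute is an HTML context on top of the URL context.
$detailsUrl = 'register.php?event=' . $eventId . '&email=' . urlencode($row['email']);
?>
<form method="post" action="register.php?event=<?= $eventId ?>">
  <input type="text" name="name"  value="<?= h($row['name']) ?>">
  <input type="text" name="email" value="<?= h($row['email']) ?>">
  <input type="submit" value="Register">
</form>
<a href="<?= h($detailsUrl) ?>">Your registration</a>
```

Run it from the command line (php register.php) to see the rendered form: the stored name comes back as `O&#039;Brien &lt;script&gt;...` inside the value attribute, and the link carries `email=x%40example.com%26admin%3D1`. Note the ordering in step 4: URL-encode the value first, then HTML-encode the whole attribute; doing it the other way round produces a link the browser decodes incorrectly.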
-
hallidayny
- Forum Newbie
- Posts: 3
- Joined: Sun Nov 20, 2011 12:46 pm
Re: How to implement escaping in code for input form pages
Thank you twin