How to implement escaping in code for input form pages
Posted: Sun Nov 20, 2011 1:01 pm
by hallidayny
Good day, and thank you in advance to all of you brilliant and experienced programmers who can help me. I build websites for very small clients... some have things like event calendars with user registrations for the event. So, I am getting warnings for SQL injection errors, and most of my Dreamweaver extensions do not include any security except the (get_real_escape...) tag on the main event registration form. I have gone to the cheat sheet for escaping characters, but I really do not know where to include this code in my input forms. Syntax? Proper ordering? Will it disable other functions on the page? Thanks so much for your help.
Re: How to implement escaping in code for input form pages
Posted: Sun Nov 20, 2011 8:57 pm
by Celauran
Well, what have you tried? Show us some code and we can better offer pointers. Here's pointer #1: get a proper IDE.
Re: How to implement escaping in code for input form pages
Posted: Mon Nov 21, 2011 9:43 am
by hallidayny
Hi - Thanks. That is a great idea. For the moment, though, I am just a designer using Dreamweaver and extensions.
Re: How to implement escaping in code for input form pages
Posted: Mon Nov 21, 2011 9:58 am
by twinedev
For the following, when I say "data", I am referring to information that came from a form, passed via QueryString and/or previous data loaded back in from a database (Edit: and the other things listed in my last line below)
I keep data in variables always as the "raw" data (nothing escaped, converted to entities, etc.).
For putting data into the database, use mysql_real_escape_string() (or prepared statements via PDO). *Note*: if it is a value going to a field that only holds integers, I will generally put (int) in front of it to force PHP to treat the data as an integer, e.g.
Code:
// (int) forces an integer; anything non-numeric (including injection text) becomes 0
$intPK = (isset($_GET['pk']) ? (int)$_GET['pk'] : 0);
For displaying the data on the website (or to be used in a form's value="" attribute), use htmlspecialchars()
For using data as part of a querystring in a link, use urlencode
Remember the golden rule for handling data with PHP: NEVER trust anything that comes from the client. Examples: $_POST, $_GET, $_COOKIE, $_SERVER['HTTP_REFERER'], $_SERVER['PHP_SELF'], $_SERVER['HTTP_USER_AGENT']
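The rules in the post above, worked through as one complete request handler. This is an added example, not code from the thread or from any Dreamweaver extension; it uses PDO prepared statements (the second option twinedev names; the old mysql_* functions were removed in PHP 7) against an in-memory SQLite database so it runs offline. The table names (events, registrations), the form fields (pk, name, email) and the hostile request values are all assumed and constructed for the demonstration.

```php
<?php
// Added example (not from the thread): an event registration handler that keeps
// raw data in variables, binds it as parameters for the database, escapes it with
// htmlspecialchars() at display time and urlencode()s it when building a link.
// Assumed schema and form fields; SQLite in memory so it runs without a server.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares where the driver supports them
]);
$db->exec('CREATE TABLE events (pk INTEGER PRIMARY KEY, title TEXT)');
$db->exec('CREATE TABLE registrations (id INTEGER PRIMARY KEY AUTOINCREMENT, event_pk INTEGER, name TEXT, email TEXT)');
$db->exec("INSERT INTO events (pk, title) VALUES (7, 'Fall Picnic <2011>')");

// Constructed request: the kind of thing a hostile visitor submits.
$_GET  = ['pk' => "7' OR '1'='1"];                                              // injection attempt
$_POST = ['name' => "O'Brien <script>alert(1)</script>", 'email' => 'x@example.com&y=1'];

// 1. Keep the raw values in variables; nothing is escaped at this point.
$intPK = (isset($_GET['pk']) ? (int)$_GET['pk'] : 0);       // (int) turns "7' OR ..." into 7
$name  = isset($_POST['name'])  ? (string)$_POST['name']  : '';
$email = isset($_POST['email']) ? (string)$_POST['email'] : '';

// 2. Database: a prepared statement with bound parameters; values are never
//    concatenated into the SQL text, so the quote in "O'Brien" cannot break the query.
$stmt = $db->prepare('INSERT INTO registrations (event_pk, name, email) VALUES (:pk, :name, :email)');
$stmt->bindValue(':pk',    $intPK, PDO::PARAM_INT);
$stmt->bindValue(':name',  $name,  PDO::PARAM_STR);
$stmt->bindValue(':email', $email, PDO::PARAM_STR);
$stmt->execute();

$stmt = $db->prepare('SELECT title FROM events WHERE pk = :pk');
$stmt->execute([':pk' => $intPK]);
$title = (string)$stmt->fetchColumn();   // data loaded back from the database is still "raw"

// 3. Output: escape for HTML at the moment of display, including value="" attributes.
//    ENT_QUOTES also converts single quotes, which matters inside attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 4. Links: urlencode() each value that goes into the query string first, then
//    escape the finished URL for the HTML attribute it sits in (order matters).
$link = 'event.php?pk=' . urlencode((string)$intPK) . '&email=' . urlencode($email);

echo '<h1>Registered for ' . h($title) . '</h1>' . PHP_EOL;
echo '<form method="post">' . PHP_EOL;
echo '  <input name="name" value="' . h($name) . '">' . PHP_EOL;   // quotes and <> neutralised
echo '</form>' . PHP_EOL;
echo '<a href="' . h($link) . '">back to event</a>' . PHP_EOL;
```

The same raw $name is used three times with no conversion in between: bound as a parameter for SQL, passed through h() for the page, and never escaped twice. Escaping for one context (SQL) and then reusing that escaped string in another (HTML) is the usual source of both double-escaped output and missed injections, which is why the post keeps the variables raw and escapes at each point of use.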
Re: How to implement escaping in code for input form pages
Posted: Mon Nov 21, 2011 11:25 am
by hallidayny
Thank you twin