Tainted User Input

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Bigun
Forum Contributor
Posts: 237
Joined: Tue Jun 13, 2006 10:50 am


Post by Bigun »

In some of my input fields I will allow some HTML, others none... and some could be used with MySQL injection attacks.

Now, my question is this: what is the easiest method to filter user input?

in_array();
!in_array();
someotherfunctionidontknowabout();
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria
Contact:

Post by jmut »

Bigun
Forum Contributor
Posts: 237
Joined: Tue Jun 13, 2006 10:50 am

Post by Bigun »

Is that link having issues loading with anyone else?
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria
Contact:

Post by jmut »

me :)
Bigun
Forum Contributor
Posts: 237
Joined: Tue Jun 13, 2006 10:50 am

Post by Bigun »

Working now..

:?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I find there are two schools of thought on this:

1. Validate input first, error if there are problems, and then filter as necessary. Filtering is simplified.

2. Filter input first, then validate and error if there are problems. Validation is simplified.
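As an added example (not code from the thread or from any of the posters), here is Christopher's first approach in PHP, applied to the kind of form Bigun describes: one field that takes no HTML, one that allows a short allow-list of tags, one chosen from a fixed set (the in_array() case from the question), and an integer id that ends up in a SQL statement. Field names, the tag and category allow-lists, the table layout and the use of an in-memory SQLite database are all assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Validate the raw input first and
// stop on any error; only then filter each field according to its own policy.
// Field names, allow-lists and the comments table are assumptions.

declare(strict_types=1);

// strip_tags() keeps only these tags. Its allow-list covers tag names only, so
// attributes (onmouseover=, href="javascript:...") survive and are removed below.
const ALLOWED_TAGS = '<b><i><em><strong><p><br>';
const ALLOWED_CATEGORIES = ['news', 'review', 'question'];

// Step 1: validate the raw input. Returns error messages; an empty array means OK.
function validateForm(array $in): array
{
    $errors = [];
    if (!isset($in['id']) || !is_string($in['id']) || !ctype_digit($in['id'])) {
        $errors[] = 'id must be a non-negative integer';
    }
    if (!isset($in['title']) || !is_string($in['title'])
        || trim($in['title']) === '' || strlen($in['title']) > 100) {
        $errors[] = 'title is required and at most 100 bytes';
    }
    if (!isset($in['comment']) || !is_string($in['comment']) || strlen($in['comment']) > 4000) {
        $errors[] = 'comment is required and at most 4000 bytes';
    }
    // Closed set of values: compare strictly against the allow-list.
    if (!isset($in['category']) || !in_array($in['category'], ALLOWED_CATEGORIES, true)) {
        $errors[] = 'category must be one of ' . implode(', ', ALLOWED_CATEGORIES);
    }
    return $errors;
}

// Keep only the allow-listed tags, then drop every attribute on the survivors.
function filterHtml(string $html): string
{
    $kept = strip_tags($html, ALLOWED_TAGS);
    return preg_replace('/<(\/?)(\w+)[^>]*>/', '<$1$2>', $kept) ?? '';
}

// Step 2: filter each already-validated field according to its policy.
function filterForm(array $in): array
{
    return [
        'id'       => (int) $in['id'],
        // No HTML allowed: encode so any markup renders as literal text.
        // (Done here for brevity; normally encode at output time, per context.)
        'title'    => htmlspecialchars(trim($in['title']), ENT_QUOTES, 'UTF-8'),
        // Limited HTML allowed: allow-list the tags, strip all attributes.
        'comment'  => filterHtml($in['comment']),
        'category' => $in['category'], // validation proved it is an allowed value
    ];
}

// SQL injection is not a text-filtering problem: bind the values with a
// prepared statement so the query structure and the data never mix.
function saveComment(PDO $db, array $clean): int
{
    $stmt = $db->prepare(
        'INSERT INTO comments (post_id, category, title, body) VALUES (:id, :cat, :title, :body)'
    );
    $stmt->bindValue(':id', $clean['id'], PDO::PARAM_INT);
    $stmt->bindValue(':cat', $clean['category'], PDO::PARAM_STR);
    $stmt->bindValue(':title', $clean['title'], PDO::PARAM_STR);
    $stmt->bindValue(':body', $clean['comment'], PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Constructed sample input standing in for $_POST, plus an in-memory SQLite
// database (assumption) so the example runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, post_id INTEGER,
           category TEXT, title TEXT, body TEXT)');

$input = [
    'id'       => '42',
    'title'    => 'Hello <script>alert(1)</script>',
    'comment'  => '<b onmouseover="alert(1)">bold</b> <a href="javascript:alert(1)">link</a>',
    'category' => 'review',
];

$errors = validateForm($input);
if ($errors !== []) {
    foreach ($errors as $e) {
        echo "error: $e\n";
    }
    exit(1);
}
$clean = filterForm($input);
$rowId = saveComment($db, $clean);
print_r($clean);
echo "stored as row $rowId\n";
```

Two caveats a practitioner would raise: the strip_tags plus attribute-stripping step is a minimal allow-list that is adequate for a handful of formatting tags, but rich text from untrusted users is better handed to a dedicated HTML sanitizer that parses the markup properly; and the MySQL-injection part of the question is answered by the prepared statement, not by any of the string filtering, which is why the id field is only validated as digits and then bound as an integer.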
basdog22
Forum Contributor
Posts: 158
Joined: Sun Nov 30, 2003 3:03 pm
Location: Greece

Post by basdog22 »

Another way is to use a class like XML_HTMLSax. Check PEAR's site for it.