Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Bigun
Forum Contributor
Posts: 237 Joined: Tue Jun 13, 2006 10:50 am
by Bigun » Mon Jul 03, 2006 10:23 am
In some of my input fields I will allow some HTML, others none... and some could be used with MySQL injection attacks.
Now, my question is this. What is the easiest method to filter user input?
in_array();
!in_array();
someotherfunctionidontknowabout();
jmut
Forum Regular
Posts: 945 Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria
by jmut » Mon Jul 03, 2006 10:59 am
Bigun
Forum Contributor
Posts: 237 Joined: Tue Jun 13, 2006 10:50 am
by Bigun » Mon Jul 03, 2006 11:39 am
Is that link having issues loading with anyone else?
jmut
Forum Regular
Posts: 945 Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria
by jmut » Mon Jul 03, 2006 12:19 pm
me
Bigun
Forum Contributor
Posts: 237 Joined: Tue Jun 13, 2006 10:50 am
by Bigun » Mon Jul 03, 2006 12:50 pm
Working now..
Christopher
Site Administrator
Posts: 13596 Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US
by Christopher » Mon Jul 03, 2006 12:55 pm
I find there are two schools of thought on this:
1. Validate input first, error if there are problems, and then filter as necessary. Filtering is simplified.
2. Filter input first, then validate and error if there are problems. Validation is simplified.
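The first school of thought above (validate, reject on error, then filter for the output context) applied to the three kinds of fields the original question mentions, as an added example that is not code from this thread or from any of its posters. Field names (`username`, `comment`), the whitelist of tags, and the `comments` table with `username` and `body` columns are all constructed for the example; the SQL part uses an in-memory SQLite database through PDO so it runs offline.

```php
<?php
// Added example, not from the forum thread. Demonstrates "validate first,
// error on problems, then filter" for three kinds of fields:
//   - a field that allows no HTML      -> escape on output
//   - a field that allows some HTML    -> keep a small tag whitelist, drop attributes
//   - anything that reaches SQL        -> bind as a parameter, never interpolate
declare(strict_types=1);

// Whitelist validation: accept only what the field is allowed to contain.
function validateUsername(string $v): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $v) === 1;
}

function validateComment(string $v): bool
{
    // Length limit plus a UTF-8 check ('/u' makes preg_match fail on invalid UTF-8).
    return strlen($v) <= 2000 && preg_match('//u', $v) === 1;
}

// Filter for a field that allows NO HTML: escape everything for HTML output.
function filterNoHtml(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Filter for a field that allows SOME HTML. strip_tags() keeps attributes on the
// allowed tags, and attributes are where event handlers hide, so every attribute
// on the surviving tags is removed afterwards. A real parser-based sanitizer is
// more robust than this regex; the example keeps it short.
function filterSomeHtml(string $v): string
{
    $allowedTags = '<b><i><em><strong><p>';
    $v = strip_tags($v, $allowedTags);
    return preg_replace('/<(\/?)(b|i|em|strong|p)\b[^>]*>/i', '<$1$2>', $v);
}

// For SQL there is nothing to "filter": bind the raw, validated value so the
// database never parses it as SQL. Table and columns are constructed for the demo.
function insertComment(PDO $db, string $user, string $comment): int
{
    $stmt = $db->prepare('INSERT INTO comments (username, body) VALUES (:u, :b)');
    $stmt->bindValue(':u', $user, PDO::PARAM_STR);
    $stmt->bindValue(':b', $comment, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// School #1: validate first, reject, then filter per destination.
function handleSubmission(array $post): array
{
    $user    = (string) ($post['username'] ?? '');
    $comment = (string) ($post['comment'] ?? '');

    if (!validateUsername($user)) {
        return ['error' => 'invalid username'];
    }
    if (!validateComment($comment)) {
        return ['error' => 'comment too long or not valid UTF-8'];
    }

    return [
        'username_html' => filterNoHtml($user),      // safe to echo into HTML
        'comment_html'  => filterSomeHtml($comment), // safe to echo, limited markup kept
        'raw'           => ['username' => $user, 'comment' => $comment], // for the DB
    ];
}

// Constructed sample input: an injection-style username and a comment with
// an event handler, a script tag and a disallowed link.
$bad = [
    'username' => "bob' OR '1'='1",
    'comment'  => '<b onmouseover="alert(1)">hi</b><script>alert(1)</script> <a href="x">link</a>',
];
print_r(handleSubmission($bad));           // ['error' => 'invalid username']

$good = ['username' => 'bob_42'] + $bad;
$result = handleSubmission($good);
print_r($result);
// comment_html becomes: <b>hi</b>alert(1) link

if (extension_loaded('pdo_sqlite')) {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, username TEXT, body TEXT)');
    $id = insertComment($db, $result['raw']['username'], $result['raw']['comment']);
    echo "stored row $id\n";
}
```

The second school of thought is the same code with the order swapped: run `filterSomeHtml()` / `filterNoHtml()` on the raw value and then validate the filtered result, which makes the validators simpler because they never see markup. Either way the SQL path stays the same: a prepared statement with bound parameters, not string filtering.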
basdog22
Forum Contributor
Posts: 158 Joined: Sun Nov 30, 2003 3:03 pm
Location: Greece
by basdog22 » Mon Jul 03, 2006 1:20 pm
Another way is to use a class like XML_HTMLSax. Check PEAR's site for it.