Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
The function doesn't clean anything. It merely prepares the information to be added to a query as a part of a string. It can't prevent unexpected data from creating errors in result sets, for example.
feyd wrote:The function doesn't clean anything. It merely prepares the information to be added to a query as a part of a string. It can't prevent unexpected data from creating errors in result sets, for example.
Oh! I don't think I've ever been able to ask this question before. Is it better to clean data going into the database, or coming out of the database?
Cleaning needs to be done prior to insertion. Further processing may need to be done on extraction, but only as required to display it in the final destination.
Okay then. I've always done it going in completely, and almost nothing coming out (aside from little things like nl2br or htmlspecialchars). I liked to be able to just go into my SSH client, run a query, and read the data from there.
I don't believe it escapes special characters such as % signs which are used in LIKE clauses and things of that nature. But I haven't seen any issues with anything else as of yet.
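To make the LIKE point concrete, here is an added example (not code from the thread or any poster). It assumes the pdo_sqlite extension; the users table and its rows are constructed sample data. It shows that even a bound parameter leaves `%` and `_` active as wildcards, and that the fix is to escape them before the pattern is built, naming the escape character explicitly in the query so the behaviour does not depend on the database's default:

```php
<?php
// Added example, not from the thread. Assumes pdo_sqlite; table contents are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)');
foreach (['alice', 'bob', 'carol'] as $n) {
    $db->prepare('INSERT INTO users (name) VALUES (?)')->execute([$n]);
}

// Escape the LIKE metacharacters % and _ (and the escape character itself)
// so the user's text is matched literally rather than as a pattern.
function escapeLike(string $s, string $esc = '\\'): string
{
    return addcslashes($s, $esc . '%_');
}

// Prefix search: the wildcard is added by the application, never by the user.
// The ESCAPE clause tells the database which character we used above.
function searchUsers(PDO $db, string $term): array
{
    $stmt = $db->prepare("SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'");
    $stmt->execute([escapeLike($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Binding alone: a raw '%' from the user still acts as a wildcard and matches every row.
$stmt = $db->prepare('SELECT name FROM users WHERE name LIKE ?');
$stmt->execute(['%']);
echo 'raw % matched ', count($stmt->fetchAll()), " rows\n";

// With wildcard escaping the same input is a literal '%' and matches no name.
echo 'escaped % matched ', count(searchUsers($db, '%')), " rows\n";
echo 'prefix a matched: ', implode(',', searchUsers($db, 'a')), "\n";
```

The same escaping is needed with mysql_real_escape_string() or any other quote-escaping function: those functions protect the string delimiters, not the pattern language inside a LIKE.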
Usually you first validate to check if someone is doing something nasty and you want to respond to it. Second, filter the data so you only have the type of value in the range/character set/etc. that you want to accept. Finally, you escape when you format the data for an external system such as the browser or database.
You can also Filter first and then Validate second if you want to validate with the assumption that the data is filtered. That can simplify things like forms managers.
arborint wrote:Usually you first validate to check if someone is doing something nasty and you want to respond to it. Second, filter the data so you only have the type of value in the range/character set/etc. that you want to accept. Finally, you escape when you format the data for an external system such as the browser or database.
I agree: validate using isset, trim and empty. Then filter using functions for special characters.
PS Some use regex for validation and filtering. Do a search online to see examples; there are also snippets and free code to help you, or if you are lazy just use it, but I don't recommend that.
isset(), trim() and empty() are not validators. They simply check for the declaration of a set value in the data, check the presence of data and remove space from the data. Validation needs to go beyond that, like making sure the data is the proper type, within the proper range, etc.
I could be wrong in my view of this however. I may just be getting crossed up in the linguistics of it.
Everah wrote:isset(), trim() and empty() are not validators. They simply check for the declaration of a set value in the data, check the presence of data and remove space from the data. Validation needs to go beyond that, like making sure the data is the proper type, within the proper range, etc.
I could be wrong in my view of this however. I may just be getting crossed up in the linguistics of it.
I agree with you. I always check to see if variables are set (isset()), if they contain information (empty()), and trim out whitespace. I then check data type, length, and special characters with regex.
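The validate / filter / escape sequence from arborint's post and the isset/empty/trim discussion above, as one added example (not code from the thread or any poster). It assumes two form fields, username and age, and a profiles table for the storage step; the $input array is constructed to stand in for $_POST. It also shows the caveat that empty() rejects a legitimate value of "0", which is one reason isset()/empty() are presence checks rather than validators:

```php
<?php
// Added example, not from the thread. Assumes fields 'username' and 'age';
// $input is constructed sample data in place of $_POST.

// Step 1, validate: reject input that is absent, of the wrong type, or outside
// the accepted range or character set. isset()/empty() only say whether
// something was sent; they say nothing about whether it is acceptable.
function validateProfile(array $in): array
{
    $errors = [];
    if (!isset($in['username']) || !is_string($in['username'])) {
        $errors[] = 'username missing';
    } elseif (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $in['username'])) {
        $errors[] = 'username must be 3-20 letters, digits or underscores';
    }
    // filter_var() returns false for non-integers and out-of-range values.
    $age = isset($in['age'])
        ? filter_var($in['age'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 0, 'max_range' => 150]])
        : false;
    if ($age === false) {
        $errors[] = 'age must be an integer between 0 and 150';
    }
    return $errors;
}

// Step 2, filter: normalise accepted input to the exact type and shape the
// application works with (trim, cast), nothing more.
function filterProfile(array $in): array
{
    return ['username' => trim($in['username']), 'age' => (int) $in['age']];
}

// Step 3, escape at the boundary of each external system: for the browser
// that is htmlspecialchars(); for the database it is a bound parameter.
function renderProfile(array $p): string
{
    return '<p>' . htmlspecialchars($p['username'], ENT_QUOTES, 'UTF-8')
         . ' (' . $p['age'] . ')</p>';
}

function storeProfile(PDO $db, array $p): void
{
    // Assumes a profiles(username, age) table exists.
    $db->prepare('INSERT INTO profiles (username, age) VALUES (?, ?)')
       ->execute([$p['username'], $p['age']]);
}

$input = ['username' => 'bob_42', 'age' => '0'];   // constructed request data

// The pitfall: empty('0') is true, so an empty() check would throw away a valid age.
if (empty($input['age'])) {
    echo "empty() would reject age \"0\" even though it is valid\n";
}

$errors = validateProfile($input);
if ($errors) {
    echo implode("\n", $errors), "\n";
} else {
    $clean = filterProfile($input);
    echo renderProfile($clean), "\n";
}
```

Because validation runs first here, a username with leading spaces fails the regex; arborint's filter-first variant would call trim() before the regex instead, which is the trade-off the post describes. Either way, the escape step stays tied to the destination: htmlspecialchars() for HTML output and bound parameters for the query, never a single "clean" pass on the way in.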