> From: "Sebastian" <sebastian@xxxxxxxxxxxxxxxxxxx>
>
> Just a question, what is the best way to sanitize your scripts when you're
> using $_GET or $_REQUEST in a query?
>
> E.g., I usually just do:
>
> if (is_numeric($_REQUEST['id'])) {
>     mysql_query("SELECT id FROM table WHERE id=" . intval($_REQUEST['id']));
> }
>
> What about when the GET is text? Just use htmlspecialchars()?
> Just looking for some advice to help keep my apps secure.

Sanitize it for what? Insertion into the database? Displaying to a user? Putting into an email? A file? XML?

There's no one solution for sanitizing; it's all a matter of what you're doing with the data and what you expect the data to be.

If you expect the data to be an integer, then make it an integer:

$input['value'] = (int)$_GET['value'];

Now you can range check it or whatever. is_numeric() works, but will accept floating point and scientific numbers, by the way.

You need addslashes() (or mysql_real_escape_string(), if appropriate) for text data going into the database.

htmlspecialchars() or htmlentities() is appropriate for text that'll be shown to users on a web site.

Text going into the headers of an email should normally be filtered for newlines so malicious users cannot inject additional headers.

Shall I go on?? ;)

---John Holmes...

UCCASS - PHP Survey System
http://www.bigredspark.com/survey.html

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
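The reply's point is that "sanitize" only makes sense relative to a destination: integer, SQL, HTML, mail header. The following is an added example written for this page, not code from either poster; it implements one routine per destination named in the reply. It assumes a mysqli connection object is available for the query helper (the mysql_* extension the thread mentions was removed in PHP 7, so the database step uses a bound parameter instead of addslashes()), and the sample request values are constructed.

```php
<?php
// Added example (not from the original thread): one sanitisation routine
// per destination, following the per-context advice in the reply above.

declare(strict_types=1);

// Integer input: validate and coerce, then range-check. Unlike is_numeric(),
// FILTER_VALIDATE_INT rejects floats, scientific notation and trailing junk.
function readId(array $request, string $key, int $min = 1, int $max = PHP_INT_MAX): ?int
{
    if (!isset($request[$key]) || !is_string($request[$key])) {
        return null;
    }
    $v = filter_var($request[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $v === false ? null : $v;
}

// Text shown to a user inside HTML: escape at output time, for the HTML context.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Text placed in an email header: remove CR and LF so the value cannot
// terminate the header line and start a new one.
function forMailHeader(string $s): string
{
    return str_replace(["\r", "\n"], '', $s);
}

// Text used in a query: bind it as a parameter so it is never interpolated
// into SQL at all. (Assumes a mysqli connection and a hypothetical users table.)
function findByName(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed sample request values (not real traffic).
$samples = [
    ['id' => '42'],     // valid
    ['id' => '1e3'],    // is_numeric() says yes; not an integer string
    ['id' => '-7'],     // outside the allowed range
    ['id' => '42abc'],  // trailing junk
];
foreach ($samples as $req) {
    var_dump(readId($req, 'id'));
}

echo forHtml('<b>name</b> & "quotes"'), "\n";

// A constructed header value containing CR/LF; the filter collapses it
// to a single header line.
echo forMailHeader("Alice\r\nX-Extra: injected"), "\n";
```

readId() replaces both the is_numeric() check and the (int) cast from the thread with a single validation that also enforces a range, which is the "now you can range check it" step the reply leaves to the reader. The same input rejected by readId() is exactly the kind the reply warns about: is_numeric('1e3') is true, but it is not an id.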