* Sebastian <sebastian@xxxxxxxxxxxxxxxxxxx>:
> Just a question: what is the best way to sanitize your scripts when you're
> using $_GET or $_REQUEST in a query?
>
> E.g., I usually just do:
>
> if (is_numeric($_REQUEST['id']))
> {
>     mysql_query("SELECT id FROM table WHERE id=" . intval($_REQUEST['id']));
> }
>
> What about when the GET is text? Just use htmlspecialchars()?
> Just looking for some advice to help keep my apps secure.

The proper method for doing this is to 'whitelist' -- in other words, assume
data is tainted, and only allow it if it passes certain criteria. For text,
you'll typically want to define what is allowed, create a regular expression,
and pass the value through that expression (this is often called 'filtering').

By the way, if you're needing an integer ID in the test above, testing for
is_numeric() will not be enough -- it returns true for floats as well as
integers. Try:

    if ($_REQUEST['id'] == strval(intval($_REQUEST['id'])))

In terms of sanitizing data for insertion into a database -- or even for
re-display to users -- you'll typically want to use htmlentities() and/or
strip_tags() first (after you've validated that data, that is). Then, for
insertion into the database, use your database driver's quoting method. In
MySQL, this is mysql_real_escape_string(). Alternatively, use a database
abstraction layer such as ADODB or PEAR::DB/MDB2 and use its prepare()
functionality (that way you don't need to know the db's specific functions).

--
Matthew Weier O'Phinney        | mailto:matthew@xxxxxxxxxx
Webmaster and IT Specialist    | http://www.garden.org
National Gardening Association | http://www.kidsgardening.com
802-863-5251 x156              | http://nationalgardenmonth.org

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
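The whitelist-then-prepare approach described in the reply, as an added example that is not part of the original thread. It uses PDO for the prepare() functionality the reply attributes to ADODB/PEAR::DB (the mysql_* functions named in the thread no longer exist in PHP 7 and later); the function names, the `users` table and columns, and the username pattern are assumptions made for this example.

```php
<?php
// Added example (not from the thread): whitelist request values first, then
// hand them to the database as bound parameters instead of concatenating them.

// Accept the id only if the raw value is an exact decimal integer string.
// is_numeric() alone also accepts "1.5", "1e3" and " 7"; the strval(intval())
// comparison from the reply rejects those. The is_string() check additionally
// rejects array values such as id[]=1, which intval() would not catch.
function validateId($raw): ?int
{
    if (!is_string($raw) || $raw !== strval(intval($raw))) {
        return null;
    }
    return intval($raw);
}

// Whitelist a text field: state what is allowed and reject everything else.
// The pattern is a constructed policy for this example (letters, digits, '_').
function validateUsername($raw): ?string
{
    if (!is_string($raw) || preg_match('/^[A-Za-z0-9_]{3,32}$/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Look up a user; table and column names are assumptions for this example.
function findUser(PDO $db, array $request): ?array
{
    $id   = validateId($request['id'] ?? null);
    $name = validateUsername($request['name'] ?? null);
    if ($id === null || $name === null) {
        return null; // tainted input never reaches the query
    }
    // Bound placeholders: the driver quotes the values, so no manual escaping.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id AND name = :name');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escape for HTML when the value is re-displayed to users.
function displayName(array $row): string
{
    return htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
}

// Constructed sample values standing in for $_REQUEST (not real traffic).
var_dump(validateId('42'));             // exact integer string: accepted
var_dump(validateId('1.5'));            // float: rejected
var_dump(validateUsername("x' OR 1"));  // quote and spaces are not whitelisted
```

Pass a connected PDO instance and the request array to findUser(); any value that fails its whitelist short-circuits the lookup before a query is built.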