Also, you should be checking against type (expecting a number? a boolean value? a string?) and then checking against expected length requirements (such as firstname can only be 80 characters long max, so maybe check for <code>if (strlen($var) > 80) { do something; }</code>).

In unit testing, you build your objects first against types and perform object checks using type verification and expected element attributes (such as length, non-null values, etc.). If someone is posting a string of 8000 letters into a field that is supposed to contain a number two letters long, before it is stored, maybe you manage that...

On 5/24/07, Jared Farrish <farrishj@xxxxxxxxx> wrote:
I'm not sure exactly what kind of sanitization you think you're doing, but if all you do is check to see if it's empty (empty() implements isset(); empty() checks to see if it's set, then if it evaluates to an empty variable), that's not much sanitization.

What you need to do is check for SQL injections, which means you need to sanitize GPC (GET, POST, COOKIES) to prevent the following (only a demonstration):

SELECT `colname` FROM `tablename` WHERE id='$variable' LIMIT 0,10

What happens if $variable is equal to:

$variable = $_POST['somedata'];

And $_POST['somedata'] ~ " 'INSERT INTO users VALUES('name','password','AdminGroup')' ";

This is an example of a possible SQL injection (which means unknown SQL code is running through your script access). The way to prevent this is to escape single quotes before insert/select, and also turn all HTML entities into escaped values (so that someone cannot put a <script></script> block into the signature for their user, for example). The good thing is, there are numerous help sites online that describe how to do this.

Generally, you're better off wrapping your SQL commands into a class or at least a series of functions, so that you can implement your sanitization once and use it for all database interactions.

Google: http://www.google.com/search?q=php+sanitize+sql+statement
PHP.net: http://www.php.net/manual/en/security.database.sql-injection.php

-- Jared Farrish Intermediate Web Developer Denton, Tx Abraham Maslow: "If the only tool you have is a hammer, you tend to see every problem as a nail." $$
-- Jared Farrish Intermediate Web Developer Denton, Tx Abraham Maslow: "If the only tool you have is a hammer, you tend to see every problem as a nail." $$
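The two points made in this thread (validate type and length first, then route every query through one wrapper so the escaping/binding happens in a single place) are shown together in the script below. This is an added example and not code from either message; it uses PDO prepared statements rather than manual quote escaping, assumes PHP 7.4+ with the pdo_sqlite extension, and the `Db` class, the `validate_input()` helper, the `users` table and the hostile `$_POST['somedata']` value are all constructed for the demonstration.

```php
<?php
// Added example for the thread above. Assumes pdo_sqlite is available.
// Table, rows and the $_POST value below are constructed sample data.

// Validate a GET/POST/COOKIE value against an expected type and maximum
// length before it goes anywhere near SQL. Returns the cleaned value, or
// null if the input does not fit (caller decides how to reject it).
function validate_input(array $source, string $key, string $type, int $maxLen)
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;                       // missing, or not a scalar from the request
    }
    $raw = $source[$key];
    if (strlen($raw) > $maxLen) {          // e.g. firstname limited to 80 characters
        return null;
    }
    switch ($type) {
        case 'int':
            // ctype_digit rejects "12abc", "-1", "1e3" and the empty string
            return ctype_digit($raw) ? (int) $raw : null;
        case 'bool':
            return in_array($raw, ['0', '1'], true) ? $raw === '1' : null;
        case 'string':
            return $raw;
        default:
            return null;                   // unknown type spec: fail closed
    }
}

// One place for all database access: placeholders only, never user data
// concatenated into the SQL text.
class Db
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    public function select(string $sql, array $params): array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);           // values are bound, not interpolated
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed in-memory schema standing in for the real users table.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, grp TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 'AdminGroup'), (2, 'bob', 'Users')");

// Constructed hostile request value standing in for what a client may POST.
$_POST = ['somedata' => "2' OR '1'='1"];

// 1. The vulnerable pattern from the thread: the value is interpolated into SQL.
//    The resulting WHERE clause is id='2' OR '1'='1', which matches every row.
$variable = $_POST['somedata'];
$rows = $pdo->query("SELECT name FROM users WHERE id='$variable' LIMIT 0,10")
            ->fetchAll(PDO::FETCH_ASSOC);
echo "interpolated: " . count($rows) . " row(s)\n";   // 2 rows: injection succeeded

// 2. Validate first. The payload is not an integer, so it never reaches SQL.
$db = new Db($pdo);
$id = validate_input($_POST, 'somedata', 'int', 10);
if ($id === null) {
    echo "rejected: somedata is not an integer of at most 10 digits\n";
} else {
    $rows = $db->select('SELECT name FROM users WHERE id = ? LIMIT 10', [$id]);
}

// 3. Where a string column is legitimately queried, binding keeps the quote inert.
$rows = $db->select('SELECT name FROM users WHERE name = ?', ["alice' OR '1'='1"]);
echo "bound: " . count($rows) . " row(s)\n";           // 0 rows: the quote is data, not SQL

// 4. Escaping for HTML is a separate step done at output time, not at storage time,
//    so a <script> block stored in a signature cannot run in another user's browser.
$rows = $db->select('SELECT name FROM users WHERE id = ?', [1]);
echo htmlspecialchars($rows[0]['name'], ENT_QUOTES, 'UTF-8') . "\n";
```

Run it with `php example.php`. Note that the type check and the binding are two independent defences: the integer validation stops the payload in step 2 even if the query were still string-built, and the placeholder in step 3 neutralises the quote even when the column genuinely is free text.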