Re: Filtering data not with mysql...

At 2:38 PM +0300 5/19/11, Andre Polykanine wrote:
> Oh my... I hate those pdf's :-((
> Could someone tell me in some words what I need to do besides
> mysql_real_escape_string() and Html input sanitizing?
> Thanks and sorry for the inconvenience)

Hi:

Here is part of what I wrote for my PHP class -- perhaps it will help:

There are two simple rules in handling data:

Rule Number 1 is to "filter input".

What that means specifically is to make certain that the user input is EXACTLY what you expect. You can filter, scrub, inspect, compare, or replace whatever comes in with what you expect. You need to be aware of what can come from a user and be able to deal with that data safely.

Rule Number 2 is to "escape output".

What that means specifically is to transform any given chunk of data to a format that is suitable for the output medium.

For example, ANY output headed to the browser should have htmlentities() performed on it.

If the data is headed to a database, it should have a database-specific function called, such as mysql_real_escape_string().

If the data is going to be included within a URL (i.e., GET parameter), it needs to pass through the urlencode() function.

If the data is headed to XML it should have some kind of XML function called to wrap it in a CDATA or a pre-defined data format.

If the data is headed out to JavaScript, then you need json (i.e., json_encode, json_decode, and json_last_error).

So, you really just have TWO considerations:

Filter input; Escape output

It matters because Evil People do exist, and they WILL find a way to cause damage to you, and even to others, if you fail to protect your data and code.

Common hacks include executing SQL to damage databases, or adding JavaScript to deface web-sites or even adding JavaScript to use YOUR web-site in an attack upon another website.

Here is a good starting point for some of the details of what to do and why: http://phpsec.org/

HTH's

tedd


--
-------
http://sperling.com/
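A worked version of tedd's two rules, added here as an example and not code from his post or from the PHP project: it validates two fields against the exact shape that is expected, then escapes one value for each output medium named above (HTML, URL, XML CDATA, JavaScript, database). The PDO prepared statement is a swapped-in technique standing in for mysql_real_escape_string(), which no longer exists in current PHP, and `$pdo` is an assumed, already-open connection.

```php
<?php
// Added example, not from tedd's post: "filter input, escape output" in PHP.
// The PDO prepared statement stands in for mysql_real_escape_string(), which
// no longer exists in current PHP; $pdo is an assumed, already-open connection.
declare(strict_types=1);

// Rule 1: filter input. Accept only what we expect and reject the rest;
// nothing is "cleaned up" here, because escaping belongs to the output step.
function filterUsername(string $raw): ?string {
    // Allowed: 3-20 ASCII letters, digits or underscores.
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $raw) === 1 ? $raw : null;
}
function filterComment(string $raw): ?string {
    // Free text is allowed, but bounded in length.
    $len = mb_strlen(trim($raw));
    return ($len >= 1 && $len <= 500) ? trim($raw) : null;
}

// Rule 2: escape output. One transformation per destination medium.
function forHtml(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function forUrl(string $s): string {
    return urlencode($s);   // applied to the parameter value only, never the whole URL
}
function forXml(string $s): string {
    // A CDATA section may not contain "]]>", so that sequence is split in two.
    return '<![CDATA[' . str_replace(']]>', ']]]]><![CDATA[>', $s) . ']]>';
}
function forJavaScript(string $s): string {
    // JSON_HEX_* also encodes < > & and quotes, so the literal is safe inside <script>.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return json_encode($s, $flags);
}
function saveComment(PDO $pdo, string $user, string $comment): void {
    // Database: bound parameters keep the data out of the SQL text entirely.
    $stmt = $pdo->prepare('INSERT INTO comments (username, body) VALUES (:u, :b)');
    $stmt->execute([':u' => $user, ':b' => $comment]);
}

// Constructed sample input (not real user data) sent to every medium.
$user    = filterUsername('tedd_42') ?? exit("rejected username\n");
$comment = filterComment('Say "hi" <script>alert(1)</script> & ]]>') ?? exit("rejected comment\n");
echo '<p>' . forHtml($comment) . "</p>\n";
echo '<a href="/user?name=' . forUrl($user) . "\">profile</a>\n";
echo '<item>' . forXml($comment) . "</item>\n";
echo '<script>var c = ' . forJavaScript($comment) . ";</script>\n";
// saveComment($pdo, $user, $comment);   // run this with an open PDO connection
```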

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
