  1. #1 TurtleX (SitePoint Guru)

    Protecting Against Malicious User Input

    I have a form where users can submit name, email and comments to my database. I'm using htmlspecialchars() to check each form field to protect against any code that might be submitted. Is this enough?

  2. #2 GoldFire (SitePoint Wizard)
    Use addslashes() on any data that is input to your database to help protect against SQL injections.

    I personally use code similar to the one below in my include file.

    PHP Code:
    foreach ($_POST as $key => $value)
    {
        if (!is_array($value))
            $_POST[$key] = strip_tags(addslashes($value));
    }
    foreach ($_GET as $key => $value)
    {
        if (!is_array($value))
            $_GET[$key] = strip_tags(addslashes($value));
    }


  3. #3 TurtleX (SitePoint Guru)
    addslashes(), htmlspecialchars() and trim(), is that enough?

  4. #4 GoldFire (SitePoint Wizard)
    That will definitely improve things.

  5. #5 TurtleX (SitePoint Guru)
    Thanks

  6. #6 bigduke
    Try adding regular expression character checking so that you can limit what's being sent by the user and used by the system, e.g. limit the input to just alphanumeric characters.

  7. #7 Mike
    I usually check for valid input (either with regex or settype(), depending on the application) and then run it through mysql_escape_string().
    Mike
    It's not who I am underneath, but what I do that defines me.

  8. #8 TurtleX (SitePoint Guru)
    I've been reading more about this and it seems mysql_real_escape_string() is better than addslashes().

  9. #9 Mike
    It is.
    Mike
    It's not who I am underneath, but what I do that defines me.

  10. #10 GoldFire (SitePoint Wizard)
    Ah true, I had forgotten about mysql_real_escape_string(). Replacing addslashes() with that in the code I provided should work great. I never actually had any security problems while using addslashes(), but it can't hurt to go one step up in security with mysql_real_escape_string().
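    The order the thread settles on in #6, #7 and #10 (validate with a whitelist first, then escape for the context the data goes into), as an added example that is not any poster's code: the SQL side uses a mysqli prepared statement in place of mysql_real_escape_string(), and htmlspecialchars() is applied when the comment is rendered rather than when it is stored. The table and column names, the connection details and the sample submission are assumed or constructed.

```php
<?php
// Added example, not from the thread. Validate with a whitelist first, then
// escape per output context: SQL via bound parameters, HTML via htmlspecialchars().
// Table/column names and the sample submission are assumed.

function validate_comment_form(array $post): array
{
    $name   = trim((string)($post['name'] ?? ''));
    $email  = trim((string)($post['email'] ?? ''));
    $body   = trim((string)($post['comments'] ?? ''));
    $errors = [];

    // Whitelist rather than blacklist: letters, spaces, apostrophes, dots, hyphens.
    if (!preg_match('/^[\p{L}\' .-]{1,60}$/u', $name)) {
        $errors['name'] = 'Name: letters, spaces, apostrophes, dots or hyphens only (1-60 chars).';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || strlen($email) > 254) {
        $errors['email'] = 'Email address is not valid.';
    }
    if ($body === '' || strlen($body) > 2000) {
        $errors['comments'] = 'Comment must be 1-2000 bytes.';
    }
    return [$errors, ['name' => $name, 'email' => $email, 'comments' => $body]];
}

// SQL context: values are bound, never concatenated into the query text, so the
// apostrophe in "O'Brien" is stored as-is and cannot change the statement.
function store_comment(mysqli $db, array $row): bool
{
    $stmt = $db->prepare('INSERT INTO comments (name, email, comments) VALUES (?, ?, ?)');
    if ($stmt === false) { return false; }
    $stmt->bind_param('sss', $row['name'], $row['email'], $row['comments']);
    return $stmt->execute();
}

// HTML context: escape at render time, so any markup in a comment shows as text.
function render_comment(array $row): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><b>' . $esc($row['name']) . '</b>: ' . nl2br($esc($row['comments'])) . '</p>';
}

// Constructed sample submission: a legitimate apostrophe plus some stray markup.
[$errors, $row] = validate_comment_form([
    'name' => "O'Brien", 'email' => 'ob@example.com', 'comments' => 'Nice <b>form</b>!',
]);
if ($errors === []) {
    echo render_comment($row), PHP_EOL; // <p><b>O&apos;Brien</b>: Nice &lt;b&gt;form&lt;/b&gt;!</p>
    // store_comment(new mysqli('localhost', 'user', 'pass', 'db'), $row); // needs a live DB
}
```

    Escaping with addslashes() before storage, as in the code in #2, would instead write `O\'Brien` into the database and double-escape it on every later edit.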
