
  1. #1
    Dabrowski (SitePoint Enthusiast, joined Apr 2006, 66 posts)

    Cleaning form Data

    I realize that there are ways to verify data to make sure it fits a format or pattern, but let's say you just want one cleaner to get things started. For instance, we'll deal later with whether it's an email address, telephone number, etc.; for now we just want to know if it's potentially malicious.

    If you ran everything through htmlentities and addslashes (I'm not seeing the difference between htmlentities and htmlspecialchars yet), would that provide you with an at least safe bit of data, if not perfectly formatted?

    Thanks.

  2. #2
    Non-Member (joined Jan 2003, 5,748 posts)
    No, you need to do more with your data before you can use it. What you need to do depends primarily on the application, I suppose, but do a search on the PAD forum for input filtering, for example?

    It's a complex topic with no one answer.

  3. #3
    foofoonet ("is_empty(2);", joined Mar 2006, 1,000 posts)
    Found this today:
    http://www.weberdev.com/ViewArticle/461
    The Trashman Cometh.

    also visit: www.ilovejackdaniels.com/security

    Both deal with inspecting and cleansing data - but in very different ways.

    -- Upgrading to MySQL 5? Auto-increment fields are now strict: use NULL or zero, or leave the field name out completely.

  4. #4
    krt (SitePoint Zealot, Australia, joined Sep 2005, 114 posts)
    PHP Code:
    <?php

    // run clean_var() over every GET, POST and cookie value
    $_GET    = array_map('clean_var', $_GET);
    $_POST   = array_map('clean_var', $_POST);
    $_COOKIE = array_map('clean_var', $_COOKIE);

    function clean_var($v) {
        // fields named like field[] arrive as arrays; recurse into them
        // (addslashes() on an array would fail)
        if (is_array($v))
            return array_map('clean_var', $v);

        if (!get_magic_quotes_gpc())
            $v = addslashes($v);

        // anything else you want to do here:
        // maybe do the reverse of the above and then use mysql_real_escape_string()
        // maybe htmlspecialchars() etc.

        return $v;
    }
    Last edited by krt; Jul 9, 2006 at 16:20. Reason: fixed error in code

  5. #5
    Dabrowski (SitePoint Enthusiast, joined Apr 2006, 66 posts)
    Am I to understand, krt, that you're suggesting that getting safe data is that easy? That's how it seems to me, as I'm not looking to get useful data, yet, I just want to make sure it's not going to be unsafe. At the very least, escape the quotes, and strip php / html tags and htmlspecialchars.

    What is the function of the first lines of code?

    I understand that there is a lot more to do to get useful data, but I am also very appreciative of the responses that illuminate the problem further.

    Thanks again.

  6. #6
    krt (SitePoint Zealot, Australia, joined Sep 2005, 114 posts)
    The first few lines run the clean_var() function on all GPC (get, post, cookie) input.

    Well, malicious input can be malicious for a few reasons, mainly because it is used in:
    - SQL (database queries) - addslashes(), mysql_real_escape_string() ...
    - file names or URIs - separate validation, e.g. no remote URIs etc., or simply wrap the variable input in a path, like so: $filename = "uploads/{$_GET['file']}";
    - eval()'d code - specific/separate validation/manipulation required in most cases

    For a global function that you can run at or near the beginning of your scripts, the function above works fine.
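    As an added illustration (this is not code from the thread or from krt), the following shows the contexts listed in the post above handled separately, each at its point of use, rather than by one global addslashes() pass; it also answers the question in post #1 about htmlentities() versus htmlspecialchars(). It assumes PHP 7.4 or later with the pdo_sqlite extension; the input array is constructed sample data.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.4 and pdo_sqlite.

// Constructed sample: the kind of values a form might submit.
$input = [
    'name' => "O'Brien <script>alert(1)</script>",
    'file' => '../../etc/passwd',
    'tag'  => ["caf\xc3\xa9", 'a&b'],   // nested array: array_map('addslashes') would fail on it
];

// 1. HTML output: escape when rendering, not when the request arrives.
function for_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// htmlentities() does the same for & < > " ' and additionally turns non-ASCII
// characters such as 'é' into named entities; for markup safety both are equivalent.

// 2. SQL: bind parameters so quoting is never the application's job.
function insert_name(PDO $db, string $name): int {
    $db->exec('CREATE TABLE IF NOT EXISTS users (name TEXT)');
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);    // O'Brien is stored as typed, no slashes
    return (int) $db->lastInsertId();
}

// 3. File names: accept only an explicit allow-list pattern; "uploads/{$file}"
//    alone does not stop a value like "../../etc/passwd".
function safe_upload_path(string $file): ?string {
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(png|jpg|pdf)\z/', $file)) {
        return null;                       // refused
    }
    return 'uploads/' . $file;
}

// 4. Nested input: recurse so field[] arrays are handled too.
function walk_input($v, callable $fn) {
    return is_array($v) ? array_map(fn($x) => walk_input($x, $fn), $v) : $fn($v);
}

$db = new PDO('sqlite::memory:');
insert_name($db, $input['name']);
echo for_html($input['name']), "\n";       // O&#039;Brien &lt;script&gt;alert(1)&lt;/script&gt;
var_dump(safe_upload_path($input['file'])); // NULL
print_r(walk_input($input['tag'], 'for_html'));
echo htmlentities("caf\xc3\xa9", ENT_QUOTES, 'UTF-8'), ' vs ', for_html("caf\xc3\xa9"), "\n";
// caf&eacute; vs café
```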
