Need help cleaning data

What kinds of things need to be done to “clean” data that is submitted from an HTML form?

Specifically, I have been told by several people that you need to be super careful about blindly accepting data that is in the GET and POST arrays.

So what kinds of bad things am I checking for exactly?! :-/

TomTees

Here’s an interesting discussion/demo on SQL injection and the damage it could cause if used by a malicious user.

Bottom line: validate and sanitise all user inputs before using them - especially before using them in database queries.

The main issues that need to be prevented are broken queries and embedded queries. That is what escaping data or using prepared statements prevents when handling uncontrolled input.
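The two failure modes named above (a broken query and an embedded query) both come from pasting the submitted value into the SQL text. The following is an added example, not code from this thread; it uses PDO with an in-memory SQLite database so it runs without a server, the table and the two sample inputs are constructed for the demonstration, and both helper functions are hypothetical names.

```php
<?php
// Added example: the same lookup written two ways, against in-memory SQLite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// Constructed stand-ins for what might arrive in $_GET['name'].
$inputs = ['alice', "O'Brien"];

// Unsafe: the value becomes part of the SQL text, so a quote in the input
// changes the structure of the statement (the "broken query" case) instead
// of staying data; the same mechanism is what lets a second statement be embedded.
function findUserUnsafe(PDO $db, string $name): ?string
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}

// Safe: the statement is compiled first and the value is bound afterwards,
// so it is only ever compared as data, whatever characters it contains.
function findUserSafe(PDO $db, string $name): ?string
{
    $stmt = $db->prepare("SELECT name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}

foreach ($inputs as $name) {
    try {
        printf("unsafe   %-8s -> %s\n", $name, findUserUnsafe($db, $name) ?? 'no match');
    } catch (PDOException $e) {
        // "O'Brien" lands here: the unescaped apostrophe terminates the string literal.
        printf("unsafe   %-8s -> query broke: %s\n", $name, $e->getMessage());
    }
    printf("prepared %-8s -> %s\n", $name, findUserSafe($db, $name) ?? 'no match');
}
```

Run it and the plain name works either way, while the name with an apostrophe breaks the concatenated query and is matched correctly by the prepared one. The prepared statement needs no escaping code of its own, which is why it is the simpler default; escaping is only the fallback for the rare query part (a table or column name, an ORDER BY direction) that cannot be bound as a parameter, and those are best handled with a fixed whitelist.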

Thanks for the link. That was a VERY interesting article!!

The main thing that I’ve taken away from my research online is that you have to customize “data sanitizing” for the particular data and application of the data to really be secure.

Thanks,

TomTees

It is always a good idea to use functions such as htmlspecialchars and strip_tags.

However, over time, you can have your own function which will take a string and clean it to your preferences. I’ve noticed that through the years, I’ve used a similar function that takes a string, and really sifts through sketchy tags / characters.
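A per-field cleaning routine of the kind described above, as an added example that is not code from this thread or from the poster. It validates each submitted field against the shape that field is expected to have, and separately escapes values with htmlspecialchars at the point where they are written into HTML. The `$submitted` array is a constructed stand-in for `$_POST`, and `validateForm` and `h` are hypothetical names.

```php
<?php
// Added example: validate on the way in, escape on the way out.

// Constructed sample of a submitted form, standing in for $_POST.
$submitted = [
    'name'  => 'Tom <b>Tees</b>',
    'email' => 'tom@example.com',
    'age'   => '42',
    'bio'   => 'Fan of <i>"clean"</i> data & forms',
];

// Returns [cleanValues, errors]. Fields that do not match their expected
// shape are rejected and reported rather than silently repaired.
function validateForm(array $in): array
{
    $clean = [];
    $errors = [];

    // Name: markup is never legitimate here, so strip it, then allow only
    // letters, spaces, hyphens and apostrophes up to 60 characters.
    $name = trim(strip_tags($in['name'] ?? ''));
    if ($name === '' || !preg_match('/^[\p{L} \'\-]{1,60}$/u', $name)) {
        $errors['name'] = 'name must be 1-60 letters, spaces, hyphens or apostrophes';
    } else {
        $clean['name'] = $name;
    }

    // Email: filter_var applies a syntax check; false means it did not pass.
    $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'invalid email address';
    } else {
        $clean['email'] = $email;
    }

    // Age: must be an integer within a plausible range; "42" becomes int 42.
    $age = filter_var($in['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'age must be a whole number between 13 and 120';
    } else {
        $clean['age'] = $age;
    }

    // Bio: free text is kept as typed (trimmed, length-capped). Quotes,
    // ampersands and tags are fine in storage; they are escaped on display.
    $bio = trim($in['bio'] ?? '');
    if (mb_strlen($bio) > 500) {
        $errors['bio'] = 'bio must be at most 500 characters';
    } else {
        $clean['bio'] = $bio;
    }

    return [$clean, $errors];
}

// Output escaping for an HTML context. ENT_QUOTES also escapes single quotes,
// so the result is safe inside attribute values, not only between tags.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

[$clean, $errors] = validateForm($submitted);
if ($errors) {
    foreach ($errors as $field => $msg) {
        echo "error in $field: " . h($msg) . "\n";
    }
    exit(1);
}

// Every value is escaped at the point of output, whatever it contains.
echo '<p>Name: ' . h($clean['name']) . '</p>' . "\n";
echo '<p>Email: ' . h($clean['email']) . '</p>' . "\n";
echo '<p>Age: ' . $clean['age'] . '</p>' . "\n";           // an int; nothing to escape
echo '<textarea name="bio">' . h($clean['bio']) . '</textarea>' . "\n";
```

The split matters: strip_tags is a validation-time choice for fields where markup has no business being present, while htmlspecialchars is applied at output time to every string regardless of how it was validated, because the same stored value may later be written into a different context. Storing the raw text and escaping per context is what keeps a bio containing a quote or an ampersand displaying correctly instead of being mangled on the way in.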