AdamHull12 Posted October 4, 2014 Share Posted October 4, 2014 (edited) Hello, I am quite new to the php and website scene and i am trying to find the best way to validate and sterilize my $_post the way i have come up with is $id = filter_var(mysql_real_escape_string($_POST['id']),FILTER_SANITIZE_NUMBER_INT); or $id = mysql_real_escape_string($_POST['id']); $id1 = filter_var($id,FILTER_SANITIZE_NUMBER_INT); which will be the best way to do it or is there a better way. Thanks Edited October 4, 2014 by AdamHull12 Quote Link to comment Share on other sites More sharing options...
Ch0cu3r Posted October 4, 2014 Share Posted October 4, 2014 First stop using the mysql_* functions they are no longer supported. It is highly recommend you update your code to use MySQLi or PDO When using user data in a query you'd not use real_escape_string instead you'd use prepared statements (see pdo or mysqli docs for info). Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted October 8, 2014 Share Posted October 8, 2014 The first step is to stop using nonsense terms like “sterilizing”. Data is not “dirty”, so it cannot be “sterilized”. By itself, data doesn't do anything. The question is what you do with it. Do you want to insert the data into an SQL query? An HTML document? A JavaScript context? A PDF? Each case requires an entirely different security strategy. So any attempt of coming up with some magical universal “filter” is futile and conceptually wrong. You need to choose an appropriate solution for the specific context. For SQL queries, you either use prepared statements or manually SQL-escape the data. For an HTML context, you need HTML-escaping. To pass data to JavaScript, you use Ajax. Like I said, there is no one-size-fits all solution. Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted October 8, 2014 Share Posted October 8, 2014 @AdamHull12 - It might help to know more about what you're trying to do. Are you working on a form and trying to validate the input? If so, you could run $id through ctype_digit() to make sure it's a number...assuming that's what you expect. If $id turns out to be something else, you could re-display the form and show an error. Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted October 8, 2014 Share Posted October 8, 2014 He has clearly stated what he wants to do: secure the input. And validation does not provide security at all. It's a usability feature. Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted October 8, 2014 Share Posted October 8, 2014 He has clearly stated what he wants to do: secure the input. That doesn't necessarily mean the OP isn't looking for options. Perhaps AdamHull12 is just using "Secure" in a general sense...or maybe doesn't realize there is a difference between validating, filtering, escaping, etc. Quote Link to comment Share on other sites More sharing options...
Strider64 Posted October 8, 2014 Share Posted October 8, 2014 (edited) If you just want to check to see if it is a valid integer : <?php /* If you just want to check to see if it's a valid integer */ if (isset($_POST['id']) && !filter_var($_POST['id'], FILTER_VALIDATE_INT, array('min_range' => 1))) { echo "I'm not an integer<br>"; } elseif (isset($_POST['id'])) { echo 'The id is ' . $_POST['id'] . '<br>'; } ?> <form action="" method="post"> Enter Number <input type="text" name="id" > <input type="submit" name="submit" value="Submit"> </form> An maybe this will clear up the confusion : http://us.php.net/manual/en/intro.filter.php $id = filter_input(INPUT_POST, 'id', FILTER_SANITIZE_NUMBER_INT); Edited October 8, 2014 by Strider64 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.