sanitizing post variables

mikefrederick · April 10, 2008

Is it really necessary to sanitize post variables? I guess it's good to be cautious of XSS and whatnot, but it seems like a paranoid practice. What is a good method of sanitizing post variables?

darkfreaks · April 10, 2008

trim mysql_real_escape_string and strip_tags

PFMaBiSmAd · April 10, 2008

It is necessary to validate all data that comes into your program.

Any post/get/file/cookie variables could have been submitted by a spammer or a spam bot script for the purpose of injecting sql, email headers, server side script, or browser script, depending on what your code does with that data (place it into a query, place it into an email, place it into a file, template, or eval() it, or output it as content to a browser.)

Not validating all input is just asking for someone to eventually take over your web server or mail server for their purposes or to grab your data or your visitor's data.

darkfreaks · April 10, 2008

^ well said

PFMaBiSmAd · April 10, 2008

I would also add, validating inputs also allows you a chance to output a meaningful message to the visitor, such as a value was empty, was not a number... and then to have your code take an appropriate action, such as not putting an empty value into a query or putting a non-number into a numeric field...

Sign In

sanitizing post variables

Recommended Posts

mikefrederick

Link to comment

Share on other sites

darkfreaks

Link to comment

Share on other sites

PFMaBiSmAd

Link to comment

Share on other sites

darkfreaks

Link to comment

Share on other sites

PFMaBiSmAd

Link to comment

Share on other sites

Archived

Browse

Activity

Important Information