mikefrederick Posted April 10, 2008 Share Posted April 10, 2008 Is it really necessary to sanitize post variables? I guess it's good to be cautious of XSS and whatnot, but it seems like a paranoid practice. What is a good method of sanitizing post variables? Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted April 10, 2008 Share Posted April 10, 2008 trim mysql_real_escape_string and strip_tags Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted April 10, 2008 Share Posted April 10, 2008 It is necessary to validate all data that comes into your program. Any post/get/file/cookie variables could have been submitted by a spammer or a spam bot script for the purpose of injecting sql, email headers, server side script, or browser script, depending on what your code does with that data (place it into a query, place it into an email, place it into a file, template, or eval() it, or output it as content to a browser.) Not validating all input is just asking for someone to eventually take over your web server or mail server for their purposes or to grab your data or your visitor's data. Quote Link to comment Share on other sites More sharing options...
darkfreaks Posted April 10, 2008 Share Posted April 10, 2008 ^ well said Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted April 10, 2008 Share Posted April 10, 2008 I would also add, validating inputs also allows you a chance to output a meaningful message to the visitor, such as a value was empty, was not a number... and then to have your code take an appropriate action, such as not putting an empty value into a query or putting a non-number into a numeric field... Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.