
I am new to PHP and get confused with so many bits and pieces of info on the web about the security of your website designed using PHP and a MySQL database. Can somebody please put it all together THE best way:

Let's say I have the following scenarios:

1. I have a form and I receive a variable using $POST & $GET methods. How do I sanitize that variable before using it in PHP script processing?

2. How do I sanitize the variable received using forms ($GET) before I insert it into the MySQL database?

3. I have a form with 'file attach' capability. How do I sanitize that file so it will accept .gif, .jpg, .bmp, .doc, .xsl files ONLY before I insert that data in MySQL?

4. How can I sanitize this file received before I upload it to temp/another directory on the server?

Please write step-by-step code so I can understand.

I appreciate all the help from members.

 

 

https://forums.phpfreaks.com/topic/113928-php-security/


1: For sanitizing ALL input, use mysql_real_escape_string() as follows:

$password = mysql_real_escape_string($password);

For GET variables, I usually try to keep them numeric, that is, the primary key of a table's row. You can use mysql_real_escape_string() AND is_numeric() on them, which returns 1 if the GET variable is numeric.

For the upload question, research file types in PHP.


I'll make that a bit clearer. Simple example script taking in both POST and GET variables:

 

<?php
include("dbconnect.php"); // or whatever you called it; mysql_real_escape_string() needs this open connection

$password = mysql_real_escape_string($_POST['password']);
$username = mysql_real_escape_string($_POST['username']);

$get_variable = mysql_real_escape_string($_GET['get_variable']);

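As an added illustration of the same POST/GET handling (example code written for this edit, not code from the thread or from waynewex): escaping a value only protects it when it ends up inside quotes in a SQL string, and the mysql_* extension it depends on was removed in PHP 7. The script below does the same two things with mysqli prepared statements, so user data never becomes part of the SQL text, and validates the GET value as an integer instead of escaping it. The table names users and posts, their columns, and a $mysqli connection provided by dbconnect.php are assumptions.

```php
<?php
// Added example: validate POST/GET input and query with mysqli prepared statements.
// Assumes dbconnect.php defines $mysqli (a mysqli connection), a table
// posts(id INT, title VARCHAR) and a table users(id INT, username VARCHAR, password_hash VARCHAR).
include("dbconnect.php");

// --- GET: an id should be an integer, so validate its type rather than escaping it.
// FILTER_VALIDATE_INT returns false for anything that is not a whole number
// ("1 OR 1=1", "1.5", "") and null when the parameter is absent.
$postId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($postId === false || $postId === null) {
    http_response_code(400);
    exit("Invalid id");
}

// The SQL text contains no user data; the '?' placeholder is bound separately.
$stmt = $mysqli->prepare("SELECT title FROM posts WHERE id = ?");
$stmt->bind_param('i', $postId);            // 'i' = bind as integer
$stmt->execute();
$stmt->bind_result($title);
$postFound = $stmt->fetch();
$stmt->close();

// --- POST: require the fields, then pass them as bound parameters.
$username = isset($_POST['username']) ? trim($_POST['username']) : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';
if ($username === '' || $password === '') {
    http_response_code(400);
    exit("Username and password are required");
}

// Quotes or comment sequences inside $username stay data: they cannot change the query.
$stmt = $mysqli->prepare("SELECT password_hash FROM users WHERE username = ?");
$stmt->bind_param('s', $username);          // 's' = bind as string
$stmt->execute();
$stmt->bind_result($passwordHash);
$userFound = $stmt->fetch();
$stmt->close();

// Passwords are checked against a stored hash, never stored or compared as plain text.
$loggedIn = $userFound && password_verify($password, $passwordHash);

// Escaping for HTML happens at output time, not before storage.
if ($loggedIn && $postFound) {
    echo "Welcome, " . htmlspecialchars($username, ENT_QUOTES, 'UTF-8')
       . ": " . htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
} else {
    echo "Login failed or post not found";
}
```

The design point is that validation (is this an integer? is this field present?) and query parameterisation are two separate steps, and neither of them depends on escaping the raw string; htmlspecialchars() is applied once, when the value is printed into HTML.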

I tried using mysql_real_escape_string() but it gives me an error message when checking the email entry, whereas I get NO error when I use mysql_escape_string().

I am including my scripts for clearer understanding.

1. Script to check ALL data (I call it the checkinput function)

 

<?php
// checkinput.php
function checkinput($data)
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    // mysql_escape_string() works without a connection; mysql_real_escape_string()
    // needs an open connection (include dbconnect.php first) or it returns false.
    $data = mysql_escape_string($data);
    return $data;
}
?>

 

2. Script to check inputs from the form

 

<?php
include("checkinput.php");

// Every field is required; the key tested with empty() must be the same key passed to checkinput().
$DbName      = empty($_POST['Dbname'])      ? die("ERROR: entry error") : checkinput($_POST['Dbname']);
$TableName   = empty($_POST['TableName'])   ? die("ERROR: entry error") : checkinput($_POST['TableName']);
$FirstName   = empty($_POST['FirstName'])   ? die("ERROR: entry error") : checkinput($_POST['FirstName']);
$LastName    = empty($_POST['LastName'])    ? die("ERROR: entry error") : checkinput($_POST['LastName']);
$Email       = empty($_POST['Email'])       ? die("ERROR: entry error") : checkinput($_POST['Email']);
$title       = empty($_POST['title'])       ? die("ERROR: entry error") : checkinput($_POST['title']);
$description = empty($_POST['description']) ? die("ERROR: entry error") : checkinput($_POST['description']);

// eregi() is deprecated since PHP 5.3 and removed in PHP 7; preg_match() with the /i flag
// is the case-insensitive equivalent of the same pattern.
if (preg_match('/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i', $Email))
{
    // execute normal script
}
else
{
    echo "Please enter a valid email address.";
}
?>

 

Please note that the $FirstName, $LastName, $title and $description variables are columns of table $TableName, which resides in database $DbName.

I will be using these variables to access the database and NONE of them are primary variables (I have a primary variable $ID that is auto-incremented).

Please advise.

Thanks

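An added example of how the form above can be checked without the checkinput() chain (written for this edit; it is not the poster's code or an answer from the thread). It separates validation from storage: each field is checked for what it should contain, the email is validated with filter_var() instead of a hand-written regex, all problems are reported together instead of die() on the first one, and the row is inserted with a PDO prepared statement. Because a table name cannot be bound as a parameter, the table named in the form is matched against a fixed whitelist; a database name coming from the form would be handled the same way. The table name contacts, the column list, and a $pdo connection from dbconnect.php are assumptions.

```php
<?php
// Added example (not code from the thread): validate the form fields, then insert
// with a PDO prepared statement. Assumes dbconnect.php defines $pdo (a PDO connection)
// and that the whitelisted table exists with the listed columns.
include("dbconnect.php");

// Identifiers (database/table/column names) cannot be bound as parameters, so form
// input must never reach the identifier position of a query. A fixed whitelist is the safe choice.
$allowedTables = [
    'contacts' => ['FirstName', 'LastName', 'Email', 'title', 'description'],
];

function validateForm(array $post, array $allowedTables)
{
    $errors = [];
    $clean  = [];

    // Identifier check: the value must equal one of the whitelisted names exactly.
    $table = isset($post['TableName']) ? $post['TableName'] : '';
    if (!isset($allowedTables[$table])) {
        $errors['TableName'] = 'Unknown table';
    } else {
        $clean['TableName'] = $table;
    }

    // Required text fields: trim, then check non-empty and within the column size.
    foreach (['FirstName', 'LastName', 'title', 'description'] as $field) {
        $value = isset($post[$field]) ? trim($post[$field]) : '';
        if ($value === '') {
            $errors[$field] = 'Required';
        } elseif (strlen($value) > 255) {
            $errors[$field] = 'Too long';
        } else {
            $clean[$field] = $value;   // stored as typed: no htmlspecialchars() before storage
        }
    }

    // Email: filter_var() implements the address syntax, replacing the hand-written regex.
    $email = isset($post['Email']) ? trim($post['Email']) : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['Email'] = 'Invalid email address';
    } else {
        $clean['Email'] = $email;
    }

    return [$clean, $errors];
}

function insertContact(PDO $pdo, array $clean)
{
    // The table name was taken from the whitelist, so interpolating it is safe;
    // the column values are bound, so quotes inside them remain data.
    $sql = sprintf(
        'INSERT INTO `%s` (FirstName, LastName, Email, title, description) VALUES (?, ?, ?, ?, ?)',
        $clean['TableName']
    );
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        $clean['FirstName'], $clean['LastName'], $clean['Email'], $clean['title'], $clean['description'],
    ]);
    return (int) $pdo->lastInsertId();   // the auto-incremented $ID
}

// Request handling: collect every error, then either report them all or insert.
list($clean, $errors) = validateForm($_POST, $allowedTables);
if ($errors) {
    http_response_code(422);
    foreach ($errors as $field => $message) {
        // Escape for HTML only here, at output time.
        echo htmlspecialchars("$field: $message", ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}
$id = insertContact($pdo, $clean);
echo "Saved record " . $id;
```

Note what is deliberately absent: stripslashes(), htmlspecialchars() and any SQL escaping before storage. A name such as O'Brien is stored exactly as entered because the value is bound, and it is HTML-escaped only when it is later printed into a page.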

waynewex:

I tried it again and I am still getting an error checking my email.

Can somebody help me find out if my email-checking code is valid to use with mysql_real_escape_string()?

FYI: My code works fine if I use the mysql_escape_string function instead of the 'real' one.

Also, do I use the same checking for file data that's been received using $FILE?

Please advise.

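Questions 3 and 4 (the file attachment) are not answered above, so here is an added example of how an upload is checked before it is stored (written for this edit, not code from the thread). A file cannot be "escaped" like a string; instead it is accepted only if it passes every check: PHP's own upload status, the uploaded-file origin check, a size limit, an extension whitelist taken from the question, and a content check with fileinfo, because the type the browser sends in $_FILES can say anything. The file is then moved under a random server-chosen name, so the client's filename never touches the filesystem. The form field name attachment, the directory /var/www/uploads, and the MIME type lists (which may need tuning to the installed libmagic) are assumptions; random_bytes() requires PHP 7.

```php
<?php
// Added example (not code from the thread): accept an uploaded file only if it passes
// every check, then store it under a server-chosen name in a directory outside the web root.
// The form field name "attachment" and the directory /var/www/uploads are assumptions.

// Extension -> MIME types accepted for it (the extensions listed in the question).
// These MIME lists are assumptions; libmagic output can vary between systems.
$allowedTypes = [
    'gif' => ['image/gif'],
    'jpg' => ['image/jpeg'],
    'bmp' => ['image/bmp', 'image/x-ms-bmp'],
    'doc' => ['application/msword'],
    'xsl' => ['application/xml', 'text/xml', 'text/xsl'],
];

function validateUpload(array $file, array $allowedTypes, $maxBytes = 2097152)
{
    // 1. PHP's own status for this field; anything but UPLOAD_ERR_OK means no usable file.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'Upload failed or no file sent'];
    }
    // 2. Confirm the temp path really came from this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'Not an uploaded file'];
    }
    // 3. Size limit, enforced server-side regardless of any MAX_FILE_SIZE field in the form.
    if ($file['size'] > $maxBytes) {
        return [false, 'File too large'];
    }
    // 4. Extension whitelist: the client-supplied name is used only for this lookup.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowedTypes[$ext])) {
        return [false, 'File type not allowed'];
    }
    // 5. Content check: $file['type'] is chosen by the browser, so read the MIME type
    //    from the bytes on disk instead and require it to match the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, $allowedTypes[$ext], true)) {
        return [false, 'File content does not match its extension'];
    }
    return [true, $ext];
}

function storeUpload(array $file, $ext, $uploadDir)
{
    // The stored name is random and the extension comes from the whitelist, so the
    // original filename (with any "../" or odd characters) never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    chmod($dest, 0640);    // readable by the web server user, not executable
    return $name;          // record this name (not the path) in the database
}

if (!isset($_FILES['attachment'])) {
    exit('No attachment field');
}
list($ok, $result) = validateUpload($_FILES['attachment'], $allowedTypes);
if (!$ok) {
    http_response_code(400);
    exit(htmlspecialchars($result, ENT_QUOTES, 'UTF-8'));
}
$stored = storeUpload($_FILES['attachment'], $result, '/var/www/uploads');
echo $stored ? 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') : 'Could not store file';
```

Storing the file outside the document root and serving it through a script (or only as a download) means that even a file which passes the checks is never executed by the web server, which is the failure mode these checks are guarding against.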
