horseatingweeds Posted July 27, 2008: If you're using values from the URL, should they be treated with security measures? Is just an if(preg_match(...)) thorough enough, like only letters, numbers and '-'?
DarkWater Posted July 27, 2008: Any input must be sanitized, no matter where it comes from. That's, like, the golden rule of PHP security.
horseatingweeds (Author) Posted July 27, 2008: But is a preg_match allowing only numbers, letters, and -'s thorough enough? It seems so.
Nhoj Posted July 27, 2008: Be careful with preg_match or preg_replace... You may also want to look into mysql_real_escape_string().
horseatingweeds (Author) Posted July 27, 2008: Would escapeshellcmd() be as appropriate?
Nhoj Posted July 27, 2008: You probably won't need to use escapeshellcmd() unless you are using your inputs to execute a command with the system, exec, etc. functions (http://us.php.net/manual/en/book.exec.php). http://us.php.net/manual/en/function.mysql-real-escape-string.php would probably be the best place to start.
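Putting the thread's advice together, as an added example that is not code from any of the posters: a whitelist check on a URL parameter written with preg_match, including the two details that make such a check reliable (anchors and the D modifier), and the validated value then handed to the database as a bound parameter (PDO prepared statements, a swapped-in alternative to the mysql_real_escape_string() the thread mentions). The function name, table name and DSN are assumptions.

```php
<?php
// Added example (not from the thread): whitelist a URL value, then bind it.

/**
 * Return the value if it consists only of letters, digits and '-',
 * otherwise null. The anchors matter: without ^ and $ a single matching
 * character anywhere in the string is enough for preg_match to succeed.
 * The D modifier stops $ from also accepting a trailing newline.
 */
function validate_slug(?string $value, int $maxLen = 64): ?string
{
    if ($value === null || $value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9-]+$/D', $value) === 1 ? $value : null;
}

// Constructed inputs showing what the check accepts and rejects.
$samples = ['my-page-3', 'my page', "ok\n", '', str_repeat('a', 100)];
foreach ($samples as $s) {
    $verdict = validate_slug($s) === null ? 'rejected' : 'accepted';
    printf("%-22s => %s\n", json_encode($s), $verdict);
}

/**
 * Validation fixes the shape of the value; the context it is used in
 * still decides the escaping. For SQL, bind it instead of escaping it.
 */
function load_page(PDO $pdo, string $slug): ?array
{
    $stmt = $pdo->prepare('SELECT title, body FROM pages WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Only runs under a web server with ?page=... present (assumed DSN).
if (isset($_GET['page'])) {
    $slug = validate_slug($_GET['page']);
    if ($slug === null) {
        http_response_code(400);
        exit('Bad request');
    }
    $pdo  = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret');
    $page = load_page($pdo, $slug);
}
// If the same value were ever passed to a shell command, escapeshellarg()
// would be the matching step for that context; the regex is not an escape.
```

Run from the command line it only prints the sample verdicts, which is enough to see that the unanchored and newline cases are the ones a looser pattern would let through.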