Omzy Posted May 24, 2009 Share Posted May 24, 2009 I've got a form with input fields and I've included the most common validation, for example strlen(), trim() and strip_tags(). Are there any other validation methods I should include? I am particularly trying to prevent SQL Injection attacks. Quote Link to comment Share on other sites More sharing options...
Axeia Posted May 24, 2009 Share Posted May 24, 2009 Look into using prepared statement or things like mysql_real_escape(). That isn't validating though, it's sanitizing Quote Link to comment Share on other sites More sharing options...
MadTechie Posted May 24, 2009 Share Posted May 24, 2009 Axeia covered the main one for SQL but for HTML injection (XSS) use htmlspecialchars() Quote Link to comment Share on other sites More sharing options...
Omzy Posted May 24, 2009 Author Share Posted May 24, 2009 Cheers guys. Currently I've got: $query="INSERT INTO table (name) VALUES (' " .strip_tags($name)). " ')"; So what would be best to add to this - htmlspecialchars() or mysql_real_escape_string()? Quote Link to comment Share on other sites More sharing options...
jxrd Posted May 24, 2009 Share Posted May 24, 2009 Well, with strip_tags() you completely remove html tags, so there's not much point in using htmlspecialchars() as well. mysql_real_escape_string is almost mandatory. If you don't use it, your query will break if you have a quote in the input. (unless magic quotes is on, but we all know that's stupid and should be turned off). It also prevents sql injection, and goes one step further than addslashes(). For example, If I were to put 0x27 into your input, it would convert it to a single quote ('). addslashes wouldn't pick that up, but mysql_real_escape_string would, and escape it. Quote Link to comment Share on other sites More sharing options...
Omzy Posted May 24, 2009 Author Share Posted May 24, 2009 Cheers for that mate. Is there any need to add any additional code to a standard delete statement: $query="DELETE FROM table WHERE id='$_GET['id']'"; Quote Link to comment Share on other sites More sharing options...
jxrd Posted May 24, 2009 Share Posted May 24, 2009 Well, them nested single quotes will break your statement... Try this $query="DELETE FROM table WHERE id='{$_GET['id']}'"; Quote Link to comment Share on other sites More sharing options...
Omzy Posted May 24, 2009 Author Share Posted May 24, 2009 That code that I wrote above works fine though, the single quotes don't break the statement. All I'm trying to do now is make it more secure. Quote Link to comment Share on other sites More sharing options...
jxrd Posted May 24, 2009 Share Posted May 24, 2009 Hmm...that's odd. I guess PHP converts $_GET['id'] before it gets to the query. Forgive me Well, it depends whatt he input is doing tbh... Quote Link to comment Share on other sites More sharing options...
Omzy Posted May 25, 2009 Author Share Posted May 25, 2009 Basically the 'ID' is got from the URL construct and there is a form on the page, clicking Submit will POST that form and it gets processed in the script as: if(isset($_POST['delete'])) { $query="DELETE FROM table WHERE id='$_GET['id']'"; //run the mysql_query } So is this safe enough? All the IDs in the database are INTs, do I need to do any intval() check or anything else? Quote Link to comment Share on other sites More sharing options...
jxrd Posted May 25, 2009 Share Posted May 25, 2009 Well, if I put this is the url: &id=';DELETE FROM `sometable` WHERE'1'='1 Your query would then look like this: $query="DELETE FROM table WHERE id='';DELETE FROM `sometable` WHERE'1'='1'"; So someone could potentially truncate, dump or delete one of your tables. You need to run mysql_real_escape_string() on EVERYTHING being used with a database. That would escape all single quotes in that statement, so it would work fine. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.