scottnicol Posted January 5, 2010
I understand encryption and so on, and am now making my encryption method have double salts from separate tables, and also completely random at user registration. I realized that if people were to type in <?php mysql_query(blablabla); ?> and delete a load of stuff, it would mess me about (or am I just being skeptical?). How can I strip all input/post of PHP tags, or rather stop it from executing (comments section of a blog)?
RaythMistwalker Posted January 5, 2010
    // Function to sanitize values received from the form. Prevents SQL injection.
    // Requires an open mysql connection, since mysql_real_escape_string() uses it.
    function clean($str)
    {
        $str = @trim($str);
        if (get_magic_quotes_gpc()) {
            // Undo the automatic quoting so the value is not escaped twice
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }
This will clean the input and prevent MySQL injection.
roopurt18 Posted January 5, 2010
Are you calling eval() on user input? If not, then it doesn't matter if they input PHP code into the comments section on a blog. All you need to do is:
1) When inserting data into the database, use mysql_real_escape_string() (or the appropriate function for your database).
2) When displaying data, call strip_tags(), htmlentities(), or some other escaping function so that potentially dangerous input from one user is not sent to another user.
scottnicol Posted January 5, 2010 (Author)
Cheers. I will be using those functions on all inputs. Better make a function to sanitize text all in one go. Thanks again!
roopurt18 Posted January 6, 2010
You cannot sanitize data all in one go. Use mysql_real_escape_string() when inserting the data, or the appropriate escape function for your database. Use an appropriate escaping function such as strip_tags() or htmlentities() after selecting data from the database and before sending it to the user's browser. Do it any other way and your site will be vulnerable to attacks.
scottnicol Posted January 6, 2010 (Author)
I'll be making two functions, one for the MySQL input, and one for the htmlentities.
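The two-function split agreed on above, written out as an added example (not code from the thread). It uses mysqli_real_escape_string() in place of the thread's mysql_real_escape_string(), since the old mysql extension no longer exists in current PHP; the connection details and the comments table are assumed.

```php
<?php
// Storage side: escape right before the value goes into a SQL string.
// mysqli_real_escape_string() is charset-aware, so set_charset() must be
// called on the connection before using it.
function escape_for_db(mysqli $db, string $str): string
{
    return mysqli_real_escape_string($db, trim($str));
}

// Output side: escape right before the value is echoed into HTML.
// ENT_QUOTES also escapes single quotes, so the result is safe inside
// quoted attributes as well as between tags; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function escape_for_html(string $str): string
{
    return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample comment: the PHP snippet from the question plus the
// quote characters that matter for SQL and for HTML.
$comment = "Nice post! <?php mysql_query(blablabla); ?> O'Reilly said \"hi\"";

// Assumed connection details and table (comments: id INT AUTO_INCREMENT, body TEXT).
$db = new mysqli('localhost', 'blog_user', 'blog_pass', 'blog');
$db->set_charset('utf8mb4');

// The stored value is plain text. Nothing here passes it to eval() or
// include(), so the <?php ... ?> inside it is never executed by the server.
$db->query("INSERT INTO comments (body) VALUES ('" . escape_for_db($db, $comment) . "')");

$row = $db->query("SELECT body FROM comments ORDER BY id DESC LIMIT 1")->fetch_assoc();

// The browser receives &lt;?php ... ?&gt; and &#039;, i.e. inert text, not markup.
echo '<p>' . escape_for_html($row['body']) . "</p>\n";
```

Keep the two steps separate: escaping for SQL at insert time does nothing for HTML, and escaping for HTML at output time does nothing for SQL, which is the point made in the thread.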