php +clean user input


bob_the_builder

Hi,

Is the following enough to clean user input before inserting into db:

[code=php:0]$field = mysql_real_escape_string(trim(strip_tags($_POST['field'])));[/code]


To my knowledge trim doesn't take away spaces between words in a paragraph?


Also, what's the best way to clean any data sent across the URL like below?

[code=php:0]index.php?action=user&user_id='.$_SESSION['user_id'].'[/code]


Thanks
https://forums.phpfreaks.com/topic/20334-php-clean-user-input/

Hi bob_the_builder,

trim() only removes leading and trailing spaces from the string, so:

"    Hello  World      "

is changed to

"Hello World"

And

"  MY      name      is      Jeff  "

becomes

"MY      name      is      Jeff"

As for your second question, if your data is numeric, and simple, such as $_SESSION['user_id'] as an integer, then there's no need to 'clean' it.

Generally if you're passing complicated data, including spaces, or funky chars, then you use

$my_url = "index.php?action=user&user_id={$_SESSION['user_id']}&my_funky_chars=" . urlencode($_SESSION['funky_chars']);

Does that cover it?

Jeff

Hi,

First, to clean form POST data I am using a function:

[code=php:0]function validate($value) {
    // numeric values are passed through untouched; anything else is
    // stripped of tags, trimmed and escaped for MySQL
    if (!is_numeric($value)) {
        $value = mysql_real_escape_string(trim(strip_tags($value)));
    }
    return $value;
}

$data = validate($_POST['field']);[/code]


Is that good enough to clean user input before inserting into a MySQL database? Also, say in a login situation, checking the username and password, is the above code going to cover any hack attempts?


As for GET data via the URL:

A simple query like:

[code]$sql = mysql_query("SELECT * FROM gallery_images WHERE photo_id='".$_GET['photo_id']."'");
while ($row = mysql_fetch_array($sql)) {
    // ... use $row ...
}[/code]

Should anything be used with queries like the one above to remove any chance of SQL injection?

Maybe just:

[code=php:0]if (is_numeric($field)) {
    // continue with query
} else {
    echo "Nice Try";
}[/code]


?

Just after good ideas to stop SQL injection and hack attempts on membership systems, and to stop alterations of GET data via the URL being used to alter SQL queries.


Thanks

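The following is an added example, not code from either poster in this thread. It puts the two patterns the thread asks about side by side: the photo_id lookup from the second post, where the $_GET value is spliced straight into the SQL string, and a hardened version that first rejects anything that is not a plain integer and then binds the value with a prepared statement. It also shows why is_numeric() (used in the validate() function and the "Nice Try" check above) is a looser gate than FILTER_VALIDATE_INT. The mysql_* functions from the thread were removed in PHP 7, so the example uses PDO; it assumes the pdo_sqlite extension is available and builds an in-memory table named after the post's query with a few constructed rows, so it runs offline. Against MySQL the same PDO calls work with a mysql: DSN.

```php
<?php
// Added example, not from the original thread. Assumes the pdo_sqlite
// extension; table name and rows are constructed to match the post's query.

// 1. is_numeric() versus FILTER_VALIDATE_INT. is_numeric() accepts any
//    numeric-looking string (including exponent notation such as "1e3");
//    filter_var() with FILTER_VALIDATE_INT accepts only an optionally
//    signed decimal integer and returns it as an int, or false.
function numeric_checks(): array {
    $out = [];
    foreach (['42', '1e3', '-7', "' OR '1'='1", '12abc'] as $v) {
        $out[] = [
            'input'        => $v,
            'is_numeric'   => is_numeric($v),
            'validate_int' => filter_var($v, FILTER_VALIDATE_INT),
        ];
    }
    return $out;
}

// Constructed sample data: three gallery rows, one of which a visitor
// should never be able to reach by tampering with photo_id.
function make_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE gallery_images (photo_id INTEGER PRIMARY KEY, title TEXT)');
    $pdo->exec("INSERT INTO gallery_images VALUES (1, 'sunset'), (2, 'harbour'), (3, 'private')");
    return $pdo;
}

// 2. The pattern from the post: the request value becomes part of the SQL
//    text. A value of  ' OR '1'='1  turns the WHERE clause into
//    photo_id='' OR '1'='1'  and every row comes back.
function lookup_unsafe(PDO $pdo, string $photoId): array {
    $sql = "SELECT * FROM gallery_images WHERE photo_id='" . $photoId . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Hardened lookup: whitelist the value as an integer, then bind it.
//    The SQL text never contains user data, so there is nothing to escape
//    and the quoting of the original query no longer matters.
function lookup_safe(PDO $pdo, string $photoId): array {
    $id = filter_var($photoId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];   // the post's "Nice Try" branch: refuse, do not query
    }
    $stmt = $pdo->prepare('SELECT * FROM gallery_images WHERE photo_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo     = make_db();
$payload = "' OR '1'='1";

foreach (numeric_checks() as $c) {
    printf("%-12s is_numeric=%-5s validate_int=%s\n",
        $c['input'], var_export($c['is_numeric'], true), var_export($c['validate_int'], true));
}
printf("unsafe lookup with payload: %d rows\n", count(lookup_unsafe($pdo, $payload)));  // 3
printf("safe lookup with payload:   %d rows\n", count(lookup_safe($pdo, $payload)));    // 0
printf("safe lookup with id=2:      %d rows\n", count(lookup_safe($pdo, '2')));         // 1
```

Two design points worth noting. Escaping (mysql_real_escape_string in the thread) only protects a value that sits inside quotes; the post's query happens to quote photo_id, but the same concatenation in a query written as photo_id=$id would be injectable with no quote characters at all, which is why the hardened version validates the type and binds the value rather than relying on escaping. Second, strip_tags() and trim() are output-related cleanup, not SQL defences; keeping them out of the database path and applying htmlspecialchars() at output time avoids mangling legitimate input such as a password containing a < character.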
