
bob_the_builder

php +clean user input


Hi,

Is the following enough to clean user input before inserting into db:

[code=php:0]$field = mysql_real_escape_string(trim(strip_tags($_POST['field'])));[/code]


To my knowledge trim doesn't take away spaces between words in a paragraph?


Also, what's the best way to clean any data sent across the URL like below?

[code=php:0]index.php?action=user&user_id='.$_SESSION['user_id'].'[/code]


Thanks

Hi bob_the_builder,

trim() only removes leading and trailing spaces from the string, so:

"    Hello  World      "

is changed to

"Hello World"

And

"  MY      name      is      Jeff  "

becomes

"MY      name      is      Jeff"

As for your second question, if your data is numeric, and simple, such as $_SESSION['user_id'] as an integer, then there's no need to 'clean' it.

Generally if you're passing complicated data, including spaces, or funky chars, then you use

[code=php:0]$my_url = "index.php?action=user&user_id={$_SESSION['user_id']}&my_funky_chars=" . urlencode($_SESSION['funky_chars']);[/code]

Does that cover it?

Jeff

Hi,

First to clean form post data I am using a function:

[code=php:0]function validate($value) {
    // numeric values are returned untouched; everything else is stripped, trimmed and escaped
    if (!is_numeric($value)) {
        $value = mysql_real_escape_string(trim(strip_tags($value)));
    }
    return $value;
}

$data = validate($_POST['field']);[/code]


Is that good enough to clean user input before inserting into a MySQL database? Also, say in a login situation, checking the username and password, is the above code going to cover any hack attempts?


As for get data via url ..

A simple query like:

[code]$sql = mysql_query("SELECT * FROM gallery_images WHERE photo_id='".$_GET['photo_id']."'");
while($row = mysql_fetch_array($sql)) {
    // ... use $row
}[/code]

Should anything be used with queries like the one above to clear any chance of sql injection?

Maybe just:

[code=php:0]if (is_numeric($field)) {
    // continue with query
} else {
    echo "Nice Try";
}[/code]


?

Just after good ideas to stop SQL injection and hack attempts on membership systems, and alterations of GET data via the URL being used to alter SQL queries.


Thanks
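As an added example (not code from this thread; the mysql_* functions used above were removed in PHP 7), here is the photo_id lookup done so that the GET value can never change the SQL text: strict integer validation, a PDO prepared statement with a bound parameter, URL building with http_build_query(), and escaping at output time. The PDO DSN, credentials and the gallery_images columns are assumed placeholders.

```php
<?php
// Added example: validate the id strictly, then bind it instead of concatenating it into SQL.

function photoIdFromRequest(array $get): ?int
{
    // Accept only a plain string of ASCII digits. is_numeric() is looser: it also
    // accepts " 12", "1e3" and floats, which is more than an id column needs.
    $raw = $get['photo_id'] ?? '';
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    return (int) $raw;
}

function fetchPhoto(PDO $pdo, int $photoId): ?array
{
    // The value is sent to the server separately from the query text, so quotes
    // or SQL keywords in the input cannot alter the statement.
    $stmt = $pdo->prepare('SELECT photo_id, title FROM gallery_images WHERE photo_id = :id');
    $stmt->bindValue(':id', $photoId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function photoUrl(int $photoId, string $filter): string
{
    // http_build_query() urlencodes every value, so spaces and "funky chars" are safe.
    return 'index.php?' . http_build_query(
        ['action' => 'photo', 'photo_id' => $photoId, 'filter' => $filter]
    );
}

// Placeholder DSN and credentials (assumed, replace with your own).
$pdo = new PDO('mysql:host=localhost;dbname=gallery;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$photoId = photoIdFromRequest($_GET);
if ($photoId === null) {
    http_response_code(400);
    exit('Invalid photo_id');
}

$row = fetchPhoto($pdo, $photoId);
if ($row !== null) {
    // Escape for HTML at output time rather than strip_tags() at input time,
    // so the stored data stays intact and the page still cannot be scripted.
    echo '<a href="' . htmlspecialchars(photoUrl($photoId, 'large'), ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</a>';
}
```

The same pattern (validate the type, bind the value) applies to the login check: compare a stored password hash with password_verify() instead of putting the submitted password into a WHERE clause.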
