
php +clean user input



#1 bob_the_builder

Posted 11 September 2006 - 02:03 AM

Hi,

Is the following enough to clean user input before inserting into db:

$field = mysql_real_escape_string(trim(strip_tags($_POST['field'])));


To my knowledge trim doesn't take away spaces between words in a paragraph?


Also what's the best way to clean any data sent across the URL like below?

index.php?action=user&user_id='.$_SESSION['user_id'].'


Thanks


#2 jefkin

Posted 11 September 2006 - 03:43 AM

Hi bob_the_builder,

trim() only removes leading and trailing spaces from the string, so:

"    Hello  World      "

is changed to

"Hello World"

And

"  MY      name      is      Jeff  "

becomes

"MY      name      is      Jeff"

As for your second question, if your data is numeric, and simple, such as $_SESSION['user_id'] as an integer, then there's no need to 'clean' it.

Generally if you're passing complicated data, including spaces, or funky chars, then you use

$my_url = "index.php?action=user&user_id={$_SESSION['user_id']}&my_funky_chars=" . urlencode($_SESSION['funky_chars']);

Does that cover it?

Jeff
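As an added example (not code from either poster), the following puts Jeff's two points together: the link is built with http_build_query(), which urlencodes every value in one go, and on the receiving page the user_id is checked as a strict integer before use, because a URL is under the visitor's control whatever you put in it when generating the link. The function names, the extra `note` parameter and the sample values are assumptions made for the demo.

```php
<?php
// Added example, not from the thread. Builds the link from the post and
// validates user_id on the receiving side. Names and sample values are
// invented for the demo.

function build_user_link(int $user_id, string $funky): string {
    // http_build_query() urlencodes each value, so the integer and the
    // 'funky chars' case from the post are handled by one call.
    return 'index.php?' . http_build_query([
        'action'  => 'user',
        'user_id' => $user_id,
        'note'    => $funky,
    ]);
}

function read_user_id(array $query): ?int {
    // The visitor can edit the URL, so validate on receipt regardless of how
    // the link was built. FILTER_VALIDATE_INT accepts only an optionally
    // signed decimal integer; is_numeric() would also accept "1e3" and "4.2".
    $id = filter_var($query['user_id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

$url = build_user_link(42, 'Jeff & co? 100% sure');
// index.php?action=user&user_id=42&note=Jeff+%26+co%3F+100%25+sure
echo $url, "\n";

// Simulate what $_GET would contain on the receiving page.
parse_str(substr($url, strlen('index.php?')), $params);
var_dump(read_user_id($params));                      // int(42)
var_dump(read_user_id(['user_id' => '42 OR 1=1']));   // NULL
var_dump(read_user_id(['user_id' => '1e3']));         // NULL (is_numeric() says true)
```

Note that urlencode() and http_build_query() are transport encoding: they make the value survive the trip in a URL, they do not make it safe to use in a query once it arrives. That is what the receiving-side check is for.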

#3 bob_the_builder

Posted 11 September 2006 - 06:12 AM

Hi,

First to clean form post data I am using a function:

function validate($value) {
    if (!is_numeric($value)) {
        $value = mysql_real_escape_string(trim(strip_tags($value)));
    }
    return $value;
}

$data = validate($_POST['field']);


Is that good enough to clean user input before inserting into a MySQL database? Also, just say a login situation, checking the username and password... is the above code gonna cover for any hack attempts?


As for GET data via URL...

A simple query like:

$sql = mysql_query("SELECT * FROM gallery_images WHERE photo_id='".$_GET['photo_id']."'");
while ($row = mysql_fetch_array($sql)) {
    // ... use $row ...
}

Should anything be used with queries like the one above to clear any chance of sql injection?

Maybe just:

if (is_numeric($field)) {
    // continue with query
} else {
    echo "Nice Try";
}


?

Just after good ideas to stop SQL injection and hack attempts on membership systems, and alterations of GET data via URL being used to alter SQL queries.


Thanks
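The following is an added example, not code from the thread, showing the gallery query from the post next to a hardened version, and the same approach applied to the login case asked about above. The thread uses the mysql_* extension; here PDO with an in-memory SQLite database is assumed so the demo runs offline, and the tables, rows, user and attack strings are all constructed for the demo. The point it makes: escaping is not validation, and a bound parameter never becomes part of the SQL text, so there is no quote for an attacker to close. mysql_real_escape_string() also does nothing for an id that is used unquoted (`WHERE photo_id=$id` accepts `1 OR 1=1` unchanged).

```php
<?php
// Added example, not from the thread. PDO + in-memory SQLite assumed; all
// tables, rows and inputs below are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE gallery_images (photo_id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO gallery_images VALUES (1, 'public beach'), (2, 'private album')");
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)");
$ins = $db->prepare("INSERT INTO users VALUES (?, ?)");
$ins->execute(['bob', password_hash('correct horse', PASSWORD_DEFAULT)]);

// 1. The query shape from the post: the raw GET value is concatenated into
//    the SQL inside single quotes, so a quote in the input ends the literal.
function vulnerable_lookup(PDO $db, string $photo_id): array {
    $sql = "SELECT title FROM gallery_images WHERE photo_id='" . $photo_id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Hardened: check the type first, then bind the value. The id is sent to
//    the database separately from the SQL text, so nothing in it can change
//    the query, and there is no escaping step to get wrong.
function safe_lookup(PDO $db, string $photo_id): array {
    $id = filter_var($photo_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];   // in a real handler: http_response_code(400) and stop
    }
    $stmt = $db->prepare("SELECT title FROM gallery_images WHERE photo_id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Login the same way: bind the username and never put the password in
//    SQL at all. It is compared against a stored hash in PHP, so it needs no
//    strip_tags() or escaping, which would only alter what the user typed.
function safe_login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare("SELECT pw_hash FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

$attack = "1' OR '1'='1";                           // constructed ?photo_id= value
var_dump(vulnerable_lookup($db, $attack));          // ['public beach', 'private album']
var_dump(safe_lookup($db, $attack));                // [] : rejected before any SQL runs
var_dump(safe_lookup($db, '1'));                    // ['public beach']
var_dump(safe_login($db, "bob' --", 'anything'));   // false: the quote is just data
var_dump(safe_login($db, 'bob', 'correct horse'));  // true
```

The `is_numeric()` gate from the post is the right instinct but the wrong function: it accepts `1e3`, `4.2` and leading whitespace, so use FILTER_VALIDATE_INT (or ctype_digit()) for ids, and still bind the value rather than concatenating it, so the check is not the only thing standing between the URL and the query.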





