
php +clean user input


bob_the_builder


Hi,

Is the following enough to clean user input before inserting into db:

[code=php:0]$field = mysql_real_escape_string(trim(strip_tags($_POST['field'])));[/code]


To my knowledge trim doesn't take away spaces between words in a paragraph?


Also, what's the best way to clean any data sent across the URL like below?

[code=php:0]index.php?action=user&user_id='.$_SESSION['user_id'].'[/code]


Thanks

Hi bob_the_builder,

trim() only removes leading and trailing spaces from the string, so:

"    Hello  World      "

is changed to

"Hello World"

And

"  MY      name      is      Jeff  "

becomes

"MY      name      is      Jeff"

As for your second question, if your data is numeric, and simple, such as $_SESSION['user_id'] as an integer, then there's no need to 'clean' it.

Generally if you're passing complicated data, including spaces, or funky chars, then you use

$my_url = "index.php?action=user&user_id={$_SESSION['user_id']}&my_funky_chars=" . urlencode($_SESSION['funky_chars']);

Does that cover it?

Jeff
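Added example, not code from either poster: it builds the user URL with http_build_query() (which applies urlencode() to every key and value) and shows the receiving page validating user_id as a positive integer before using it. The session array, the parameter names and PHP 7.1+ (for the nullable return type) are assumptions of the example.

```php
<?php
// Added example (not from the thread): encode parameters when building a URL,
// validate them strictly when reading them back. All sample values are constructed.

/**
 * Build a query string from an array. http_build_query() urlencodes every
 * key and value, so spaces, "&", "=" and non-ASCII characters stay inside
 * their own parameter instead of breaking the URL apart.
 */
function build_user_url(array $params): string
{
    return 'index.php?' . http_build_query($params);
}

/**
 * Read user_id from a $_GET-style array. Returns the integer, or null when
 * the parameter is missing or is not a positive integer (e.g. "12abc", "-3").
 * Nothing from the URL is used until it has passed this check.
 */
function read_user_id(array $get): ?int
{
    if (!isset($get['user_id'])) {
        return null;
    }
    $id = filter_var($get['user_id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Constructed stand-in for $_SESSION.
$session = ['user_id' => 42, 'funky_chars' => 'a b&c=d/é'];

$url = build_user_url([
    'action'         => 'user',
    'user_id'        => $session['user_id'],
    'my_funky_chars' => $session['funky_chars'],
]);
echo $url, PHP_EOL;

// Receiving side: parse the query string back into an array and validate.
parse_str(substr($url, strlen('index.php?')), $get);
var_dump(read_user_id($get));                   // valid id
var_dump(read_user_id(['user_id' => '42abc'])); // rejected
var_dump(read_user_id(['user_id' => '-3']));    // rejected
```

The point of read_user_id() is that an id coming back in from the URL is checked on arrival even when the page that built the URL only ever put an integer there, since anyone can edit the address bar.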

Hi,

First to clean form post data I am using a function:

[code=php:0]function validate($value) {
    // numeric values are returned unchanged; everything else is escaped
    if (!is_numeric($value)) {
        $value = mysql_real_escape_string(trim(strip_tags($value)));
    }
    return $value;
}

$data = validate($_POST['field']);[/code]


Is that good enough to clean user input before inserting into a MySQL database? Also, say in a login situation, checking the username and password: is the above code going to cover any hack attempts?


As for get data via url ..

A simple query like:

[code=php:0]$sql = mysql_query("SELECT * FROM gallery_images WHERE photo_id='".$_GET['photo_id']."'");
while ($row = mysql_fetch_array($sql)) {
    // ... use $row
}[/code]

Should anything be used with queries like the one above to clear any chance of sql injection?

Maybe just:

[code=php:0]if (is_numeric($field)) {
    // continue with query
} else {
    echo "Nice Try";
}[/code]


?

Just after good ideas to stop SQL injection and hack attempts on membership systems, and alterations of GET data via the URL being used to alter SQL queries.


Thanks
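Added example, not code from either poster: the gallery lookup and a login check rewritten with PDO prepared statements, so request data is bound as a parameter and never concatenated into the SQL text, which removes the injection question rather than escaping around it. It uses an in-memory SQLite database so it runs without a MySQL server; the table layout, the member rows and the password hashing with password_hash()/password_verify() are assumptions of the example (PHP 7.1+ for the nullable return type).

```php
<?php
// Added example (not from the thread): prepared statements instead of
// mysql_real_escape_string(). SQLite in memory stands in for MySQL; with the
// MySQL driver the DSN would be "mysql:host=...;dbname=..." and you would also
// set PDO::ATTR_EMULATE_PREPARES to false. Tables and rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE gallery_images (photo_id INTEGER PRIMARY KEY, title TEXT)');
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->exec("INSERT INTO gallery_images VALUES (7, 'sunset')");

$ins = $db->prepare('INSERT INTO members (username, password_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'alice',   ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
$ins->execute([':u' => "o'brien", ':h' => password_hash('battery staple', PASSWORD_DEFAULT)]);

/**
 * Fetch one gallery row by photo_id. The id is validated as a positive
 * integer first (this is the "Nice Try" branch, without echoing anything),
 * then bound as a typed parameter, so it can never change the SQL statement.
 */
function find_photo(PDO $db, $raw_id): ?array
{
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM gallery_images WHERE photo_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Login check: look the member up by a bound parameter and compare the
 * submitted password against the stored hash. No escaping is needed because
 * the username is passed as data, not spliced into the query string.
 */
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM members WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false;             // unknown user
    }
    return password_verify($password, $hash);
}

// Constructed request values standing in for $_GET / $_POST.
var_dump(find_photo($db, '7'));          // the sunset row
var_dump(find_photo($db, '7 OR 1=1'));   // rejected by the integer check, no SQL runs
var_dump(find_photo($db, '9999'));       // no such photo
var_dump(login($db, 'alice', 'correct horse'));   // correct password
var_dump(login($db, "o'brien", 'battery staple')); // quote in username is harmless
var_dump(login($db, 'alice', 'wrong'));            // wrong password
```

The login() function also shows the other half of the membership question: the password is never stored or compared in clear text, only its hash, so a stolen members table does not hand out passwords.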
