bob_the_builder Posted September 11, 2006

Hi,

Is the following enough to clean user input before inserting into db:
[code=php:0]
$field = mysql_real_escape_string(trim(strip_tags($_POST['field'])));
[/code]
To my knowledge trim doesn't take away spaces between words in a paragraph?

Also what's the best way to clean any data sent across the url like below?
[code=php:0]
index.php?action=user&user_id='.$_SESSION['user_id'].'
[/code]
Thanks
jefkin Posted September 11, 2006

Hi bob_the_builder,

trim() only removes leading and trailing spaces from the string, so:
" Hello World " is changed to "Hello World"
And " MY name is Jeff " becomes "MY name is Jeff"

As for your second question, if your data is numeric, and simple, such as $_SESSION['user_id'] as an integer, then there's no need to 'clean' it.

Generally if you're passing complicated data, including spaces, or funky chars, then you use
[code=php:0]
$my_url = "index.php?action=user&user_id={$_SESSION['user_id']}&my_funky_chars=" . urlencode($_SESSION['funky_chars']);
[/code]
Does that cover it?

Jeff
bob_the_builder Posted September 11, 2006

Hi,

First to clean form post data I am using a function:
[code=php:0]
function validate($value) {
    if (!is_numeric($value)) {
        $value = mysql_real_escape_string(trim(strip_tags($value)));
    }
    return $value;
}
$data = validate($_POST['field']);
[/code]
Is that good enough to clean user input before inserting into a mysql database? Also just say a login situation, checking the username and password .. is the above code gunna cover for any hack attempts?

As for get data via url .. A simple query like:
[code=php:0]
$sql = mysql_query("SELECT * FROM gallery_images WHERE photo_id='" . $_GET['photo_id'] . "'");
while ($row = mysql_fetch_array($sql)) {
    // ... use $row ...
}
[/code]
Should anything be used with queries like the one above to clear any chance of sql injection?

Maybe just:
[code=php:0]
if (is_numeric($field)) {
    // continue with query
} else {
    echo "Nice Try";
}
[/code]
?

Just after good ideas to stop sql injection and hack attempts on membership systems and alterations of get data via url being used to alter sql queries.

Thanks
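A hardened version of the three pieces of code discussed in this thread, added here as an example and not written by any of the posters: parameterised PDO queries in place of mysql_real_escape_string() (the mysql_* extension was removed in PHP 7), an integer filter in place of is_numeric(), a login check that keeps the password out of the SQL entirely, and http_build_query() for the URL. The DSN, credentials, table and column names are assumed placeholders.

```php
<?php
// Added example, not from the thread. Assumed: a MySQL database reachable with the
// DSN below, a table gallery_images(photo_id INT, ...), a table posts(body TEXT) and
// a table users(username, password_hash) where password_hash came from password_hash().

function db(): PDO {
    // Emulated prepares off: MySQL binds the values itself, so user data never
    // becomes part of the SQL text and no escaping function is needed.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
        PDO::ATTR_ERRMODE         => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// is_numeric() accepts "1e3", " 42" and "4.5"; an id should be a positive integer only.
function int_param(array $src, string $key): ?int {
    $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Replaces: "SELECT * FROM gallery_images WHERE photo_id='" . $_GET['photo_id'] . "'"
function fetch_photo(PDO $pdo, int $photoId): ?array {
    $stmt = $pdo->prepare('SELECT * FROM gallery_images WHERE photo_id = :id');
    $stmt->execute([':id' => $photoId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Replaces the validate() + INSERT pattern: store the text as submitted (trimmed);
// strip_tags()/htmlspecialchars() belong at output time, and the driver does the quoting.
function insert_field(PDO $pdo, string $field): int {
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => trim($field)]);
    return (int) $pdo->lastInsertId();
}

// Login: look the user up by name only, then compare the hash in PHP instead of
// putting the submitted password into the WHERE clause.
function login(PDO $pdo, string $user, string $pass): bool {
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['password_hash']);
}

// The URL from the first post: http_build_query() percent-encodes every value.
function user_url(int $userId): string {
    return 'index.php?' . http_build_query(['action' => 'user', 'user_id' => $userId]);
}

$id = int_param($_GET, 'photo_id');
if ($id === null) { http_response_code(400); exit('Nice Try'); }
$photo = fetch_photo(db(), $id);
```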