
Is This How Sanitising Code Works?


justlukeyou


Hi,
I'm having a first attempt at sanitising code, but I'm not actually sure what I'm doing or how I know if it works.

This is the code I have inserted. If I enter "description=re#d%widget", the description query ends so it displays everything 'red', not just everything 'red widget'.
$description = mysql_real_escape_string($description);
$description = stripslashes($description);
$description = htmlentities($description);
return $description;

$price = mysql_real_escape_string($price);
$price = stripslashes($price);
$price = htmlentities($price);
return $price;

<?php

ini_set('display_errors', 1);
error_reporting(-1);

// The mysql_* extension used below was removed in PHP 7.0; this code only
// runs on PHP 5.
$query = "SELECT * FROM productfeed";
$where = array();

if (!empty($_GET['description']))
{
    $description = $_GET['description'];
    // $description goes into the SQL text exactly as typed: a quote in the
    // input ends the string literal, and '%' / '_' act as LIKE wildcards.
    $where[] = "description like '%$description%'";
}

if (!empty($_GET['price']))
{
    $price = explode('-', $_GET['price']);
    $lowPrice = (int)$price[0];
    // fall back to a single price when no "-" was given (avoids an undefined index)
    $highPrice = isset($price[1]) ? (int)$price[1] : $lowPrice;

    $where[] = "price BETWEEN $lowPrice AND $highPrice";
}

// Only add WHERE when there is at least one condition; appending
// " AND price ..." with no preceding WHERE (price given, description not)
// is a syntax error.
if (count($where) > 0)
{
    $query .= " WHERE " . implode(" AND ", $where);
}

$result = mysql_query($query);
if ($result === false)
{
    die('Query failed: ' . mysql_error());
}

while ($row = mysql_fetch_assoc($result))
{
    $id = $row['id'];
    $image = $row['awImage'];
    $link = $row['link'];
    $description = $row['description'];
    $fulldescription = $row['fulldescription'];
    $price = $row['price'];

    echo "<div class='productdisplayshell'>
<div class='productdisplayoutline'>
<div class='productborder'><center>
<a href='$link' target='_blank'><img src='$image' width=\"95%\" /></a>
</center> </div></div>
<div class='productdescriptionoutline'>
<div class='productdescriptionbox'>
<a href='$link' target='_blank' >$description</a>
</div>
<div class='productfulldescriptionbox'>$fulldescription</div>
</div>
<div class='productpriceoutline'>
<div class='productpricebox'>
<center>&#163; $price</center>
</div>
<div class='productbuybutton'>
<center><a href='$link' target='_blank' ><img src=/images/buybutton.png /></a></center>
</div>
</div>
</div>";
}

// Show the "not available" message when the query matched no rows
// (comparing $_GET['description'] with $description only tests the last
// row fetched, or an unset variable when there were none).
if (mysql_num_rows($result) == 0) {
    echo 'Sorry, this product is not available.  Please visit our <a href="http://www.domain.co.uk">Homepage</a>.';
}

?>

<?php
function sanitizeString($description)
{
    $description = mysql_real_escape_string($description);
    // stripslashes() removes the backslashes mysql_real_escape_string()
    // just added, so the value is back to its unescaped form after this.
    $description = stripslashes($description);
    $description = htmlentities($description);
    return $description;
}
?>

https://forums.phpfreaks.com/topic/229063-is-this-how-sanitising-code-works/

NO, running stripslashes() after mysql_real_escape_string() will defeat the purpose of the function.

htmlentities() is for displaying user data to a page.

I test for the expected data type, strip out anything not allowed, then pass it through mysql_real_escape_string().

For instance, if I expect the user to pass a number:

$number = (isset($_POST['number'])) ? intval(strip_tags($_POST['number'])) : 0;

$sql = sprintf("SELECT * FROM table WHERE id = %d", mysql_real_escape_string($number));
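The reply's advice (validate the type, then keep the value out of the SQL text; escape for HTML only when printing) applied to the first post's product search, as an added example that is not code from either poster. It uses mysqli prepared statements instead of mysql_real_escape_string(), so there is nothing for stripslashes() to undo. Table and column names (productfeed, description, price, link, awImage, fulldescription) are taken from the thread; the connection details are placeholders, and it assumes PHP 7.1+ with mysqlnd (for get_result()).

```php
<?php
// Added example, not code from the thread: the product search from the first
// post rebuilt on mysqli prepared statements. Connection details below are
// placeholders (assumed).
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// Turn the two optional filters into SQL with ? placeholders plus the values
// to bind. User text never becomes part of the SQL string itself.
function buildProductQuery(?string $description, ?string $priceRange): array
{
    $sql    = 'SELECT id, awImage, link, description, fulldescription, price FROM productfeed';
    $where  = [];
    $types  = '';
    $params = [];

    if ($description !== null && $description !== '') {
        // A bound parameter cannot close the quoted string, but '%' and '_'
        // are still LIKE wildcards inside it; escape them so a search for
        // "re%d" matches that literal text (MySQL's default LIKE escape
        // character is the backslash).
        $where[]  = 'description LIKE ?';
        $types   .= 's';
        $params[] = '%' . addcslashes($description, '%_\\') . '%';
    }

    // Accept only "<int>-<int>"; anything else is ignored rather than patched up.
    if ($priceRange !== null && preg_match('/^(\d+)-(\d+)$/', $priceRange, $m)) {
        $low  = (int) $m[1];
        $high = (int) $m[2];
        if ($low > $high) {
            [$low, $high] = [$high, $low];
        }
        $where[]  = 'price BETWEEN ? AND ?';
        $types   .= 'ii';
        $params[] = $low;
        $params[] = $high;
    }

    if ($where !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    return [$sql, $types, $params];
}

function runProductSearch(mysqli $db, ?string $description, ?string $priceRange): array
{
    [$sql, $types, $params] = buildProductQuery($description, $priceRange);
    $stmt = $db->prepare($sql);
    if ($types !== '') {
        $stmt->bind_param($types, ...$params);
    }
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// HTML escaping happens here, at output time, never before the query.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderProduct(array $row): string
{
    $link = h($row['link']);
    return "<div class='productdisplayshell'>"
        . "<div class='productborder'><a href='$link' target='_blank'>"
        . "<img src='" . h($row['awImage']) . "' width='95%' /></a></div>"
        . "<div class='productdescriptionbox'><a href='$link' target='_blank'>"
        . h($row['description']) . "</a></div>"
        . "<div class='productfulldescriptionbox'>" . h($row['fulldescription']) . "</div>"
        . "<div class='productpricebox'>&#163; " . h((string) $row['price']) . "</div>"
        . "</div>";
}

// Usage (placeholder credentials, assumed):
// $db = new mysqli('localhost', 'shop_user', 'secret', 'shop');
// $db->set_charset('utf8mb4');
// $rows = runProductSearch($db, $_GET['description'] ?? null, $_GET['price'] ?? null);
// if ($rows === []) {
//     echo 'Sorry, this product is not available.';
// }
// foreach ($rows as $row) {
//     echo renderProduct($row);
// }
```

Two caveats: the LIKE-wildcard escaping relies on MySQL's default backslash escape, which the NO_BACKSLASH_ESCAPES sql_mode turns off (add an explicit ESCAPE clause if that mode is in use), and if fulldescription holds HTML from a trusted feed, escaping it will show the tags as text, so that column needs an HTML sanitiser rather than htmlspecialchars().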
