
security practices


php_begins


I had a general question about security in PHP.

Suppose I have a value submitted from a form called $form that would go to the database.

What functions would be good to clean it before it goes to the database?

Suppose I want to display the $form variable in the browser; what would I use to display it to prevent JavaScript or HTML injection, other than strip_tags?

On another note, what security practices should I follow when dealing with sessions?


When you need to sanitize a value to be entered into the database, you want to use the appropriate method/function based upon the data type and the database you are using. Each database has different functions. Most PHP applications use MySQL, so I'll cover that here:

For string/text data you would want to use mysql_real_escape_string(). However, that is, as its name implies, for string data. If you have a field that should be an integer or float, you could use the functions intval() and floatval(), respectively. For dates you want to ensure they are in the right format as well. Basically, you need to use the right process for each specific situation. There is no one-size-fits-all.

When displaying user content on the HTML page, there are the functions htmlentities() and htmlspecialchars(). Those will transform content that would otherwise be interpreted as HTML code into the character codes/entities that will be displayed harmlessly. So, there is no reason you have to remove the tags from something like "<b>My Value</b>" if you don't want to. You don't need to use strip_tags() unless you have a need to actually remove those characters, since the other two functions will allow you to display them without risk.

Not sure what you are looking for regarding sessions. They are pretty safe since the data is stored on the server; only a session identifier is stored on the user's machine. Cookies are a much bigger risk. You should treat cookies like any other user-submitted data (POST/GET): don't trust them. Make sure you perform any necessary sanitization and validation before using them.

I wouldn't take anything I say as gospel, these are only my opinions. There are whole books written on these subjects. So, go pick one up if you really want to delve into this.
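An added example (my own, not from either post) that puts the answer's advice into code: validate each field by its expected type, encode it for HTML output, and, in place of the escaping step, hand values to a mysqli prepared statement so they never become part of the SQL text. The `$mysqli` connection and the `people` table are assumptions.

```php
<?php
// Added example, not from the thread: type-based validation of form input,
// HTML encoding for display, and a parameterised insert instead of escaping.

// Each validator returns the typed value, or null when the input does not
// match the expected type, so the caller can reject it instead of guessing.
function validate_int($value) {
    $ok = filter_var($value, FILTER_VALIDATE_INT);
    return $ok === false ? null : (int) $value;
}

function validate_float($value) {
    $ok = filter_var($value, FILTER_VALIDATE_FLOAT);
    return $ok === false ? null : (float) $value;
}

// A date is accepted only if it round-trips through the expected format,
// which also rejects calendar-invalid dates that DateTime would silently roll over.
function validate_date($value) {
    $d = DateTime::createFromFormat('Y-m-d', $value);
    return ($d !== false && $d->format('Y-m-d') === $value) ? $value : null;
}

// For display: encode every HTML-significant character, including both quote
// styles, so "<b>My Value</b>" is shown literally rather than rendered.
function display_safe($value) {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample of what $_POST might hold, including values that should fail.
$form = [
    'name'  => '<b>My Value</b>',
    'age'   => '37abc',
    'price' => '9.99',
    'born'  => '2024-02-30',
];

$age   = validate_int($form['age']);
$price = validate_float($form['price']);
$born  = validate_date($form['born']);
echo display_safe($form['name']), "\n";

// Hypothetical DB write: the prepared statement sends the values separately
// from the query, so no escaping function is needed. Assumes a live $mysqli
// connection and a table `people` with columns name (text), age (int), price (decimal).
function insert_person(mysqli $mysqli, $name, $age, $price) {
    $stmt = $mysqli->prepare('INSERT INTO people (name, age, price) VALUES (?, ?, ?)');
    $stmt->bind_param('sid', $name, $age, $price);
    return $stmt->execute();
}
```

Call insert_person() only after every validator has returned a non-null value; the validators are what enforce the "right process for each data type" point, and the prepared statement replaces the escaping step for the string field.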
