Jump to content

Recommended Posts

When sanitizing user inputs, if I'm already using htmlspecialchars around user inputs do I still need to use the filter_input functions or do I need to stop using htmlspecialchars and start using filter_input?

 

While I was looking through the PHP manual for filter_input, it basically has the htmlspecialchars and more, but do I really need all of that?

 

I'm just escaping what the user has put in for any type of user based inputs like $_GET and $_POST. Mostly looking to escape any bad characters that the user has put in when it's really not suppose to be there. For $_GET, I'm using filter_var($var, FILTER_SANITIZE_URL);

 

So if user types something like

<script>alert("XSS")</script>

into the input field, it would just be output like this

<script>alert("XSS")</script>	
Link to comment
https://forums.phpfreaks.com/topic/295804-php-question/
Share on other sites

Great topic name. Aren't all the posts here basically 'php questions'?

Great reply. Aren't all of your replies just criticizing everyone's ideas? It doesn't help anyone if all you have are negative response.

 

Off-topic: Also, your reply for the singleton topic is a bad example of a programmer. Your idea is putting the database connection such as $connection = new PDO('mysql:host=localhost;dbname=sample'$user$pass); into a file and then including it throughout the whole website. This is a lazy idea for programmers. If someone were to access your database connection file, it would still be executed because the lines $connection = new PDO('mysql:host=localhost;dbname=sample'$user$pass); run a true statment if the connection does not fail. This means people can access your database if they really knew how to because the command lines still are executing. Since others are smart and they want singletons, classes, and methods. They avoid this mess and their database connections are only called when their singletons, classes, and methods are called. The only way to execute a class is to call it in your codes. If someone were to access your file directly, the classes will not be called.

Edited by PHPEnthusiast
Link to comment
https://forums.phpfreaks.com/topic/295804-php-question/#findComment-1509768
Share on other sites

Which is why my code is stored outside of the root folder.

o.  o That doesn't make any sense what's so ever because now you're going against your own words. The words you typed up yourself. Straight from your post.

 

 

Guess I never understand why people here are always looking for ways to encapsulate a basic feature of web development with some 'tool' (framework in this case, object/classes in others) when the standard php language promises so much.

 

 

Run these lines and tell me what you get or better yet. I'll save you the time (being lazy) and show you the results. The difference from running a code that has no classes and objects v.s. running a code with classes and objects.

 

Without class

With PDO

var_dump(new PDO('mysql:host=localhost;dbname=sample', 'root', 'root'));

The line above outputs

object(PDO)#1 (0) { } 

Which is still calling the database.

 

 

With class

class Connection {
	private function connections() {
		var_dump(new PDO('mysql:host=localhost;dbname=test', 'root', 'root'));
	}
}

The line above outputs


With MySQLi

Without class

var_dump(new mysqli('localhost', 'root', 'root', 'sample'));

The line above outputs

object(mysqli)#1 (19) { ["affected_rows"]=> int(0) ["client_info"]=> string(75) "mysqlnd _._.__ - ________ - $Id: b0b3b15c693b7f6aeb3aa66b646fee339f175e39 $" ["client_version"]=> int(50010) ["connect_errno"]=> int(0) ["connect_error"]=> NULL ["errno"]=> int(0) ["error"]=> string(0) "" ["error_list"]=> array(0) { } ["field_count"]=> int(0) ["host_info"]=> string(20) "localhost via TCP/IP" ["info"]=> NULL ["insert_id"]=> int(0) ["server_info"]=> string(6) "_._.__" ["server_version"]=> int(_____) ["stat"]=> string(135) "Uptime: 22139 Threads: 1 Questions: 1596 Slow queries: 0 Opens: 173 Flush tables: 1 Open tables: 0 Queries per second avg: 0.072" ["sqlstate"]=> string(5) "00000" ["protocol_version"]=> int(10) ["thread_id"]=> int(936) ["warning_count"]=> int(0) } 

With classes

class Connection {
	private function connections() {
		var_dump(new mysqli('localhost', 'root', 'root', 'sample'));
	}
}

The line above outputs


This means that the database connection will never be called if the class hasn't been called yet. Putting your codes outside of the root folder puts more effort on you. Reason why I said you are going against yourself is because PHP in general has classes, objects, and methods built-in so I'm not sure why you are putting your codes outside of the root folder just to protect them from direct access. Also, when I mean by lazy I meant that the stuff you should be using, you don't. But the stuff that it wasn't meant for, you're putting more effort into that.

 

Sorry anyone reading this. Went off-topic there. Back on topic, I'm still looking for some answers as to if I should be using htmlspecialchars or filter_input.

Edited by PHPEnthusiast
Link to comment
https://forums.phpfreaks.com/topic/295804-php-question/#findComment-1509774
Share on other sites

Great reply. Aren't all of your replies just criticizing everyone's ideas? It doesn't help anyone if all you have are negative response.

 

Off-topic: Also, your reply for the singleton topic is a bad example of a programmer. Your idea is putting the database connection such as $connection = new PDO('mysql:host=localhost;dbname=sample'$user$pass); into a file and then including it throughout the whole website. This is a lazy idea for programmers. If someone were to access your database connection file, it would still be executed because the lines $connection = new PDO('mysql:host=localhost;dbname=sample'$user$pass); run a true statment if the connection does not fail. This means people can access your database if they really knew how to because the command lines still are executing. Since others are smart and they want singletons, classes, and methods. They avoid this mess and their database connections are only called when their singletons, classes, and methods are called. The only way to execute a class is to call it in your codes. If someone were to access your file directly, the classes will not be called.

 

Way to get help... :suicide:

 

Curious though why is PDO exempt from your "class execution only bu calling it in code" rhetoric?  How is using a singleton at all an example of a good programmer?  Why even bring it up here if you have another "on topic" thread to discuss it? :blink:

 

I was typing this as your last post came up....really dude :wtf: ?  Are you here for help or to start a pissing contest?

 

Somewhere, at somepoint you are going to call that marvelous "create a magic connection to my database" class, at which point you will open up siad class object the same way you did by calling the PDO class.

 

 

Anyway, to answer your "PHP question" here - you don't need to do anything.  No one is forcing you to program, although I get why you would fall into such a socialy removed passtime as this with an atitude like yours.  The options are there, use what you feel happy using upset's you the least, and don't come on forums and behave like a big boy stole your ball and it's all our fault just becuase you get chalenged on something.

Link to comment
https://forums.phpfreaks.com/topic/295804-php-question/#findComment-1509775
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.