PHPEnthusiast Posted April 23, 2015 Share Posted April 23, 2015 When sanitizing user inputs, if I'm already using htmlspecialchars around user inputs do I still need to use the filter_input functions or do I need to stop using htmlspecialchars and start using filter_input? While I was looking through the PHP manual for filter_input, it basically has the htmlspecialchars and more, but do I really need all of that? I'm just escaping what the user has put in for any type of user based inputs like $_GET and $_POST. Mostly looking to escape any bad characters that the user has put in when it's really not suppose to be there. For $_GET, I'm using filter_var($var, FILTER_SANITIZE_URL); So if user types something like <script>alert("XSS")</script> into the input field, it would just be output like this <script>alert("XSS")</script> Quote Link to comment https://forums.phpfreaks.com/topic/295804-php-question/ Share on other sites More sharing options...
ginerjm Posted April 23, 2015 Share Posted April 23, 2015 Great topic name. Aren't all the posts here basically 'php questions'? Quote Link to comment https://forums.phpfreaks.com/topic/295804-php-question/#findComment-1509761 Share on other sites More sharing options...
PHPEnthusiast Posted April 23, 2015 Author Share Posted April 23, 2015 (edited) Great topic name. Aren't all the posts here basically 'php questions'? Great reply. Aren't all of your replies just criticizing everyone's ideas? It doesn't help anyone if all you have are negative response. Off-topic: Also, your reply for the singleton topic is a bad example of a programmer. Your idea is putting the database connection such as $connection = new PDO('mysql:host=localhost;dbname=sample', $user, $pass); into a file and then including it throughout the whole website. This is a lazy idea for programmers. If someone were to access your database connection file, it would still be executed because the lines $connection = new PDO('mysql:host=localhost;dbname=sample', $user, $pass); run a true statment if the connection does not fail. This means people can access your database if they really knew how to because the command lines still are executing. Since others are smart and they want singletons, classes, and methods. They avoid this mess and their database connections are only called when their singletons, classes, and methods are called. The only way to execute a class is to call it in your codes. If someone were to access your file directly, the classes will not be called. Edited April 23, 2015 by PHPEnthusiast Quote Link to comment https://forums.phpfreaks.com/topic/295804-php-question/#findComment-1509768 Share on other sites More sharing options...
ginerjm Posted April 23, 2015 Share Posted April 23, 2015 Which is why my code is stored outside of the root folder. Quote Link to comment https://forums.phpfreaks.com/topic/295804-php-question/#findComment-1509772 Share on other sites More sharing options...
PHPEnthusiast Posted April 23, 2015 Author Share Posted April 23, 2015 (edited) Which is why my code is stored outside of the root folder. o. o That doesn't make any sense what's so ever because now you're going against your own words. The words you typed up yourself. Straight from your post. Guess I never understand why people here are always looking for ways to encapsulate a basic feature of web development with some 'tool' (framework in this case, object/classes in others) when the standard php language promises so much. Run these lines and tell me what you get or better yet. I'll save you the time (being lazy) and show you the results. The difference from running a code that has no classes and objects v.s. running a code with classes and objects. Without class With PDO var_dump(new PDO('mysql:host=localhost;dbname=sample', 'root', 'root')); The line above outputs object(PDO)#1 (0) { } Which is still calling the database. With class class Connection { private function connections() { var_dump(new PDO('mysql:host=localhost;dbname=test', 'root', 'root')); } } The line above outputs With MySQLi Without class var_dump(new mysqli('localhost', 'root', 'root', 'sample')); The line above outputs object(mysqli)#1 (19) { ["affected_rows"]=> int(0) ["client_info"]=> string(75) "mysqlnd _._.__ - ________ - $Id: b0b3b15c693b7f6aeb3aa66b646fee339f175e39 $" ["client_version"]=> int(50010) ["connect_errno"]=> int(0) ["connect_error"]=> NULL ["errno"]=> int(0) ["error"]=> string(0) "" ["error_list"]=> array(0) { } ["field_count"]=> int(0) ["host_info"]=> string(20) "localhost via TCP/IP" ["info"]=> NULL ["insert_id"]=> int(0) ["server_info"]=> string(6) "_._.__" ["server_version"]=> int(_____) ["stat"]=> string(135) "Uptime: 22139 Threads: 1 Questions: 1596 Slow queries: 0 Opens: 173 Flush tables: 1 Open tables: 0 Queries per second avg: 0.072" ["sqlstate"]=> string(5) "00000" ["protocol_version"]=> int(10) ["thread_id"]=> int(936) ["warning_count"]=> int(0) } With classes class Connection { private function connections() { var_dump(new mysqli('localhost', 'root', 'root', 'sample')); } } The line above outputs This means that the database connection will never be called if the class hasn't been called yet. Putting your codes outside of the root folder puts more effort on you. Reason why I said you are going against yourself is because PHP in general has classes, objects, and methods built-in so I'm not sure why you are putting your codes outside of the root folder just to protect them from direct access. Also, when I mean by lazy I meant that the stuff you should be using, you don't. But the stuff that it wasn't meant for, you're putting more effort into that. Sorry anyone reading this. Went off-topic there. Back on topic, I'm still looking for some answers as to if I should be using htmlspecialchars or filter_input. Edited April 23, 2015 by PHPEnthusiast Quote Link to comment https://forums.phpfreaks.com/topic/295804-php-question/#findComment-1509774 Share on other sites More sharing options...
Muddy_Funster Posted April 23, 2015 Share Posted April 23, 2015 Great reply. Aren't all of your replies just criticizing everyone's ideas? It doesn't help anyone if all you have are negative response. Off-topic: Also, your reply for the singleton topic is a bad example of a programmer. Your idea is putting the database connection such as $connection = new PDO('mysql:host=localhost;dbname=sample', $user, $pass); into a file and then including it throughout the whole website. This is a lazy idea for programmers. If someone were to access your database connection file, it would still be executed because the lines $connection = new PDO('mysql:host=localhost;dbname=sample', $user, $pass); run a true statment if the connection does not fail. This means people can access your database if they really knew how to because the command lines still are executing. Since others are smart and they want singletons, classes, and methods. They avoid this mess and their database connections are only called when their singletons, classes, and methods are called. The only way to execute a class is to call it in your codes. If someone were to access your file directly, the classes will not be called. Way to get help... Curious though why is PDO exempt from your "class execution only bu calling it in code" rhetoric? How is using a singleton at all an example of a good programmer? Why even bring it up here if you have another "on topic" thread to discuss it? I was typing this as your last post came up....really dude ? Are you here for help or to start a pissing contest? Somewhere, at somepoint you are going to call that marvelous "create a magic connection to my database" class, at which point you will open up siad class object the same way you did by calling the PDO class. Anyway, to answer your "PHP question" here - you don't need to do anything. No one is forcing you to program, although I get why you would fall into such a socialy removed passtime as this with an atitude like yours. The options are there, use what you feel happy using upset's you the least, and don't come on forums and behave like a big boy stole your ball and it's all our fault just becuase you get chalenged on something. Quote Link to comment https://forums.phpfreaks.com/topic/295804-php-question/#findComment-1509775 Share on other sites More sharing options...
ginerjm Posted April 23, 2015 Share Posted April 23, 2015 To answer NotionCommotion: Huh? I have no idea what you are trying reconcile with me. Don't care either. Quote Link to comment https://forums.phpfreaks.com/topic/295804-php-question/#findComment-1509778 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.