Cleaning information retrieved from database



#1 hadoob024
  • Members
  • Advanced Member
  • 192 posts

Posted 12 April 2006 - 08:23 PM

I was reading through this PHP security book and it recommends cleaning/screening/sanitizing information retrieved from the db prior to displaying it. Is this something that everyone recommends, or is it considered overkill?

#2 craygo
  • Staff Alumni
  • Advanced Member
  • 1,973 posts
  • Location: Rhode Island

Posted 12 April 2006 - 08:45 PM

Depends on what you are retrieving. Most of the time, text and number fields don't need any kind of formatting or cleaning, but long text fields with, say, HTML or line breaks or things like that would need to be so-called "cleaned" to display properly. It all depends on the type of data you are storing.

Ray

#3 hadoob024
  • Members
  • Advanced Member
  • 192 posts

Posted 12 April 2006 - 09:03 PM

Well, this is for a real estate website, so let's see, I have 8 small text fields (like around 30 chars), 2 integer fields, and 1 field for a listing description that's 240 chars max. Like I know to use htmlentities() to clean up these fields for proper display, but do I need to run everything through some eregi() checks or something to validate the information again before displaying it? Or does this all depend on how secure the db server is?

#4 AndyB
  • Staff Alumni
  • Advanced Member
  • 5,465 posts
  • Location: Toronto

Posted 12 April 2006 - 09:41 PM

I'd suggest re-reading that part of the book. Good practice would be to clean/screen/sanitize data before adding it to the database.
Legend has it that reading the manual never killed anyone.

#5 hadoob024
  • Members
  • Advanced Member
  • 192 posts

Posted 12 April 2006 - 10:06 PM

Yup. I do that too. I check the lengths and type of info entered into the form, then I set a variable equal to the $_POST variable passed through. I then verify it using eregi(). I also use trim(), strip_tags(), etc. And only after it passes all these checks do I actually store the info in the db. But the book suggested that, just to be on the safe side, to also then verify the info when it's pulled out of the db but before displaying it.
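The two halves of this thread (validate on the way into the database, escape on the way out at display time) fit together as shown below. This is an added example written for this page, not code posted by anyone in the thread; the field names, the eight-field/two-integer/240-character layout from post #3, and the sample row are assumptions made up for illustration. It uses htmlspecialchars() and preg_match()-style checks rather than eregi(), since the ereg functions were deprecated in PHP 5.3 and removed in PHP 7. The point the book is making is that output escaping does not depend on how the data got into the database: a row written by an older import script, an admin tool, or another application that never ran strip_tags() is still rendered safely, because the escaping happens every time the value is placed into HTML.

```php
<?php
// Added example, not from the thread. Real-estate listing: validate input,
// then escape at display time. Field names and limits are assumed.

declare(strict_types=1);

const SHORT_MAX = 30;   // the eight small text fields
const DESC_MAX  = 240;  // the listing description

/**
 * Validate a submitted listing form. Returns a list of error strings
 * (an empty list means the data may be stored).
 */
function validate_listing(array $post): array
{
    $errors = [];

    // Assumed names for the eight ~30-character text fields.
    $short = ['street', 'city', 'state', 'zip', 'agent', 'type', 'status', 'mls'];
    foreach ($short as $f) {
        $v = trim((string)($post[$f] ?? ''));
        if ($v === '' || strlen($v) > SHORT_MAX) {
            $errors[] = "$f must be 1-" . SHORT_MAX . " characters";
        }
    }

    // The two integer fields. ctype_digit() rejects "-1", "1.5" and "1e3";
    // an (int) cast would silently turn junk into 0 or 1.
    foreach (['bedrooms', 'bathrooms'] as $f) {
        if (!ctype_digit((string)($post[$f] ?? ''))) {
            $errors[] = "$f must be a whole number";
        }
    }

    $desc = trim((string)($post['description'] ?? ''));
    if (strlen($desc) > DESC_MAX) {
        $errors[] = 'description is at most ' . DESC_MAX . ' characters';
    }

    return $errors;
}

/**
 * Escape a string for HTML body text or a double-quoted attribute.
 * Runs at display time, every time, regardless of what was checked on input.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Render one database row as an HTML fragment. */
function render_listing(array $row): string
{
    return '<div class="listing" data-mls="' . h($row['mls']) . "\">\n"
         . '  <h2>' . h($row['street']) . ', ' . h($row['city']) . "</h2>\n"
         . '  <p>' . (int)$row['bedrooms'] . ' bd / ' . (int)$row['bathrooms'] . " ba</p>\n"
         . '  <p>' . nl2br(h($row['description'])) . "</p>\n"   // escape first, then add <br />
         . "</div>\n";
}

// --- Demo with a constructed row, as it might come back from the database.
// Suppose the description was stored by some path that never ran strip_tags().
$row = [
    'mls'         => 'A12345',
    'street'      => '12 Elm St',
    'city'        => 'Warwick',
    'bedrooms'    => '3',
    'bathrooms'   => '2',
    'description' => "Great view!\n<script>alert(1)</script> \"quiet\" street",
];

echo render_listing($row);
// The tag is emitted as &lt;script&gt;...&lt;/script&gt;, the quotes as &quot;,
// and the newline becomes <br />: the browser displays the text, it does not run it.

// A constructed bad submission: one field too long, one non-integer.
$bad = ['street' => str_repeat('x', 31), 'bedrooms' => '1.5'];
print_r(validate_listing($bad));
```

Two points worth keeping in mind. First, h() is only correct for HTML text and attribute values; a value placed inside a JavaScript string or a URL query needs json_encode() or rawurlencode() respectively, so "clean before displaying" really means "escape for the context you are displaying into". Second, the two steps are not redundant: validation on input keeps the database meaningful (a 30-character street field, whole-number bedroom counts), while escaping on output keeps the page safe even when a row did not come through your form.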
