Forum Library, Charter, Moderators: coopster & jatar k

PHP Server Side Scripting Forum

    
PHP-mySQL field validation?
Trying to let the user directly input html code into db...
gutabo




msg:1249786
 5:55 pm on Nov 29, 2002 (gmt 0)

Here I am again...
Anybody can help me? I have a mySQL db that needs to be updated from a browser anywhere (with some PHP aid)...so I need to validate a textarea input like

update ... values(foo=".$textareaname.");

I have to validate the $textareaname variable so it won't set illegal chars that would generate a mySQL command syntax error (i.e. ' )...
The user is supposed to be able to insert HTML code into the field so it will be generated in "his" page...

Help me pleaaase!

 

jatar_k




msg:1249787
 6:34 pm on Nov 29, 2002 (gmt 0)

You could try something like mysql_escape_string [php.net]

lorax




msg:1249788
 6:55 pm on Nov 29, 2002 (gmt 0)

gutabo,
You might want to also consider looking into addslashes(). It will escape most of the common characters that MySQL chokes on: single quote ', double quote ", backslash \ and NUL.

[php.net...]

aspr1n




msg:1249789
 2:30 am on Dec 2, 2002 (gmt 0)

If I remember correctly - you might also like to look at htmlspecialchars() which will encode any html as their entity counterparts.

The html code of course will not be 'executed'. If you want their html code to actually be executed, and are not concerned about how the page presentation may be affected, then addslashes() & stripslashes() is the way to go.

asp

andreasfriedrich




msg:1249790
 2:47 pm on Dec 2, 2002 (gmt 0)

There are really two problems that you need to address:

malicious SQL code
A user might insert malicious SQL code into your form. This is solved by escaping backslashes, null-bytes and single quotes with the addslashes function. If magic_quotes_gpc is on then PHP will automatically escape those characters in all data from GET and POST actions and from COOKIEs.

malicious HTML code
A user might insert malicious HTML and JavaScript code into your form which is executed when a surfer views the page with a javascript enabled browser. To solve this problem escape <>"' with their html entities. If you want your users to use some kind of markup then I would suggest using style codes like the ones used in this and many other forums. All html markup that the user enters will be escaped, only the style codes will be transformed to html markup. This way you have control over which kind of markup you allow. The other approach would be to use an HTML parser to parse the html entered by the user and check that prior to inserting it into the db. With this approach you will only find known malicious code (less restrictive, less safe, more coding), while with the latter approach you will allow only known good code (more restrictive, safer, easier to code).

Andreas
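The two problems Andreas lists, worked through as an added example (not code from the thread or from WebmasterWorld): the database write uses a PDO prepared statement instead of the addslashes()/mysql_escape_string() escaping discussed above, so quotes in the textarea never reach the SQL text; the display side escapes everything and then re-enables only an allow-list of forum-style codes. The table and column names, the SQLite in-memory DSN (requires the pdo_sqlite extension) and the sample input are assumptions.

```php
<?php
// Added example, not from the thread. Table "pages" / column "body" and
// the sqlite DSN are assumptions made for the demonstration.

// Problem 1, SQL: bind the textarea value instead of splicing it into the
// query string. A bound parameter is data, never SQL syntax, so a ' or \
// in $textareaname cannot produce a syntax error or alter the statement.
function savePage(PDO $db, int $pageId, string $textareaname): void
{
    $stmt = $db->prepare('UPDATE pages SET body = :body WHERE id = :id');
    $stmt->execute([':body' => $textareaname, ':id' => $pageId]);
}

// Problem 2, HTML: escape <>"'& to entities first, then turn only the
// allow-listed style codes ([b], [i], [url=https://...]) back into markup.
// Anything not on the list, e.g. <script>, stays inert entity text.
function renderBody(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $rules = [
        '/\[b\](.*?)\[\/b\]/s' => '<strong>$1</strong>',
        '/\[i\](.*?)\[\/i\]/s' => '<em>$1</em>',
        // only http/https targets; quotes are already entity-encoded here,
        // so the captured URL cannot break out of the href attribute
        '/\[url=(https?:\/\/[^\s\]"\'<>]+)\](.*?)\[\/url\]/s'
            => '<a href="$1" rel="nofollow">$2</a>',
    ];
    return preg_replace(array_keys($rules), array_values($rules), $safe);
}

// Constructed sample input mixing a quote, a style code and a script tag.
$input = "Hello [b]world[/b] <script>alert('x')</script> it's "
       . "[url=https://example.com]here[/url]";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)');
$db->exec("INSERT INTO pages (id, body) VALUES (1, '')");

savePage($db, 1, $input);   // the ' in "it's" is stored verbatim, no error
$stored = $db->query('SELECT body FROM pages WHERE id = 1')->fetchColumn();

// Output: Hello <strong>world</strong> &lt;script&gt;alert(&#039;x&#039;)
//         &lt;/script&gt; it&#039;s <a href="https://example.com" ...>here</a>
echo renderBody($stored), "\n";
```

Because the stored text is escaped on output rather than stripped on input, the raw HTML the user typed survives in the database, matching the original poster's wish to keep it, while the browser only ever sees the allow-listed tags.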

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved