

A little question about security in user input

I swear I'll quit after this... at least for a while =)


freshrod

7:56 pm on May 15, 2006 (gmt 0)

10+ Year Member

OK.... this is more of a method question because I've searched around about this a little and everything I see is either overly simple or overly complicated.

I have a bunch of user input (basically that's all this site is about) and I mainly want to protect myself from someone adding some bad code in there. I think I can do most of this with htmlentities() or htmlspecialchars(). I've noticed that some also recommend stripslashes() and str_ireplace().
I guess I mainly want to protect from '<', '>', '$', and ';'.

The other thing is that it would be nice if there was a way to write a function to check all the input, since I have a lot of fields. The data is getting passed from the form by way of POST before it is INSERTed into the DB.
Is there an easy, straight forward way to do this?

eelixduppy

9:33 pm on May 15, 2006 (gmt 0)

All of the predefined functions you mentioned, with the exception of stripslashes() are fine to use. Instead of stripslashes you want to addslashes, to escape quotation marks etc... As for replacing '<', '>', '$', and ';', you can do something like this:

$bad_chars = array('<', '>', '$', ';');
// str_replace returns the cleaned string; it does not modify $text_to_search in place
$text_to_search = str_replace($bad_chars, "", $text_to_search);

Good luck!

eelix

jatar_k

5:23 pm on May 17, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member

actually if you are inserting into mysql you must use mysql_real_escape_string not addslashes
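The example below is an editor's addition, not code posted in this thread, and it is meant to cover both eelixduppy's "strip the bad characters" suggestion and jatar_k's point that the escaping has to match the database. It shows the "one function that checks all the fields" that freshrod asked for, then does the INSERT with a PDO prepared statement. Two caveats worth stating: the mysql_* extension (and with it mysql_real_escape_string()) was removed in PHP 7.0, and bound parameters make the escaping step unnecessary because the driver never splices the data into the SQL text; and deleting characters such as '<', '>', '$' and ';' from user text mangles legitimate input (a semicolon in a sentence, a dollar amount) without being what actually protects the query. The table name, column names, field list and length limits are assumptions for illustration, and the sample input is constructed. An in-memory SQLite database is used so the snippet runs without a MySQL server; the MySQL DSN is shown in a comment.

```php
<?php
// Added example, not from the original thread. Names such as the 'posts'
// table, its columns and the ALLOWED_FIELDS limits are hypothetical.
declare(strict_types=1);

// Fields the form is allowed to submit, with a maximum byte length for each (assumed).
const ALLOWED_FIELDS = ['title' => 100, 'body' => 5000, 'author' => 50];

/**
 * Return only the allowed fields from $input (normally $_POST), trimmed and
 * length-checked. Unknown fields are dropped; a missing, non-string or
 * over-long field is an error. Nothing is HTML-escaped here: the database
 * should hold the text the user typed, and escaping happens on output.
 */
function collect_fields(array $input): array
{
    $clean = [];
    foreach (ALLOWED_FIELDS as $name => $maxLen) {
        if (!isset($input[$name]) || !is_string($input[$name])) {
            throw new InvalidArgumentException("missing field: $name");
        }
        $value = trim($input[$name]);
        if (strlen($value) > $maxLen) {
            throw new InvalidArgumentException("field too long: $name");
        }
        $clean[$name] = $value;
    }
    return $clean;
}

/**
 * INSERT with bound parameters. The SQL text contains only placeholders, so
 * quotes, semicolons or comment markers in the data cannot change the query.
 */
function insert_post(PDO $db, array $fields): void
{
    $stmt = $db->prepare(
        'INSERT INTO posts (title, body, author) VALUES (:title, :body, :author)'
    );
    $stmt->execute([
        ':title'  => $fields['title'],
        ':body'   => $fields['body'],
        ':author' => $fields['author'],
    ]);
}

/** Escape for HTML at the point of output, not before storage. */
function render(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// ---- usage -------------------------------------------------------------
// Constructed sample standing in for $_POST. The values deliberately contain
// the characters the thread worries about plus a quote and an SQL comment.
$sample = [
    'title'  => "Robert'); DROP TABLE posts;--",
    'body'   => '<script>alert($money)</script>',
    'author' => 'freshrod',
    'extra'  => 'not in ALLOWED_FIELDS, so dropped',
];

// In-memory SQLite so this runs anywhere. For MySQL the DSN would be e.g.
//   new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', $user, $pass)
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT, author TEXT)');

$fields = collect_fields($sample);   // throws on missing/over-long fields
insert_post($db, $fields);

// The rows come back exactly as typed; render() neutralises them for the page.
foreach ($db->query('SELECT title, body, author FROM posts') as $row) {
    echo render($row['title']), "\n";
    echo render($row['body']), "\n";
    echo render($row['author']), "\n";
}
```

The split between collect_fields(), insert_post() and render() is the point: validation (is this a field I expect, is it a sane length) happens once on the way in, SQL safety comes from the bound parameters rather than from escaping or character stripping, and htmlspecialchars() is applied when the text is written into HTML, so a value that is later shown somewhere other than an HTML page (a JSON API, an e-mail) is not double-encoded. On MySQL, set PDO::ATTR_EMULATE_PREPARES to false so the placeholders are bound server-side rather than interpolated by the PDO driver.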