Forum Moderators: coopster
How do I get my data from the $_POST array to my database in a way that is safe and secure?
This problem has been frustrating me for a week now; I've been unable to find answers that make any sense to me for something that seems like it should be a common process.
I am using PostgreSQL.
From what I have found, it seems like I want to use 'prepared statements' to prevent SQL injection, but other than the PHP manual for pg_prepare or pg_query_params I can't find anything about how to actually do this in the real world.
Except for about 5 elements, all the questions on the form are optional.
I am fairly stupid about this topic, so a great deal of hand-holding would be appreciated, because the more frustrated I get, the more useless I become at solving my problem.
For each $_POST['var'], decide if it is valid/accepted, clean it and make sure it's safe to insert into your DB (more on this in our library here [webmasterworld.com]).
I don't know the commands for PostgreSQL, but the logic behind it is the same.
Database injection and Cross Site Scripting (XSS) have little to do with the actual database interaction, but they have a lot to do with cleansing user input. mysql_real_escape_string() and other PHP database methods help, but they are not a one-off solution. A malicious user can still potentially inject bad data, say, an XSS string or the well-known "hidden content" JavaScript that is appearing in blogs, WordPress sites, etc.
My point is that it doesn't matter if your site is interacting with a database or is a plain mailer: if it accepts user input, this is what you need to filter. Throw everything away but what you absolutely expect as input, then apply filters on that for malicious patterns.
THEN pass it on to your database.
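The two replies above describe the procedure (whitelist the expected fields, validate each one, then hand the result to the database) but the original question was about what that looks like in real PHP with pg_query_params and a form where most fields are optional. The following is an added example written for this thread; it is not code from any of the posters. The table name "signups", its columns, the field list, the connection string and the sample form submission are all assumed for illustration. Optional fields that are left blank become SQL NULL, every value travels as a bound parameter rather than inside the SQL text, and nothing is HTML-escaped before storage: the example escapes on output instead, which is where the XSS defence belongs.

```php
<?php
// Added example for the thread above (not the posters' code).
// Assumed table:
//   CREATE TABLE signups (id serial PRIMARY KEY, email text NOT NULL,
//       name text NOT NULL, age int, website text, comments text);
// Requires PHP 7.4+ (arrow functions) and the pgsql extension for the insert.

// Whitelist of accepted fields: name => [required?, validator].
// A validator returns the cleaned value, or null when the input is unacceptable.
// Anything in $_POST that is not listed here is simply ignored.
$fields = [
    'email'    => [true,  fn($v) => filter_var($v, FILTER_VALIDATE_EMAIL) !== false ? $v : null],
    'name'     => [true,  fn($v) => (strlen($v) >= 1 && strlen($v) <= 100) ? $v : null],
    'age'      => [false, fn($v) => filter_var($v, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 0, 'max_range' => 150]]) !== false ? (int)$v : null],
    'website'  => [false, fn($v) => filter_var($v, FILTER_VALIDATE_URL) !== false ? $v : null],
    'comments' => [false, fn($v) => strlen($v) <= 2000 ? $v : null],
];

// Walk the whitelist (never the raw $_POST keys) and build two arrays:
// $params holds one entry per accepted field, $errors one entry per rejected field.
function validate_form(array $post, array $fields): array
{
    $params = [];
    $errors = [];
    foreach ($fields as $name => [$required, $validator]) {
        // Treat a missing field, a non-string (e.g. foo[]=1 array tricks) and
        // whitespace-only input all as "not provided".
        $raw = (isset($post[$name]) && is_string($post[$name])) ? trim($post[$name]) : '';
        if ($raw === '') {
            if ($required) {
                $errors[$name] = 'required';
            } else {
                $params[$name] = null;   // optional and blank -> SQL NULL
            }
            continue;
        }
        $clean = $validator($raw);
        if ($clean === null) {
            $errors[$name] = 'invalid';
            continue;
        }
        $params[$name] = $clean;
    }
    return [$params, $errors];
}

// The SQL text is a constant; $1..$5 are bound by the driver, so a value like
// "x'); DROP TABLE signups; --" is stored as a plain string, not executed.
// PHP null in the parameter array is sent as SQL NULL.
function insert_signup($conn, array $params): bool
{
    $sql = 'INSERT INTO signups (email, name, age, website, comments) '
         . 'VALUES ($1, $2, $3, $4, $5)';
    $result = pg_query_params($conn, $sql, [
        $params['email'],
        $params['name'],
        $params['age'],
        $params['website'],
        $params['comments'],
    ]);
    return $result !== false;
}

// Escape at output time, for the HTML context, using the stored raw value.
function h(?string $s): string
{
    return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submission standing in for $_POST: two optional fields
// blank, one hostile value, one unexpected key that the whitelist drops.
$samplePost = [
    'email'    => 'alice@example.com',
    'name'     => "Alice <script>alert(1)</script>",
    'age'      => '',
    'website'  => '',
    'comments' => "x'); DROP TABLE signups; --",
    'is_admin' => '1',
];

[$params, $errors] = validate_form($samplePost, $fields);
if ($errors) {
    foreach ($errors as $field => $why) {
        echo "field $field: $why\n";
    }
    exit(1);
}

// Connection string is assumed; the insert only runs if pgsql is available.
if (function_exists('pg_connect')) {
    $conn = pg_connect('host=localhost dbname=app user=app password=secret');
    if ($conn && insert_signup($conn, $params)) {
        echo "inserted\n";
    }
}
// Rendering the stored name back into a page: escape here, not before storage.
echo '<p>Thanks, ' . h($params['name']) . "</p>\n";
```

pg_prepare() and pg_execute() achieve the same separation of SQL text from data; the only difference is that the statement is sent to the server once and executed by name afterwards, which matters when the same insert runs many times per request. The thing to hold on to is that the form values never appear inside the SQL string, whichever of the two APIs you use.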