Sanitizing PHP theory

Forum Moderators: coopster

Message Too Old, No Replies

Sanitizing PHP theory

mysql escape string

Adam5000

1:02 pm on Oct 4, 2010 (gmt 0)

The registration form I'm creating is almost done. Next I'm adding security to defend against a MySql injection attack.

I've read some about the function mysql_real_escape_string() What does that function do?

omoutop

1:07 pm on Oct 4, 2010 (gmt 0)

according to php.net:

Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.

Also take note at the bottom notes:

If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.

More info: [php.net...]

Matthew1980

8:06 pm on Oct 4, 2010 (gmt 0)

hi there Adam5000,

Sanitising data from form submission isn't reliant just on the function that you quote, as all this does is just add slashes to quotes to make them sql safe, there are other methods available, and this is where you need to research at what you should allow/convert and/or make the exception for.

Strip_tags() is the most useful against removal of html tags, and trim() is useful for getting rid of whitespace - but as each project is different, you will need to assess and see what you need to use.

There are other functions, and for example checking validity of email, this function eleviates the use of preg_ functions (Credit to Readie for this too!):-

if(!filter_var($input, FILTER_VALIDATE_EMAIL)){
echo "Email address not valid format";
}
else{
echo "Email address valid format";
}

You get the Idea there...

Have fun finding new ways of protecting your hard work

Cheers,
MRb

Adam5000

9:52 pm on Oct 4, 2010 (gmt 0)

omoutop: That's good information and gives me food for thought.

Matthew: I understand what you're saying. Sanitizing simply involves checking the user input to make sure it only contains the characters it's supposed to contain.

Or in other words sanitizing involves checking the user input to make sure it DOESN'T contain any characters (malicious or accidental) that foul up or manipulate the database.

That's a good idea.

When creating passwords for myself, for example the password for my hosting site, I've noticed that certain characters are not allowed. And now I know why.

I've got a plan and it seems pretty simple. And after I thought about it I found myself saying "This is too easy to work." I've got most of the code but there's one part I'm not quite sure about. New post coming up.

Adam5000

10:03 pm on Oct 4, 2010 (gmt 0)

Sanitizing reminds me of a comedy scene I saw on television that I got a grin out of. I think it starred Don Knotts (Barney Fife) as a naive computer user. He accidentally entered a bad character and fouled everything up.

Adam5000

10:08 pm on Oct 4, 2010 (gmt 0)

I'll call this part "The Barney Fife" code. Smile.