[nycphp-talk] Filtering form input

Aaron Fischer agfische at email.smith.edu
Fri Jul 28 10:43:33 EDT 2006


Thanks Chris et al., that's very helpful information.

-Aaron


csnyder wrote:
>>
>>Would appreciate any advice or recommendations for how to proceed with
>>either method #1 or #2.  At this point I would be satisfied with minimal
>>improvements to security as it would be a step in the right direction
>>and I can improve my filtering techniques during the next project.
>>
>>Thanks,
>>
>>-Aaron
> 
> 
> 
> The complexity of the solution depends on what, exactly, you need to
> accomplish. Assuming you are working on a PHP+MySQL application, the
> simplest possible approach is just to use mysql_real_escape_string()
> on all values that are inserted into the database, and htmlentities()
> on all values that come out of the database for display on a web page.
> 
> This is all that "security" really demands.
> 
> You may also wish to avoid any error messages that might occur when
> your application tries to insert a string into an integer field. The
> is_numeric() function is great for this. I advise against using the
> ctype functions, as they are somewhat counterintuitive when it comes
> to checking empty values.
> 
> It's also a good idea to check the length of strings before inserting
> them into varchar fields, using the strlen() function. MySQL won't
> throw an error if you insert a string that's too long; you'll only
> find out later that the string was truncated and the data lost.
> 
> Beyond security, the smooth functioning of your application probably
> depends on using some techniques to determine that user-submitted
> values match expected input, such as strings without punctuation (for
> filenames), choices from a predetermined list of values (use
> in_array()), or strings that look like email addresses.
> 
> Email addresses are about the only thing you need complex regex for;
> John Coggeshall wrote a tutorial on this that has a good, simple test:
> http://www.zend.com/zend/spotlight/ev12apr.php
> Avoid the temptation to ask the MX server whether the address exists;
> most servers these days refuse to give any sort of definitive answer.
> 
> 
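The validation and escaping steps csnyder lists above, put together as an added example (not code from the thread). The table, column lengths and the role list are assumed for illustration; since the mysql_* extension was removed in PHP 7, the insert uses a mysqli prepared statement in place of mysql_real_escape_string(), and filter_var() stands in for the e-mail regex from the linked tutorial.

```php
<?php
// Assumed schema: users(id INT, name VARCHAR(50), role VARCHAR(10), email VARCHAR(100))
const NAME_MAX  = 50;
const EMAIL_MAX = 100;
const ROLES     = ['user', 'editor', 'admin'];   // predetermined list of choices

// Returns a list of problems with the submitted values; an empty array means OK.
function validate_user_form(array $in): array
{
    $errors = [];

    // Integer column: reject anything that is not a whole number before MySQL sees it.
    if (!isset($in['id']) || !is_numeric($in['id']) || (int)$in['id'] != $in['id']) {
        $errors[] = 'id must be an integer';
    }
    // VARCHAR column: MySQL may silently truncate, so check strlen() ourselves.
    if (!isset($in['name']) || $in['name'] === '' || strlen($in['name']) > NAME_MAX) {
        $errors[] = 'name must be 1-' . NAME_MAX . ' bytes';
    }
    // Whitelist: in_array() with strict comparison so "0" cannot match an entry.
    if (!isset($in['role']) || !in_array($in['role'], ROLES, true)) {
        $errors[] = 'role not in allowed list';
    }
    // E-mail: syntax check only; no MX lookup, as the post advises.
    if (!isset($in['email']) || strlen($in['email']) > EMAIL_MAX
        || filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email does not look like an address';
    }
    return $errors;
}

// Storage: bound parameters keep data separate from SQL; mysqli_real_escape_string()
// is the direct equivalent if you must build the query string by hand.
function insert_user(mysqli $db, array $in): bool
{
    $stmt = $db->prepare('INSERT INTO users (id, name, role, email) VALUES (?, ?, ?, ?)');
    $id = (int)$in['id']; $name = $in['name']; $role = $in['role']; $email = $in['email'];
    $stmt->bind_param('isss', $id, $name, $role, $email);
    return $stmt->execute();
}

// Display: escape once, at output time, every value that came out of the database.
function h(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Usage: $errors = validate_user_form($_POST); if (!$errors) insert_user($db, $_POST);
```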
