a little rusty on protecting input

nick · 01-10-2011, 09:17 PM

I've got some PHP code inserting things into a database....

I'm a little rusty on how to protect the data to prevent XSS and SQL injections, looking for some tips.

PHP Code:

  $userid = $_GET['userid'];

????: NamePros.com http://www.namepros.com/programming/695926-a-little-rusty-on-protecting-input.html
$strangerid = $_GET['strangerid'];

$message = clean($_GET['message']);

 
// and then clean() here:

/* functions used throughout the script */

function clean($data)

{

    global $mysqli;

    

    if (get_magic_quotes_gpc())

    {

        $data = stripslashes($data);

    }

    return strip_tags($mysqli->escape_string($data));

}

Would is_numeric() be efficient for userid/strangerid?

and

Is clean() good enough?

baxter · 01-11-2011, 07:08 AM

is_numeric just tells you if it is a number it doesn't actually sanitize the data held by that variable.

To ensure that the variable is a integer do the following:

PHP Code:

  $userid = intval($_GET['userid']);

$strangerid = (int) $_GET['strangerid'];

Either method will cast the value to an integer
????: NamePros.com http://www.namepros.com/showthread.php?t=695926

Cheers,

Jay

nick · 01-11-2011, 10:13 AM

Thank You baxter

i'll give that a go

eagle12 · 01-11-2011, 04:47 PM

Look up prepared statments, and if it is a bigger project, something like pear dataobject to abstract your data is efficient.

01-10-2011, 09:17 PM	THREAD STARTER #1 (permalink)
nick NamePros Regular Join Date: Jun 2004 Location: Iowa City Posts: 703	a little rusty on protecting input I've got some PHP code inserting things into a database.... I'm a little rusty on how to protect the data to prevent XSS and SQL injections, looking for some tips. PHP Code: $userid = $_GET['userid']; ????: NamePros.com http://www.namepros.com/programming/695926-a-little-rusty-on-protecting-input.html $strangerid = $_GET['strangerid']; $message = clean($_GET['message']); // and then clean() here: /* functions used throughout the script */ function clean($data) { global $mysqli; if (get_magic_quotes_gpc()) { $data = stripslashes($data); } return strip_tags($mysqli->escape_string($data)); } Would is_numeric() be efficient for userid/strangerid? and Is clean() good enough? __________________ formally ninedogger ------ Want to talk to a stranger? -->\| Click Here \| TalkToAStranger.com \| <-- Meet New Friends

01-11-2011, 07:08 AM	#2 (permalink)
baxter NamePros Regular Join Date: Apr 2006 Posts: 360	is_numeric just tells you if it is a number it doesn't actually sanitize the data held by that variable. To ensure that the variable is a integer do the following: PHP Code: `$userid = intval($_GET['userid']); $strangerid = (int) $_GET['strangerid'];` Either method will cast the value to an integer ????: NamePros.com http://www.namepros.com/showthread.php?t=695926 Cheers, Jay __________________ Canadian Domain Registrar Ready.ca

01-11-2011, 10:13 AM	THREAD STARTER #3 (permalink)
nick NamePros Regular Join Date: Jun 2004 Location: Iowa City Posts: 703	Thank You baxter i'll give that a go __________________ formally ninedogger ------ Want to talk to a stranger? -->\| Click Here \| TalkToAStranger.com \| <-- Meet New Friends

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
I Need Your Input	DebacleX	Programming	6	12-09-2008 07:39 PM
Database Question	Zona	Website Development	2	10-08-2008 07:48 PM
How to prevent form input from another website sending vars to mine?	thenext88	Programming	9	08-23-2008 01:27 PM
Thanks for any input on the following Domains.	nhay	Domain Appraisals	0	01-19-2007 12:33 PM
Do you guys think that to input NNN is much faster than input generic words or LLL?	owntype	"Short" Domain Discussion	2	10-13-2006 10:01 AM

01-11-2011, 04:47 PM	#4 (permalink)
eagle12 NamePros Member Join Date: Nov 2003 Location: Ontario, Canada Posts: 127	Look up prepared statments, and if it is a bigger project, something like pear dataobject to abstract your data is efficient.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)