10-30-2007, 12:16 AM
#4
The Wanderer
Join Date: Sep 2007
Location: Wales - UK
Posts: 8
Thanks: 0
This is what I use myself...
PHP Code:
// I send pretty much everything through the following when entering data into the database:
function safeAll($string) {
    $string = trim($string);                     // strip leading/trailing whitespace
    $string = mysql_real_escape_string($string); // escape for the SQL string literal (needs an open mysql connection)
    $string = htmlentities($string, ENT_QUOTES); // encode HTML special characters, including both quote types
    return $string;
}

// Coming out of the database I run appropriate data through this:
function convertHtml($string) {
    return html_entity_decode($string, ENT_QUOTES); // reverse the htmlentities() step above
}

// Clean input:   safeAll($_POST['text_to_db']);   (or $_GET['text_to_db'])
// Convert output: convertHtml($output['output_txt_from_db_query']);
If there is anything wrong with this or if there can be any additions to the functions then please let me/others know about it. :)
Also if you're expecting a number to be submitted either via POST or GET then I personally do the following:
PHP Code:
// If you did: if(!(int)$_GET['id']) then something such as 5k55 or 5.5 would get through.
// ctype_digit will ONLY accept whole numbers.
if (!ctype_digit($_GET['id'])) {
    echo "A nice error message";
} else {
    // carry on doing what it is you want to do.
}
For me securing and validating user input is what takes most of the time when scripting with PHP. It can be quite involved, but if done correctly (hope mine are ok) you should have pretty secure scripts/systems.
Last edited by Dorza : 10-30-2007 at 12:48 AM.
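An added example (not from the post above) that runs the poster's ctype_digit check and the rejected (int) cast side by side over constructed sample values of the kind $_GET['id'] could carry; the function names isWholeNumber, passesIntCast and loadRecordId are my own.

```php
<?php
// Added example, not from the original post: compares the poster's ctype_digit
// check against a bare (int) cast on constructed sample inputs.

// Poster's check: accept only a string made entirely of decimal digits.
// Request values are always strings, but the cast keeps the call well-defined.
function isWholeNumber($value): bool
{
    return ctype_digit((string)$value);
}

// The rejected alternative: a truthy (int) cast lets "5k55" and "5.5" through
// (both cast to 5), accepts a leading space, and wrongly rejects an id of 0.
function passesIntCast($value): bool
{
    return (bool)(int)$value;
}

// Constructed inputs of the kind $_GET['id'] could carry.
$samples = ['42', '0', '5k55', '5.5', '-7', '', ' 12', '007', 'abc'];

foreach ($samples as $s) {
    printf("%-6s ctype_digit=%-5s (int)cast=%s\n",
        var_export($s, true),
        isWholeNumber($s) ? 'pass' : 'fail',
        passesIntCast($s) ? 'pass' : 'fail');
}

// Typical use in a handler: validate before the value gets near a query.
function loadRecordId(array $get): ?int
{
    if (!isset($get['id']) || !isWholeNumber($get['id'])) {
        return null;           // caller prints "A nice error message"
    }
    return (int)$get['id'];    // now safe to treat as an integer key
}

var_dump(loadRecordId(['id' => '007']));  // int(7)
var_dump(loadRecordId(['id' => '5k55'])); // NULL
```

Only '42', '0' and '007' pass the ctype_digit check; the (int) cast passes '5k55', '5.5', '-7' and ' 12' while failing '0'.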