11-17-2007, 01:09 PM
#11
The Prestige
Join Date: Sep 2007
Location: Sweden, Stockholm
Posts: 1,080
Thanks: 115
Quote:
Originally Posted by Karl
Hi Jmz, as a general rule, for a secure application you should always filter input and escape output (you'll hear that tip again and again). Basically, that means that if you're expecting a string from a form, ensure the data you get really is a string. If you're outputting data to a database, make sure you escape it first using mysql_escape_string(). Following these two rules will make your application a lot more secure.
So let's say that you are expecting szUsername and szPassword from $_POST, you could filter these using the built in filter functions:
PHP Code:
$aFilterOptions = array
(
'szEmail' => FILTER_SANITIZE_EMAIL,
'szPassword' => FILTER_SANITIZE_STRING
);
$aFiltered = filter_input_array(INPUT_POST, $aFilterOptions);
Then you simply escape the values before using them in your query, such as:
PHP Code:
// sprintf() (the original post had a typo, "sprint") substitutes the escaped
// values into the %s placeholders; the string is escaped for the query context,
// which is a separate step from the input filtering above.
$szSql = sprintf(" SELECT
*
FROM
members
WHERE
username = '%s' AND
password = '%s'",
mysql_escape_string($aFiltered['szUsername']),
mysql_escape_string($aFiltered['szPassword']));
You didn't use username in the $aFilterOptions.
But anyway, does the field name have to be the same as the ones used in the array $aFilterOptions??
So if you have
PHP Code:
$aFilterOptions = array(
'email' => FILTER_SANITIZE_EMAIL // or whatever filter you want
);
You have to have it like this?
HTML Code:
<form action="ble.php" method="POST">
<input type="text" name="email">
</form>
??
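Added example, not code from either post: it answers the key-matching question by running the filter over a constructed stand-in for $_POST. filter_var_array() is used instead of filter_input_array(INPUT_POST, ...) only because the latter reads the live HTTP request and returns null on the command line; the rule is the same for both, the array keys in $aFilterOptions must equal the form field names. The hostile sample values, the findMember() function and the PDO handle it expects are assumptions made for the illustration.

```php
<?php
// Added example (not from the thread). Keys of the options array are the
// form field names, i.e. <input name="email"> and <input name="password">.
$aFilterOptions = array(
    'email'    => FILTER_SANITIZE_EMAIL,
    'password' => FILTER_SANITIZE_STRING, // deprecated since PHP 8.1, still works
);

// Constructed stand-in for $_POST; the values are deliberately hostile.
$aPost = array(
    'email'    => "bob@example.com' OR '1'='1",
    'password' => "<b>hunter2</b>",
    'extra'    => "not in the options array, so it is dropped",
);

// Same semantics as filter_input_array(INPUT_POST, $options) on a real request.
function filterPost(array $post, array $options)
{
    return filter_var_array($post, $options);
}

$aFiltered = filterPost($aPost, $aFilterOptions);
var_dump($aFiltered);
// 'email'    => "bob@example.com'OR'1'='1"  (spaces stripped, quotes survive:
//               FILTER_SANITIZE_EMAIL keeps ' and = because they are legal
//               in e-mail addresses; sanitising is NOT escaping for SQL)
// 'password' => "hunter2"                   (tags stripped)
// 'extra' is absent: only keys named in the options array come back.

// If the options key does not match the field name you get null, which is
// exactly what happened with 'szUsername' in the quoted post.
$aMismatched = filterPost($aPost, array('szEmail' => FILTER_SANITIZE_EMAIL));
var_dump($aMismatched); // array('szEmail' => NULL)

// The "escape output" half of the rule, done with a prepared statement so the
// surviving quote in the e-mail can never change the query. $db is assumed to
// be an open PDO connection to a database with a `members` table.
function findMember(PDO $db, array $filtered)
{
    $stmt = $db->prepare(
        'SELECT * FROM members WHERE username = :email AND password = :password'
    );
    $stmt->execute(array(
        ':email'    => $filtered['email'],
        ':password' => $filtered['password'],
    ));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}
```

Run it with `php example.php`. The first dump is the practical point behind the question: the filter only returns the keys you named, so a mismatch between the form and the options array silently gives you null rather than the user's value, and a value that passes the e-mail filter can still carry a single quote, so it still needs escaping (or, better, a bound parameter as in findMember()) before it goes anywhere near SQL.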