Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Best way to sanitize / filter user input?
#1
The script I'm creating, like most, involves a lot of user input. What php filters should I use to sanitize the input that will be inserted into a database.
Robert Picard
http://www.rpicard.net
Reply
#2
http://php.net/manual/en/function.mysql-...string.php
http://php.net/manual/en/function.addslashes.php

You could also create an array with unwanted queries, and, if the input contains anything in the array, echo "invalid input";

Those are the first two ideas, but, if you have an imagination, you can come up with different, and fun, ways of protecting input.
Reply
#3
Thanks for the info. I'll check them out.
Robert Picard
http://www.rpicard.net
Reply
#4
Do not use addslashes() , because it can be bypassed easily , use mysql_real_escape_string() or mysqli_real_escape_string() if you are using mysqli
Reply
#5
One of the best things you can do is to create your own function to quick sanitize input. This will allow you a greater degree of control and options plus you can upgrade and alter your sanitize function which will work across your whole site.

Look into this too:
http://us2.php.net/manual/en/ref.filter.php

That's only php 5 compatible but it looks great. Lots of options to filter input.

Pretty cool stuff: http://us2.php.net/manual/en/filter.filt...nitize.php
Superman I am here to rescue you.
This is Support Forums not Support PMs.  Do not PM me for support unless it's private and site related.
Reply
#6
Yeah was about to say that, make a function. Will try and dig one up I created.
Reply
#7
(06-06-2010, 09:41 AM)Omniscient Wrote: One of the best things you can do is to create your own function to quick sanitize input. This will allow you a greater degree of control and options plus you can upgrade and alter your sanitize function which will work across your whole site.

Look into this too:
http://us2.php.net/manual/en/ref.filter.php

That's only php 5 compatible but it looks great. Lots of options to filter input.

Pretty cool stuff: http://us2.php.net/manual/en/filter.filt...nitize.php

That's a good idea. Thanks.
Robert Picard
http://www.rpicard.net
Reply
#8
Also a very handy way of sanitizing is using the strip_tags() function from PHP. This will strip all tags and an optional parameter to include tags not to be stripped.

http://www.php.net/strip_tags

This is very useful if you do not want any <script> etc. tags in your user input.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  PHP email input form - having trouble getting the form to work... abayindi 4 2,733 03-19-2012, 10:02 AM
Last Post: RainbowDashFTW
  PHP Form to Email (And the form input as VCF Attachment)? VypeR 1 3,871 10-27-2010, 06:01 AM
Last Post: VypeR
  User Management Script - User Cake Support 9 5,623 05-13-2010, 03:21 PM
Last Post: Julie

Forum Jump:


Users browsing this thread: 1 Guest(s)