On 03/09/2003 04:18 PM, Chris Cook wrote:
> When using forms, when do I have to worry about cleaning up user data? I know to use escapeshellarg() when using system functions, but how about when using the user data for database inserts? Also, if I do not insert the data into the database or use any system commands, do I still need to clean the data?
Of course you have to assure that data used in SQL queries is formatted properly or else your applications may be vulnerable to hacker exploits often known as SQL injections.
If you need to validate form data to assure it is formatted properly, you may want to try this forms generation and validation class that does most of the work for you:
http://www.phpclasses.org/formsgeneration
Data to be inserted in text fields also needs to be properly quoted and escaped to prevent SQL injection of commands that make your database execute arbitrary actions that may compromise your server security.
Database text data quoting depends on the database you use. If you use a database abstraction layer package like this, you may call a function to do the appropriate quoting independently of the type of database you use:
http://www.phpclasses.org/metabase
--
Regards, Manuel Lemos
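As an added example (not code from this thread, nor from either package linked above), the INSERT the question asks about, written the unsafe way and two safe ways in PHP. PDO with an in-memory SQLite database stands in for the abstraction layer: its placeholders and quote() method work the same across drivers, so the quoting rules of the database in use are applied for you. The form input and table are constructed for the demonstration.

```php
<?php
// Added example, not from the original thread. Runs offline against an
// in-memory SQLite database; swap the DSN for your real database and the
// safe variants stay unchanged, which is the point of an abstraction layer.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');

// Constructed sample form input. The apostrophe is ordinary user data (a real
// surname), yet it is enough to break a query built by string concatenation.
$form = ['name' => "O'Brien", 'email' => 'obrien@example.com'];

// Step 1: check the format before the data goes anywhere (the validation
// step Manuel refers to). Rejecting bad input early is separate from quoting.
function validateUser(array $form): array
{
    $name  = trim((string) ($form['name'] ?? ''));
    $email = filter_var($form['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('name must be 1-100 bytes');
    }
    if ($email === false) {
        throw new InvalidArgumentException('email is not well formed');
    }
    return ['name' => $name, 'email' => $email];
}

// UNSAFE: the text is pasted straight into the SQL, so any quote in it ends
// the literal early and the remainder is parsed as SQL rather than as data.
function insertUnsafe(PDO $pdo, array $u): void
{
    $sql = "INSERT INTO users (name, email) VALUES ('{$u['name']}', '{$u['email']}')";
    $pdo->exec($sql);
}

// SAFE (preferred): a prepared statement sends the values separately from the
// SQL text, so the database never parses user data as part of the query.
function insertPrepared(PDO $pdo, array $u): void
{
    $stmt = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $u['name'], ':email' => $u['email']]);
}

// SAFE (when you must build the string yourself): let the driver quote and
// escape the text using the rules of the database actually in use.
function insertQuoted(PDO $pdo, array $u): void
{
    $sql = sprintf(
        'INSERT INTO users (name, email) VALUES (%s, %s)',
        $pdo->quote($u['name']),
        $pdo->quote($u['email'])
    );
    $pdo->exec($sql);
}

$user = validateUser($form);

try {
    insertUnsafe($pdo, $user);
} catch (PDOException $e) {
    // With this input the unescaped apostrophe produces a syntax error; with
    // other input the altered query would instead run as whatever it now says.
    echo 'unsafe insert failed: ', $e->getMessage(), PHP_EOL;
}

insertPrepared($pdo, $user);
insertQuoted($pdo, $user);

// Both safe variants stored the apostrophe as plain data: the name is
// retrievable with a correctly quoted literal ('' is SQL's escaped quote).
$count = $pdo->query("SELECT COUNT(*) FROM users WHERE name = 'O''Brien'")->fetchColumn();
echo "rows with name O'Brien: {$count}", PHP_EOL;
```

Run it with `php example.php`: the unsafe insert fails on the apostrophe and is caught, the two safe inserts succeed, and the final count shows both rows holding the literal name. The prepared-statement form is the one to reach for first; quote() is the fallback for the rare query that cannot take placeholders, and it answers the question of database-specific quoting because the driver, not your code, decides how the text is escaped.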
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php