> Hi all,
> I have some forms on which the user must enter some data. This data is sometimes inserted/updated in the database, and sometimes used to query it with a SELECT.
> The scripts that do that do not accept HTML code to be entered. I think that solves some issues for us.
> My way of doing it is:
> Have magic_quotes_gpc = ON (the data is automatically slashed when received by the script). If magic_quotes_gpc is off on the server, I manually apply addslashes() to the entered data.
> Also, I pass the entered data through strip_tags() and htmlspecialchars().
> The code is something like this:
>
> $uservar = $_POST['uservar'];
> $uservar = htmlspecialchars(strip_tags($uservar));

You don't need to use strip_tags() _and_ htmlspecialchars()... unless you want strip_tags() to get rid of such malicious and deadly content as <grin> and <wow>. Just use htmlspecialchars().

> $securevar = (magic_quotes_gpc) ? $uservar : addslashes($uservar);

$securevar = (get_magic_quotes_gpc()) ? $uservar : addslashes($uservar);

> When the expected value is an INT, I just apply intval():
>
> $securevar = $intval($uservar);

$securevar = intval($uservar);

> Well, I'd like to know if this can be considered secure enough to pass $securevar to the database, or whether I should consider something more to be checked before.

It'll be safe to put into a database at this point, with the changes above.
--
John Holmes
php|architect - The magazine for PHP professionals - http://www.phparch.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
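The following is an added example, not code from the thread or from either poster. It shows the same two jobs the original post describes (storing user input in a database and showing it back in a page) handled per context: SQL values travel as bound PDO parameters instead of being slashed on input, integer input is validated with filter_var() instead of silently coerced with intval(), and htmlspecialchars() runs once, at output time. The form input and the SQLite table are constructed for the example; magic_quotes_gpc and get_magic_quotes_gpc() no longer exist in current PHP (removed in 5.4 and 8.0 respectively), so the example does not depend on them.

```php
<?php
// Added example, not code from the thread. Sample input is constructed.
// The two contexts (SQL and HTML) each get their own handling at the point
// of use, instead of one escaping pass on the way in.
declare(strict_types=1);

// Constructed form input, standing in for $_POST.
$input = [
    'uservar' => "O'Reilly <b>bold</b> \"quoted\" & more",
    'userid'  => '42abc',
];

// In-memory SQLite so this runs offline; other PDO drivers behave the same.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// The thread's approach, for contrast only: addslashes() on input, then the
// value is interpolated into the SQL string. The escaping is generic rather
// than the database's own quoting, and the stored text can end up with
// backslashes in it. Built here but never executed.
$legacy    = addslashes($input['uservar']);
$legacySql = "INSERT INTO notes (body) VALUES ('$legacy')";

// Hardened: the SQL text is fixed; the data is bound as a parameter.
function insertNote(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Integer input: validate and reject rather than coerce. intval('42abc') is 42,
// whereas filter_var() returns false so the caller can refuse the request.
function findNoteById(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, body FROM notes WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML escaping happens at output time, for this one context. ENT_QUOTES
// covers single quotes too, so the value is safe inside attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$id  = insertNote($pdo, $input['uservar']);
$row = findNoteById($pdo, (string) $id);

echo "Stored as typed : {$row['body']}\n";
echo 'Rendered        : <p title="' . h($row['body']) . '">' . h($row['body']) . "</p>\n";
var_dump(findNoteById($pdo, $input['userid'])); // NULL: '42abc' is rejected, not truncated
echo "Legacy SQL (not executed): $legacySql\n";
```

Run it with the PHP CLI (php example.php). The stored value keeps its apostrophe and angle brackets exactly as typed, because the parameter binding means nothing in the data is interpreted as SQL; the rendered line shows the same value escaped for HTML, including inside the title attribute. Escaping at output rather than on input is what lets the same stored value be reused safely in a second context later (a JSON API, a CSV export) that needs different escaping.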