[PHP] User data validation

2002-08-19 Thread Steven

After searching Google, reading the PHP manual, PHP mailing list archives,
looking for clues on SANS and Security Focus, I have yet to find an answer
to my question.

I have a section in a form for a user to enter comments and/or questions.
What should I be checking for, from a security standpoint, with my PHP
script? The information will be both inserted into a database (MySQL) and
sent via email.

I have found examples for items such as phone numbers, addresses, email,
etc., but nothing in regards to comments.

Any direction would be greatly appreciated.

Thank you,
Steven


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] User data validation

2002-08-19 Thread Rasmus Lerdorf

No checks are needed.  PHP automatically escapes single quotes for MySQL
queries assuming you have magic_quotes_gpc on, which means that if you
want to send the same thing by email using PHP's mail() function you just
have to call stripslashes() on the data.  There are no magical characters
that will let someone escape out of either scenario.

-Rasmus

On Mon, 19 Aug 2002, Steven wrote:

> After searching Google, reading the PHP manual, PHP mailing list archives,
> looking for clues on SANS and Security Focus, I have yet to find an answer
> to my question.
>
> I have a section in a form for a user to enter comments and/or questions.
> What should I be checking for, from a security standpoint, with my PHP
> script? The information will be both inserted into a database (MySQL) and
> sent via email.
>
> I have found examples for items such as phone numbers, addresses, email,
> etc., but nothing in regards to comments.
>
> Any direction would be greatly appreciated.
>
> Thank you,
> Steven


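An added example, not part of the original thread and not code from any of its participants: the two uses discussed above (a database insert and a mail() body) written for a PHP version without magic_quotes_gpc, which was removed in PHP 5.4. A bound parameter takes the place of input escaping, so no stripslashes() call is needed before mailing. The comments table, the addresses and the sample comment are assumptions, and an in-memory SQLite database (pdo_sqlite) stands in for MySQL so the script runs offline.

```php
<?php
// Added example; table, column and address names are hypothetical.
// magic_quotes_gpc no longer exists (removed in PHP 5.4), so the value is
// bound as a parameter instead of being escaped on input.

function store_comment(PDO $db, string $comment): int
{
    // The driver sends the value separately from the SQL text, so quotes
    // in the comment need no addslashes()/stripslashes() round trip.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
    return (int) $db->lastInsertId();
}

function build_mail(string $comment): array
{
    // The comment is used only as the message body. Recipient, subject and
    // extra headers are fixed strings, so a line break in the comment
    // cannot introduce a header.
    $body = str_replace(["\r\n", "\r"], "\n", $comment);
    $body = wordwrap($body, 70, "\n", true);
    return [
        'to'      => 'webmaster@example.com',
        'subject' => 'New comment from the site form',
        'body'    => str_replace("\n", "\r\n", $body),
        'headers' => 'From: forms@example.com',
    ];
}

// Constructed sample input: quotes plus a line that looks like a header.
$comment = "It's \"broken\" on O'Neil's page\r\nBcc: someone@example.com";

// In-memory SQLite stands in for the MySQL connection so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

$id = store_comment($db, $comment);
$check = $db->prepare('SELECT body FROM comments WHERE id = ?');
$check->execute([$id]);
var_dump($check->fetchColumn() === $comment); // round trip keeps every byte

$mail = build_mail($comment);
// mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
echo $mail['body'], "\r\n";
```

The same prepare()/execute() calls work unchanged with a MySQL DSN in place of the SQLite one.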




Re: [PHP] User data validation

2002-08-19 Thread Randy Johnson

I have a process where a user submits the data, the data is run through checks,
validation, etc., then stored in a session. Then the user goes to a
confirmation page where they hit submit to verify the details are correct.
When they hit submit they go to another script that pulls the session
variables.

My question is: should I run the data through validation again, or can I be
assured that the data is A-OK because it was already validated, stored in a
session and then pulled from a session?



Randy







Re: [PHP] User data validation

2002-08-19 Thread Rasmus Lerdorf

You do not need to revalidate.  The data is not coming from the user.

On Mon, 19 Aug 2002, Randy Johnson wrote:

> I have a process where a user submits the data, the data is run through checks,
> validation, etc., then stored in a session. Then the user goes to a
> confirmation page where they hit submit to verify the details are correct.
> When they hit submit they go to another script that pulls the session
> variables.
>
> My question is: should I run the data through validation again, or can I be
> assured that the data is A-OK because it was already validated, stored in a
> session and then pulled from a session?
>
> Randy



