Hello Bruce

on 09/22/2005 03:05 PM bruce said the following:
for simplicity. let's deal with a simple user input form, that's going to
place the information in a db.

if the app allows the user to enter the input (call it 'foo') and then
submits the form via a POST, where the data is then written to the db, what
kind of validation should occur? and where should the validation take place?

for my $0.02 worth, there should be validation of the 'foo' var, to
determine if the var is legitimate. there should also be validation/filtering
of the var when it's placed in the db_sql command...

my question (and it's basic), what validation should be performed on the
'foo' var, and why? i've seen htmlspecialchars/magic_quotes/etc.. in various
articles, but i can't find a definitive answer!!


Have you tried the forms validation class that you asked me and I sent you?

http://www.phpclasses.org/formsvalidation


It does what you need. Namely it uses HtmlEntities() to escape special characters in input values and so it prevents cross-site scripting (XSS) exploits.

It also performs additional checks for values passed on hidden fields that could be used to exploit your sites.

As for magic_quotes, that class also removes them automatically in case any values are passed with that enabled. Generally you should disable magic_quotes if you can because it is not a useful feature.



also, when inserting/updating a db item, what is the 'correct' process for
data? should all data that gets inserted into a db be quoted? if it should,
what's the 'standard' practice?

In general you should perform rigorous form validation to prevent accepting malicious values and then escape string values to prevent SQL injection attacks or other SQL errors.

That depends on the database you are using. I use Metabase, which is a database independent abstraction package to access SQL databases that performs the correct quoting and escaping according to the database you use.

http://www.phpclasses.org/metabase


--

Regards,
Manuel Lemos

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/

Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
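The three steps Manuel describes (undo magic_quotes, validate the value, then escape once for SQL and once for HTML) as one small runnable handler; this is an added example, not code from the thread or from the forms validation or Metabase classes. It assumes PHP with PDO and the SQLite driver, and the `items` table, the whitelist rule for 'foo' and the POSTed sample values are constructed for illustration; a PDO prepared statement stands in for Metabase's per-database quoting.

```php
<?php
// Added example: validate 'foo' from a form, store it, display it.
// Assumes PDO + SQLite; table name and whitelist rule are constructed.

// 1. Undo magic_quotes if that legacy feature (removed in PHP 8) is on,
//    so the value is escaped exactly once, by us, not twice.
function raw_input(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 2. Validate: accept only what the application expects for 'foo'
//    (here 1-40 chars of letters, digits, space, dot, dash, apostrophe).
//    Anything else is rejected rather than "cleaned".
function validate_foo(string $value): ?string {
    $value = trim($value);
    return preg_match("/\\A[A-Za-z0-9 .'\\-]{1,40}\\z/", $value) === 1 ? $value : null;
}

// 3. Store: never interpolate the value into SQL; bind it as a parameter so
//    the driver quotes it correctly for this database (what Metabase does).
function store_foo(PDO $db, string $foo): int {
    $stmt = $db->prepare('INSERT INTO items (foo) VALUES (:foo)');
    $stmt->execute([':foo' => $foo]);
    return (int) $db->lastInsertId();
}

// 4. Output: escape for HTML at display time, not before storage, so the
//    database keeps the real value and other consumers are not double-escaped.
function display_foo(string $foo): string {
    return htmlspecialchars($foo, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Demo with an in-memory SQLite database and constructed POST values.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, foo TEXT NOT NULL)');

foreach (["O'Reilly", "<script>alert(1)</script>", "widget-42"] as $posted) {
    $foo = validate_foo(raw_input($posted));
    if ($foo === null) {
        echo "rejected: " . display_foo($posted) . "\n";   // tag chars fail the whitelist
        continue;
    }
    $id = store_foo($db, $foo);                            // apostrophe is safe via binding
    echo "stored #$id: " . display_foo($foo) . "\n";       // and encoded as &#039; for HTML
}
```

The apostrophe in the first value is accepted by the whitelist, bound safely by the prepared statement and only encoded when rendered, while the second value never reaches the database because validation rejects it.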
