Could y'all repost any responses to this. Apparently, my new email address wasn't subscribed to the mailing list.
_____
From: Michele Waldman [mailto:[EMAIL PROTECTED]
Sent: Friday, November 28, 2008 2:06 PM
To: 'NYPHP Talk'
Subject: User Input Data scrubbing

I'm trying to scrub data input to insert into a database which I will later display on the website. In order to prevent SQL injections and HTML injections into the code, I figured I'd just replace non-alphanumeric characters with their HTML special character codes and remove any control characters altogether except carriage return.

The ASCII character codes only go up to 255. However, there are lots more characters in HTML. If the user creates a string which was generated using HTML using characters outside of the ASCII character codes, what do those get translated to in the string? A garbage character? Is that a concern? Or is my only concern those 255 characters in the ASCII chart?

I'm thinking the 255 characters cover it all. The characters are a finite set which were long ago predefined, unless that changes in the future, right? This means scrubbing the data is a short function.

I'm not using mysql_real_escape_string, because I replace all ' and " with their HTML character code. I'm not using htmlspecialchars, because it wasn't thorough enough. I simply wrote a function that replaces just about every character with its HTML character code. I'm doing this in PHP after the data is passed to me.

Now, in the case of AJAX, I just need to come up with a good approach for checking the data received from PHP, which may vary depending on the type of AJAX used.

Michele
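The question of what happens to characters outside the 0-255 range under the scrubbing policy described above can be answered by running the policy two ways: per byte (the "255 characters cover it all" assumption) and per Unicode code point. This is an added example, not Michele's PHP function; it reconstructs her rule (alphanumerics pass through, other printable characters and CR become numeric entities, remaining control characters are dropped) in Python, and the sample inputs are constructed.

```python
import html

CR = 13  # carriage return, the one control character the post keeps


def _scrub_policy(code: int) -> str:
    """The post's rule for a single character code (assumed reconstruction):
    alphanumerics pass through, other printable codes (and CR) become a
    numeric HTML entity, and any other control code is dropped."""
    if 48 <= code <= 57 or 65 <= code <= 90 or 97 <= code <= 122:
        return chr(code)
    if code == CR or code >= 32:
        return f"&#{code};"
    return ""


def scrub_bytes(data: bytes) -> str:
    """Apply the policy byte by byte, i.e. as if every character fit in one
    byte. A UTF-8 multibyte character is split into two or more entities."""
    return "".join(_scrub_policy(b) for b in data)


def scrub_text(text: str) -> str:
    """Apply the policy per Unicode code point after decoding UTF-8.
    Code points above 255 simply become larger numeric entities."""
    return "".join(_scrub_policy(ord(ch)) for ch in text)


def round_trip(entities: str) -> str:
    """What a browser renders for the stored entity string."""
    return html.unescape(entities)


if __name__ == "__main__":
    # Constructed sample: an accented letter, a euro sign, a tag and a NUL byte.
    sample = "caf\u00e9 \u20ac <b> x\x00y\r"
    per_byte = scrub_bytes(sample.encode("utf-8"))
    per_char = scrub_text(sample)
    print("per byte :", per_byte, "->", repr(round_trip(per_byte)))
    print("per char :", per_char, "->", repr(round_trip(per_char)))
```

The byte-wise variant turns "é" into `&#195;&#169;` (rendered as "Ã©"), while the code-point variant yields `&#233;`, so the scrubber must operate on decoded characters, not bytes; entity-encoding for HTML output is also a separate concern from SQL, where parameterized queries are the standard defense.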
_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show_participation.php
