Looking For Fashion?




PHP Security: Sanitizing Strings, Validating Values, and Interrogating Integers


Trust no-one. Not just a tag-line for The X-Files, it’s also sound advice when dealing with data supplied by users.

Whether a user is trying to do something nasty or they’ve just hit an unfortunate combination of keys, you shouldn’t assume that what you’re saving is trouble-free. Here are some tips for validating input in your PHP application.

Numbers Only

Zend Framework has a handy class called Zend_Filter_Int that will take a value and strip out any non-numeric characters. Or, you could do something like this:

$output = preg_replace("/[^0-9-.]/", "", $data);

This will allow negative numbers and decimal points.

Strip Tags, Display Tags

Don’t want any HTML? Use strip_tags. If you’d prefer to display HTML tags so a user can share a code snippet, use htmlspecialchars and the code won’t be parsed.

Escaping Strings in MySQL

Use mysql_real_escape_string to escape strings before sending them to MySQL. Or, use PDO and bind values to fields.

Use filter_input

Instead of using $_GET[‘id’], how about using filter_input instead?

$itemId = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_SPECIAL_CHARS);

You can use INPUT_POST, INPUT_COOKIE, INPUT_SERVER, or INPUT_ENV too.

What other methods do you use for sanitizing user input?

Photo by dheuer

The post PHP Security: Sanitizing Strings, Validating Values, and Interrogating Integers appeared first on ReadWrite.