PHP Security: Sanitizing Strings, Validating Values, and Interrogating Integers

By ben barden. Tags: #hack, #tips

Trust no one. That's not just a tag-line for The X-Files; it's also sound advice when dealing with data supplied by users. Whether a user is trying to do something nasty or has just hit an unfortunate combination of keys, you shouldn't assume that what you're saving is trouble-free. Here are some tips for validating input in your PHP application.

Numbers Only

Zend Framework has a handy class called Zend_Filter_Int that will take a value and strip out any non-numeric characters. Or, you could do something like this:

$output = preg_replace('/[^0-9.-]/', '', $data);

This will allow negative numbers and decimal points (the hyphen sits last in the character class so it is read as a literal rather than as a range).

Strip Tags, Display Tags

Don't want any HTML? Use strip_tags. If you'd prefer to display HTML tags so a user can share a code snippet, use htmlspecialchars and the code won't be parsed as markup.

Escaping Strings in MySQL

Use mysql_real_escape_string to escape strings before sending them to MySQL. Or, use PDO and bind values to placeholders.

Use filter_input

Instead of reading $_GET['id'] directly, how about using filter_input instead?

$itemId = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_SPECIAL_CHARS);

You can use INPUT_POST, INPUT_COOKIE, INPUT_SERVER, or INPUT_ENV too.

What other methods do you use for sanitizing user input?
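The four techniques above, worked through in one runnable script. This is an added example, not code from the original post; the function names (sanitizeNumeric, toInt, plainText, displayHtml, findItemById, requestedItemId) and the sample inputs are constructed for illustration. Two caveats it builds in: the ext/mysql functions including mysql_real_escape_string were removed in PHP 7, so the database part uses PDO with bound parameters (an in-memory SQLite database is assumed so it runs without a MySQL server; the binding pattern is the same for MySQL), and FILTER_SANITIZE_SPECIAL_CHARS only escapes characters, it does not guarantee an integer, so the id lookup validates with FILTER_VALIDATE_INT instead.

```php
<?php
// Added example, not from the original post. Runs from the CLI with
// constructed input; requires the pdo_sqlite extension (assumption).
declare(strict_types=1);

// 1. Numbers only. The post's regex keeps digits, '.' and '-'. It is a
//    sanitiser, not a validator: "12abc" becomes "12", but "1-2.3.4"
//    survives untouched and is still not a number, so validate afterwards.
function sanitizeNumeric(string $data): string
{
    // hyphen last so it cannot be read as part of a range
    return preg_replace('/[^0-9.-]/', '', $data);
}

// Sanitise, then validate: returns null when no integer remains.
function toInt(string $data): ?int
{
    $value = filter_var(sanitizeNumeric($data), FILTER_VALIDATE_INT);
    return $value === false ? null : $value;
}

// 2. Strip tags entirely ...
function plainText(string $html): string
{
    return strip_tags($html);
}

// ... or escape them so the browser displays the markup instead of parsing it.
function displayHtml(string $html): string
{
    // ENT_QUOTES also escapes single quotes; state the charset explicitly.
    return htmlspecialchars($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Bound parameters instead of escaping strings by hand. The value is sent
//    separately from the SQL text, so it can never change the query's structure.
function findItemById(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 4. filter_input with a validating filter. filter_input returns null when the
//    key is absent and false when the value fails validation; both become null
//    here so callers only ever see a positive integer or nothing.
function requestedItemId(): ?int
{
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return ($id === null || $id === false) ? null : $id;
}

// --- constructed sample run ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO items (name) VALUES ('widget'), ('gadget')");

var_dump(sanitizeNumeric('12abc'));   // string(2) "12"
var_dump(toInt('1-2.3.4'));           // NULL: passes the regex, fails validation
var_dump(toInt(' -42 '));             // int(-42)
var_dump(plainText('<b>hi</b><script>x()</script>'));   // string(5) "hix()"
echo displayHtml('<script>alert(1)</script>'), PHP_EOL;  // &lt;script&gt;alert(1)&lt;/script&gt;
var_dump(findItemById($db, 2));       // array with id => 2, name => "gadget"

// In a web request, requestedItemId() feeds findItemById(): a non-integer
// value for ?id= is rejected by the filter and never reaches the query.
```

Note that strip_tags removes the tags but keeps their text content, which is why the script body survives as plain text; if the output is going into HTML, escape it with htmlspecialchars as well.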
