All-in-all, what steps should be taken to insure a safe input.
There are many precautions, can anybody fill me in on the rest. - Trim white spaces
- Check for invalid characters
- Make string to lowercase (in some cases)
Is there anything that I missed?
6 1933
All-in-all, what steps should be taken to insure a safe input.
There are many precautions, can anybody fill me in on the rest. - Trim white spaces
- Check for invalid characters
- Make string to lowercase (in some cases)
Is there anything that I missed?
hiya
strip slashes
strip tags
and there is no way you can be 100% safe :P
Can somebody please make a function that does it all.
Atli 5,058
Recognized Expert Expert
Hi.
I usually just run the input through the htmlspecialchar s function. It converts all HTML tags into characters that the browser will display as text rather than parse into something nasty. Does nicely unless I am looking for something more specific, like SQL injection or something like that.
This, as well as everything else, is never 100% safe, but it will neutralize most attempts to harm blogs and forums. People that do that kind of stuff are usually idiots trying to impress other idiots by showing of their non-existing hacking skills. I won't loose much sleep worrying about that.
If you were to specify what kind of input you are talking about we might have some more specific answers.
- function secureData($string, $lowercase = false)
-
{
-
$string = trim($string);
-
$sting = htmlspecialchars($string);
-
-
if ($lowercase)
-
$string = strtolower($string);
-
-
$string = stripslashes($string);
-
-
return $string;
-
}
call it like: -
$sting = secureData($string, false);
- function secureData($string, $lowercase = false)
-
{
-
$string = trim($string);
-
$sting = htmlspecialchars($string);
-
-
if ($lowercase)
-
$string = strtolower($string);
-
-
$string = stripslashes($string);
-
-
return $string;
-
}
call it like: -
$sting = secureData($string, false);
If only I could spell -
function secureData($string, $lowercase = false)
-
{
-
$string = trim($string);
-
$string = htmlspecialchars($string);
-
-
if ($lowercase)
-
$string = strtolower($string);
-
-
$string = stripslashes($string);
-
-
return $string;
-
}
call it like: -
$string = secureData($string, false);
I wanted to retrieve a simple alphanumeric string through URL.
This is what I made, (and again, every case is different, and you'll never be %100 safe):
[PHP]
function clean($str){
$str=strtolower ($str);
$str=trim($str) ;
$str=htmlspecia lchars($str);
$str=preg_repla ce('/[^A-Za-z0-9 ]/', '', $str);
$str=stripslash es($str);
return $str;}[/PHP]
Calling it:
[PHP]$id = clean($_REQUEST['id']);[/PHP]
What's your opinion? Fine?
Sign in to post your reply or Sign up for a free account.
Similar topics |
by: Derek Fountain |
last post by:
I was just writing a sanitisation route for a bit of user input. The data is
an English text description of a product, and will go into a DB, then back
out to other user's browsers.
As per normal practise, I was working on the basis of leaving in all
characters that I considered safe and stripping out everything else. This
led me to think of what characters are actually safe, given that the user
will want to be able to use at least basic...
|
by: Ramius |
last post by:
I have a php page that needs to make a system() call to a perl app. I
need to send user-entered search terms as parameters to the perl app,
and then capture the output from perl, do some light processing on it,
and then embed that into the php page.
I know how to do it, but this is not a controlled environment like a
LAN or a personal PC, so I am very paranoid about the risks of making
the system() call with user-supplied input. I know...
|
by: Irmen de Jong |
last post by:
Pickle and marshal are not safe. They can do harmful
things if fed maliciously constructed data.
That is a pity, because marshal is fast.
I need a fast and safe (secure) marshaler.
Is xdrlib the only option?
I would expect that it is fast and safe because
it (the xdr spec) has been around for so long.
Or are there better options (perhaps 3rd party libraries)?
|
by: Eric Boutin |
last post by:
Hi ! I was wondering how to quickly and safely use a safe scanf( ) or gets
function... I mean.. if I do :
char a;
scanf("%s", a);
and the user input a 257 char string..
that creates a problem.. same for gets..
even if you create a char array that's 99999999999999 char long.. if the
user input something longer it will still be a bug.. and I don't want
|
by: ais523 |
last post by:
I use this function that I wrote for inputting strings. It's meant to
return a pointer to mallocated memory holding one input string, or 0 on
error. (Personally, I prefer to use 0 to NULL when returning null
pointers.) It looks pretty watertight to me, but my version of lint
complains about use of deallocated pointers, etc. Is this code
completely safe on all input, or have I missed something?
/* Header files included in the program...
| |
by: Need2CSharp |
last post by:
Hi All,
Following is a quote from an article on MSDN.
Article Title: Safe, Simple Multithreading in Windows Forms
URL:
http://msdn.microsoft.com/library/en-us/dnforms/html/winforms06112002.asp?frame=true
Language: C#
|
by: laredotornado |
last post by:
Hi,
I'm using PHP 4.4.4 on Apache 2 on Fedora Core 5. PHP was installed
using Apache's apxs and the php library was installed to
/usr/local/php. However, when I set my "error_reporting" setting to be
"E_ALL", notices are still not getting reported. The perms on my file
are 664, with owner root and group root. The php.ini file is located
at /usr/local/lib/php/php.ini. Any ideas why the setting does not seem
to be having an effect? ...
|
by: Xavoux |
last post by:
Hello all...
I can't remind which function to use for safe inputs...
gets, fgets, scanf leads to buffer overflow...
i compiled that code with gcc version 2.95.2, on windows 2000
char tmp0 = "ABCDEFGHI\0";
char buff; /* Input buffer. */
char tmp1 = "ABCDEFGHI\0";
|
by: lwhitb1 |
last post by:
Does anyone have any input on setting up my CAB application so that the
application is thread safe, and cached appropiately? I read that this
can be managed through Services, and dynamic injection. On the
contrary, I was told that this can be handled using Enterprise Library
cached application block. Last, but not least, i read you can implement
this at the class level, creating immutable classes, and caching them
accordingly. Any...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
| |
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |