Home Accessibility Courses Twitter The Mouth Facebook Resources Site Map About Us Contact
 
For 2021 - online Python 3 training - see ((here)).

Our plans were to retire in summer 2020 and see the world, but Coronavirus has lead us into a lot of lockdown programming in Python 3 and PHP 7.
We can now offer tailored online training - small groups, real tutors - works really well for groups of 4 to 14 delegates. Anywhere in the world; course language English.

Please ask about private 'maintenance' training for Python 2, Tcl, Perl, PHP, Lua, etc.
Robust PHP user inputs

If you write a script in PHP, it's one thing handing benign user inputs, and quite another "bullet proofing" your script against awkward characters (of the "less than" and "double quote" type) entered into form fields where they can lead to problems of the SQL error, echo display corruption and injection attack style.

I use the following diagram on PHP courses to remind trainees of the need to clean us EVERY user entry variable and to process EVERY string that's send out to a database or as part of the HTML response:



Remember that PHP was designed to handle web page work, so this string cleansing can be done with built in functions - there's a function to do that as we say during courses!

Just be aware ... that there are other issues as well as the ones shown in our diagram. If you're looking to write cast iron (squaddie proof) PHP, you'll need to use regular expressions to check that the inputs made of are of the format your program expects, you'll have to ensure that register globals is off or that every variable is initialised, and you'll need to check that users don't enter file names starting with "/" or "../".
(written 2006-02-03, updated 2006-06-11)

Commentatorsays ...
john moylan:Hello Graham.

Just a quick note regarding your diagram.
I thought that the preferred method of escaping prior to insertion into a database is to use database native functions.

e.g. mysql_real_escape_string or pg_escape_string
(comment added 2006-02-04 01:53:15)
Graham Ellis:Yes, I would "go with" those alternatives sometimes, John.

I always worry about using database native functions in case someone wants to change the underlying database though. My own, somewhat longwinded in a short post, pedant preference is to write my own wrapper function, keep it in a required file of helpers, and use it excluselively. This allows for future changes, sitewide, with just a single source edit.
(comment added 2006-02-04 05:12:27)
john moylan:Hello Graham.

>> I always worry about using database native functions in case someone wants to change the underlying database though.
Something you've taught me is to have a love of CPAN, this in turn has created a similar affection for PEAR.
The PEAR DB module is great for this (think Perl's DBI) and its 'quotesmart' method does just this regardless of which db you use. (or change too)

The strange thing now is when I read PHP books that have database code the code feels a little foreign as I never use the native mysql funtions anymore, in fact I never used them in anger at all in any production code.

It's been one of the most timesaving modules I've found as I can code in PEAR DB pretty much as I did in CPAN DBI

Also have a look at HTML_Quickform, I build all my forms with this now.
(comment added 2006-02-05 11:43:23)
Associated topics are indexed as below, or enter http://melksh.am/nnnn for individual articles
H110 - PHP - HTML Web Page Data Handling
  [50] Current cost in your local currency - (2004-09-16)
  [789] Hot answers in PHP - (2006-07-02)
  [896] PHP - good coding practise and sticky radio buttons - (2006-10-17)
  [1001] .pdf files - upload via PHP, store in MySQL, retrieve - (2006-12-19)
  [1053] Sorting people by name in PHP - (2007-01-26)
  [1136] Buffering output - why it is done and issues raised in Tcl, Perl, Python and PHP - (2007-04-06)
  [1169] Emailing as HTML (Web Page) - PHP example - (2007-04-30)
  [1831] Text formating for HTML, with PHP - (2008-10-11)
  [2025] Injection Attack if register_globals in on - PHP - (2009-02-04)
  [2046] Finding variations on a surname - (2009-02-17)
  [2107] How to tweet automatically from a blog - (2009-03-28)
  [2135] What features does this visitors browser support? (PHP) - (2009-04-22)
  [3036] Sending out an email containing HTML from within a PHP page - (2010-11-07)
  [3926] Filtering PHP form inputs - three ways, but which should you use? - (2012-11-18)

H107 - String Handling in PHP
  [31] Here documents - (2004-08-28)
  [54] PHP and natural sorting - (2004-09-19)
  [337] the array returned by preg_match_all - (2005-06-06)
  [422] PHP Magic Quotes - (2005-08-22)
  [463] Splitting the difference - (2005-10-13)
  [493] Running a Perl script within a PHP page - (2005-11-12)
  [558] Converting between acres and hectares - (2006-01-08)
  [560] The fencepost problem - (2006-01-10)
  [574] PHP - dividing a string up into pieces - (2006-01-23)
  [608] Don't expose your regular expressions - (2006-02-15)
  [642] How similar are two words - (2006-03-11)
  [716] Evaluating arithmetic expressions in configuration files - (2006-05-10)
  [728] Looking ahead and behind in a Regular Expression - (2006-05-22)
  [1008] Date conversion - PHP - (2006-12-26)
  [1058] PHP Regular expression to extrtact link and text - (2007-01-31)
  [1195] Regular Express Primer - (2007-05-20)
  [1336] Ignore case in Regular Expression - (2007-09-08)
  [1372] A taster PHP expression ... - (2007-09-30)
  [1533] Short and sweet and sticky - PHP form input - (2008-02-06)
  [1603] Do not SHOUT and do not whisper - (2008-04-06)
  [1613] Regular expression for 6 digits OR 25 digits - (2008-04-16)
  [1799] Regular Expressions in PHP - (2008-09-16)
  [2165] Making Regular Expressions easy to read and maintain - (2009-05-10)
  [2238] Handling nasty characters - Perl, PHP, Python, Tcl, Lua - (2009-06-14)
  [2629] Curly braces within double quoted strings in PHP - (2010-02-09)
  [3020] Handling (expanding) tabs in PHP - (2010-10-29)
  [3424] Divide 10000 by 17. Do you get 588.235294117647, 588.24 or 588? - Ruby and PHP - (2011-09-08)
  [3515] PHP - moving from ereg to preg for regular expressions - (2011-11-11)
  [3516] Regular Expression modifiers in PHP - summary table - (2011-11-12)
  [3534] Learning to program in PHP - Regular Expression and Associative Array examples - (2011-12-01)
  [3788] Getting more than a yes / no answer from a regular expression pattern match - (2012-06-30)
  [3789] More than just matching with a regular expression in PHP - (2012-06-30)
  [3790] Solution looking for a problem? Lookahead and Lookbehind - (2012-06-30)
  [4071] Setting up strings in PHP - (2013-04-27)
  [4072] Splitting the difference with PHP - (2013-04-27)


Back to
Changing @INC - where Perl loads its modules
Previous and next
or
Horse's mouth home
Forward to
Danny and Donna are getting married
Some other Articles
Finding where the disc space has gone
NOT Gone phishing
Key facts - SQL and MySQL
Danny and Donna are getting married
Robust PHP user inputs
Changing @INC - where Perl loads its modules
Job vacancy - double agent wanted
Perl Regular Expressions - finding the position and length of the match
Looking for Python staff
Loosing breath with Gerald
4759 posts, page by page
Link to page ... 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96 at 50 posts per page


This is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.

Link to Ezine home page (for reading).
Link to Blogging home page (to add comments).

You can Add a comment or ranking to this page

© WELL HOUSE CONSULTANTS LTD., 2021: 48 Spa Road • Melksham, Wiltshire • United Kingdom • SN12 7NY
PH: 01144 1225 708225 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.net/mouth/589_Robu ... nputs.html • PAGE BUILT: Sun Oct 11 16:07:41 2020 • BUILD SYSTEM: JelliaJamb