Home Accessibility Courses Twitter The Mouth Facebook Resources Site Map About Us Contact
Robust PHP user inputs

If you write a script in PHP, it's one thing handing benign user inputs, and quite another "bullet proofing" your script against awkward characters (of the "less than" and "double quote" type) entered into form fields where they can lead to problems of the SQL error, echo display corruption and injection attack style.

I use the following diagram on PHP courses to remind trainees of the need to clean us EVERY user entry variable and to process EVERY string that's send out to a database or as part of the HTML response:



Remember that PHP was designed to handle web page work, so this string cleansing can be done with built in functions - there's a function to do that as we say during courses!

Just be aware ... that there are other issues as well as the ones shown in our diagram. If you're looking to write cast iron (squaddie proof) PHP, you'll need to use regular expressions to check that the inputs made of are of the format your program expects, you'll have to ensure that register globals is off or that every variable is initialised, and you'll need to check that users don't enter file names starting with "/" or "../".
(written 2006-02-03, updated 2006-06-11)

Commentatorsays ...
john moylan:Hello Graham.

Just a quick note regarding your diagram.
I thought that the preferred method of escaping prior to insertion into a database is to use database native functions.

e.g. mysql_real_escape_string or pg_escape_string
(comment added 2006-02-04 01:53:15)
Graham Ellis:Yes, I would "go with" those alternatives sometimes, John.

I always worry about using database native functions in case someone wants to change the underlying database though. My own, somewhat longwinded in a short post, pedant preference is to write my own wrapper function, keep it in a required file of helpers, and use it excluselively. This allows for future changes, sitewide, with just a single source edit.
(comment added 2006-02-04 05:12:27)
john moylan:Hello Graham.

>> I always worry about using database native functions in case someone wants to change the underlying database though.
Something you've taught me is to have a love of CPAN, this in turn has created a similar affection for PEAR.
The PEAR DB module is great for this (think Perl's DBI) and its 'quotesmart' method does just this regardless of which db you use. (or change too)

The strange thing now is when I read PHP books that have database code the code feels a little foreign as I never use the native mysql funtions anymore, in fact I never used them in anger at all in any production code.

It's been one of the most timesaving modules I've found as I can code in PEAR DB pretty much as I did in CPAN DBI

Also have a look at HTML_Quickform, I build all my forms with this now.
(comment added 2006-02-05 11:43:23)
Associated topics are indexed as below, or enter http://melksh.am/nnnn for individual articles
H107 - String Handling in PHP
  [4072] Splitting the difference with PHP - (2013-04-27)
  [4071] Setting up strings in PHP - (2013-04-27)
  [3790] Solution looking for a problem? Lookahead and Lookbehind - (2012-06-30)
  [3789] More than just matching with a regular expression in PHP - (2012-06-30)
  [3788] Getting more than a yes / no answer from a regular expression pattern match - (2012-06-30)
  [3534] Learning to program in PHP - Regular Expression and Associative Array examples - (2011-12-01)
  [3516] Regular Expression modifiers in PHP - summary table - (2011-11-12)
  [3515] PHP - moving from ereg to preg for regular expressions - (2011-11-11)
  [3424] Divide 10000 by 17. Do you get 588.235294117647, 588.24 or 588? - Ruby and PHP - (2011-09-08)
  [3020] Handling (expanding) tabs in PHP - (2010-10-29)
  [2629] Curly braces within double quoted strings in PHP - (2010-02-09)
  [2238] Handling nasty characters - Perl, PHP, Python, Tcl, Lua - (2009-06-14)
  [2165] Making Regular Expressions easy to read and maintain - (2009-05-10)
  [2046] Finding variations on a surname - (2009-02-17)
  [1799] Regular Expressions in PHP - (2008-09-16)
  [1613] Regular expression for 6 digits OR 25 digits - (2008-04-16)
  [1603] Do not SHOUT and do not whisper - (2008-04-06)
  [1533] Short and sweet and sticky - PHP form input - (2008-02-06)
  [1372] A taster PHP expression ... - (2007-09-30)
  [1336] Ignore case in Regular Expression - (2007-09-08)
  [1195] Regular Express Primer - (2007-05-20)
  [1058] PHP Regular expression to extrtact link and text - (2007-01-31)
  [1008] Date conversion - PHP - (2006-12-26)
  [728] Looking ahead and behind in a Regular Expression - (2006-05-22)
  [716] Evaluating arithmetic expressions in configuration files - (2006-05-10)
  [642] How similar are two words - (2006-03-11)
  [608] Don't expose your regular expressions - (2006-02-15)
  [574] PHP - dividing a string up into pieces - (2006-01-23)
  [560] The fencepost problem - (2006-01-10)
  [558] Converting between acres and hectares - (2006-01-08)
  [493] Running a Perl script within a PHP page - (2005-11-12)
  [463] Splitting the difference - (2005-10-13)
  [422] PHP Magic Quotes - (2005-08-22)
  [337] the array returned by preg_match_all - (2005-06-06)
  [54] PHP and natural sorting - (2004-09-19)
  [31] Here documents - (2004-08-28)

H110 - PHP - HTML Web Page Data Handling
  [3926] Filtering PHP form inputs - three ways, but which should you use? - (2012-11-18)
  [3036] Sending out an email containing HTML from within a PHP page - (2010-11-07)
  [2135] What features does this visitors browser support? (PHP) - (2009-04-22)
  [2107] How to tweet automatically from a blog - (2009-03-28)
  [2025] Injection Attack if register_globals in on - PHP - (2009-02-04)
  [1831] Text formating for HTML, with PHP - (2008-10-11)
  [1169] Emailing as HTML (Web Page) - PHP example - (2007-04-30)
  [1136] Buffering output - why it is done and issues raised in Tcl, Perl, Python and PHP - (2007-04-06)
  [1053] Sorting people by name in PHP - (2007-01-26)
  [1001] .pdf files - upload via PHP, store in MySQL, retrieve - (2006-12-19)
  [896] PHP - good coding practise and sticky radio buttons - (2006-10-17)
  [789] Hot answers in PHP - (2006-07-02)
  [50] Current cost in your local currency - (2004-09-16)


Back to
Changing @INC - where Perl loads its modules
Previous and next
or
Horse's mouth home
Forward to
Danny and Donna are getting married
Some other Articles
Finding where the disc space has gone
NOT Gone phishing
Key facts - SQL and MySQL
Danny and Donna are getting married
Robust PHP user inputs
Changing @INC - where Perl loads its modules
Job vacancy - double agent wanted
Perl Regular Expressions - finding the position and length of the match
Looking for Python staff
Loosing breath with Gerald
4316 posts, page by page
Link to page ... 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87 at 50 posts per page


This is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.

Link to Ezine home page (for reading).
Link to Blogging home page (to add comments).

You can Add a comment or ranking to this page

© WELL HOUSE CONSULTANTS LTD., 2014: Well House Manor • 48 Spa Road • Melksham, Wiltshire • United Kingdom • SN12 7NY
PH: 01144 1225 708225 • FAX: 01144 1225 899360 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.net/mouth/589_Robu ... nputs.html • PAGE BUILT: Thu Sep 18 15:30:25 2014 • BUILD SYSTEM: WomanWithCat