Diary Entries

14 December 2001: Security with PHP when receiving user input...
(See also PHP LV. MySQL Functions - mysql_escape_string().)

I'm creating lots of Form text boxes which submit text which is then used as part of a MySQL query. I'm training myself to escape all this text:

$txt = mysql_escape_string($txt);

(where $txt is the text received from a Form.)

Apart from preventing accidental mistakes, the reason is to prevent malicious entry. Consider, as an example, someone entering the following:

..some text. "'drop table xyz'

(I don't actually know if the above would work, but you get the point.)

I've also been using the following, which converts certain characters used in Windows to HTML entities:

function hEnt($str) {
    // characters to replace: double quote, apostrophe, ampersand (with spaces),
    // registered, copyright, and the Windows curly single quotes
    $srch = array("\"", "'", " & ", "®", "©", "‘", "’");
    // their HTML entities (the entity names were rendered to plain characters
    // when this page was extracted, so these are reconstructed as named entities)
    $repl = array("&quot;", "&rsquo;", " &amp; ", "&reg;", "&copy;", "&lsquo;", "&rsquo;");
    return str_replace($srch, $repl, $str);
}

There is a htmlentities() and a htmlspecialchars() function (you'll find them and str_replace under the String functions in the manual), but these also convert < and > to &lt; and &gt;, which prevents the use of italics etc., so I rolled my own.

The reason for the above, BTW, is because Internet Explorer translates entities within default strings for text and textArea boxes into the characters, and then sends those characters (and not the original entity-text) when the form is submitted. A real pain.
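The following is an added example, not code from the diary, putting the two ideas above side by side on one constructed form value: what an unescaped quote does to a query string versus the escaped form, and what the hEnt() approach does to the text when it is written back into a page. escape_for_mysql() is an assumed stand-in that escapes the same characters mysql_escape_string() does, so the script runs without a MySQL server; the last part goes one step beyond the diary and shows a parameterised query via PDO (SQLite in memory here, the same calls work for MySQL), where the driver keeps data and SQL apart without any escaping on the caller's side.

```php
<?php
// Added example (not from the diary): one form field handled safely, both when
// it goes into a MySQL query and when it is echoed back into a page.

// Assumed stand-in for mysql_escape_string(): escapes backslash, both quotes,
// NUL, newline, carriage return and Ctrl-Z, as that function does for a string
// literal. Like the original it ignores the connection character set, which is
// why mysql_real_escape_string() (or a parameterised query) is the better choice.
function escape_for_mysql($s) {
    return strtr($s, array(
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ));
}

// The diary's hEnt() idea: encode only the troublesome characters and leave
// < and > alone so simple markup in the text keeps working. The trade-off is
// that any tag the user typed also passes through untouched.
function hEnt($str) {
    $srch = array("\"",     "'",       " & ",     "®",     "©",      "‘",       "’");
    $repl = array("&quot;", "&rsquo;", " &amp; ", "&reg;", "&copy;", "&lsquo;", "&rsquo;");
    return str_replace($srch, $repl, $str);
}

// Constructed form input: a closing quote followed by a second statement.
$txt = "some text' ; DROP TABLE xyz; -- ";

// Unescaped: the quote ends the literal and the rest of the input becomes SQL.
$unsafe = "SELECT * FROM notes WHERE body = '" . $txt . "'";
// Escaped: the quote becomes \' and the whole input stays inside the literal.
$safe   = "SELECT * FROM notes WHERE body = '" . escape_for_mysql($txt) . "'";

echo "unsafe query: $unsafe\n";
echo "safe query:   $safe\n";

// Output side: hEnt() keeps the <i> tags, htmlspecialchars() neutralises them.
$body = "Tom's <i>notes</i> & ©";
echo "hEnt:             " . hEnt($body) . "\n";
echo "htmlspecialchars: " . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . "\n";

// Parameterised query: the value is bound separately from the SQL text, so
// the quote and the DROP TABLE never reach the parser as SQL.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE notes (body TEXT)");
$db->exec("CREATE TABLE xyz (id INTEGER)");
$ins = $db->prepare("INSERT INTO notes (body) VALUES (?)");
$ins->execute(array($txt));                       // stored verbatim as data
$sel = $db->prepare("SELECT body FROM notes WHERE body = ?");
$sel->execute(array($txt));
$rows = $sel->fetchAll(PDO::FETCH_COLUMN);
echo "rows matched by bound value: " . count($rows) . "\n";   // 1
// Table xyz is still there: nothing in the input was executed.
$tables = $db->query("SELECT name FROM sqlite_master WHERE name = 'xyz'")->fetchAll();
echo "xyz still present: " . (count($tables) === 1 ? "yes" : "no") . "\n";
```

Run it from the command line with the sqlite PDO driver enabled; the two echoed queries show exactly where the unescaped quote breaks out of the literal, and the last two lines show the bound parameter being treated as plain data.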