Data Handling Musts for each tag
What methods are musts for handling PHP Data?
For example stripslashes($_POST['data']) is one, and I don't know too much bout others. I'd like other people's opinions.
There is a function that adds slashes to data entered into the database from a form to prevent an error when trying to enter data.
stripslashes() should only be needed if you have the deprecated magic_quotes_gpc "feature" enabled and you want to undo its damage. I use this method to deal with it if I'm unable to control whether it is on or off: http://www.charles-reace.com/blog/20...-magic-quotes/.
Next step should be to validate that user-supplied inputs are valid (type, size, etc.) -- the sort of thing where if it's invalid you display an error message and have them re-enter it. At this point you may want to look at the filter_var() function, along with things like strlen() and the various ctype_*() functions.
Sanitizing values for use in DB queries (e.g. mysql_real_escape_string()) is a separate issue, and normally should only be applied to the data in that specific instance, not globally such that the escaping would affect use of the data in non SQL situations.
Similarly, filtering data for output with functions such as htmlentities() should normally only be done as/when it is being output to the browser (or whatever else needs to be filtered).
So long story short: there's nothing "standard" I do for all user inputs, but rather it is based on the type of data and the situation.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
How to Ask Questions the Smart Way
(not affiliated with this site, but well worth reading)
Thanks, that gives a good view point.
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Tags for this Thread