Results 1 to 5 of 5

Thread: Best way to secure $_GET & $_POST

  1. #1
    Join Date
    May 2012

    Best way to secure $_GET & $_POST

    Me again.

    What is the most effective way to secure such data?

    I made this, it seems to work, but i dont feel its secure.

    PHP Code:
    function Secure($str){
    $arr str_split($str,1);
    $sec '';
        foreach (
    $arr as $a){
            if (
    $a >= 'a'  &&  $a <= 'z' $sec $sec $a;        
            elseif (
    $a >= 'A'  &&  $a <= 'Z' $sec $sec $a; }
    $sec; } 
    Any data i receive should only ever contain letters.

    Is this secure?
    Could it be better?


  2. #2
    Join Date
    Jul 2003
    The City of Roses
    Well... first, the function's name -- "Secure" -- is much too ambiguous. There are various kinds of security. When you use a value in HTML, you secure it with htmlspecialchars. When you use a value in SQL, you secure it with prepared statements or mysql_real_escape_string. What you're trying to do looks to me like form validation, and if part of that validation requires that a value contain only alphabetic characters, then you can use the ctype_alpha function.
    Last edited by Jeff Mott; 05-24-2012 at 11:22 PM.

  3. #3
    Join Date
    May 2012
    When it comes to security, it's rarely a good idea to "re-invent the wheel". PHP has some pretty good filtering functions. I would definitely check them out as they will be more secure than your custom functions.

  4. #4
    Join Date
    Aug 2004
    If your aim in this case is to remove all non-alpha characters:
    PHP Code:
    return preg_replace('/[^a-zA-Z]/'''$str); 
    However, in most cases it's better to simply validate that the field contains the correct type of data and if not return an error to the user, rather than assume you know what they meant to type in and silently change it without the user being given a chance to correct it (see the aforementioned ctype_alpha() in this case).
    "Well done....Consciousness to sarcasm in five seconds!" ~ Terry Pratchett, Night Watch

    How to Ask Questions the Smart Way (not affiliated with this site, but well worth reading)

    My Blog
    cwrBlog: simple, no-database PHP blogging framework

  5. #5
    Join Date
    May 2012
    Ok, you "shouldn't" do this, since you shouldn't ever change the original raw data and you "should" store the raw data in the database as well.

    That asside... i would rather use a "whitelist" instead of a "blacklist".

    If you escape the data when you need to, you can often forget! However, if you have to unescape the data instead when you need to (rarely), the errors of not doing so when you forget are usually much much less! This is why i tend to:

    1. Iterate over the $_POST, $_GET, $_REQUEST, $_COOKIE, etc super globals (remember some may be multi dimention arrays if the forms name='dsdsa[]')
    2. Run htmlentities(..., ENT_QUOTES) followed by mysql_real_escape_string(). Make sure mysql escaping is AFTER htmlentities else you will suffer from double slashes!
    3. The data can now be safely shown on site OR used in the database! No need to remember to escape anything, instead, you just need to unescape it (reverse the order) on the few occassions that you need to (such as using variables in URLs). Also, data can instantly be shown from the database without needing to escape it first (because htmlentities was already run on it) to prevent attacks such as XSS.

    Hope that helps.

    Kind regards,

    P.S. If showing the data in URL's onsite you will need to unescape it, then use rawurlencode() instead.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
HTML5 Development Center