iDeej
asked on
Best PHP security technique for when working with forms.
I am learning about PHP security, and the book PHP 5 Advanced by Larry Ullman says to look out for and replace '\n' and '\r'.
Below is how I have gone about this. Is this the best way to go? Is it needed? Is there a better way.
I ask because I have a few PHP books and none of them seem to do anything like this.
Thanks,
Daniel.
// Check that the conSubject field is 100 characters or less
// Check that the conSubject field does not contain a newline ("\n") or a carriage return ("\r")
// Double quotes matter here: '\n' in single quotes is a literal backslash followed by n, not a line break
$pos = strpos($conSubject, "\n");
$pos = ($pos === false) ? strpos($conSubject, "\r") : $pos;
// Compare against false explicitly: a match at offset 0 would otherwise be treated as "not found"
if (strlen($conSubject) > 100 || $pos !== false) {
    $errors[] = 'The subject field must be 100 characters or less and must not contain line breaks';
}
SOLUTION
ASKER
OK, so wrapping this up, Larry in his book says to take out or replace \r and \n with emails.
Could you please tell me what problems \r and \n could cause?
And instead of the lengthy code I used above could I just use mysql_real_escape_string to render \r ineffective?
ASKER
Some great information by the way. Very much appreciated!
ASKER CERTIFIED SOLUTION
ASKER
Thank you kindly. Very helpful.
* what values are useful to my script (for instance, no point allowing newlines in a "username" or "phone number" field);
* what am I going to do with the user-supplied data (dump it into an HTML page / store it in a MySQL database, etc).
If you're going to dump user-supplied data into an HTML page, you must use htmlspecialchars (and make sure to use the ENT_QUOTES flag) to avoid any embedded markup or scripting in the user-supplied data being treated as part of your page.
If you're going to store user-supplied data into a MySQL database, see the real_escape_string function:
http://php.net/manual/en/function.mysql-real-escape-string.php
which escapes quotes and backslashes so that user-supplied data cannot inject SQL statements into your database queries.
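The following is an added example, not code from the thread or from Ullman's book. It puts the two pieces of advice above together for the asker's $conSubject field: reject CR/LF (and over-long values) in a single-line field, then escape the value for the context it is going to, HTML with htmlspecialchars and ENT_QUOTES, or an SQL string literal. The reason CR/LF matters for email is that a line break inside a value placed in mail() headers ends the header it was in, so a submitter can append headers of their own. Two caveats the thread does not mention: in PHP, '\n' in single quotes is two characters (a backslash and an n) and will never match a real newline, which is why the asker's original strpos() check could not work; and the mysql_* extension was removed in PHP 7, so the example uses mysqli_real_escape_string(), which needs an open connection because the escaping depends on the connection's character set. The sample inputs are constructed, and the for_sql() function is defined but not called because there is no database in this example.

```php
<?php
// Added example (not from the original thread): validating a contact-form
// "subject" field and escaping it for two output contexts.
// Assumptions: the field name $conSubject and the 100-character limit come
// from the question; the sample inputs below are constructed for this demo.

/**
 * Reject CR/LF in single-line fields such as a subject or a name, and
 * enforce a maximum length. Note the double quotes: in PHP, '\n' (single
 * quotes) is a two-character string (backslash, n), while "\n" is an actual
 * newline. Searching for '\n' never finds a real line break.
 */
function validate_single_line(string $value, int $maxLen = 100): array
{
    $errors = [];
    if (strlen($value) > $maxLen) {
        $errors[] = "must be $maxLen characters or less";
    }
    // strpbrk() returns false only when none of the listed bytes occur.
    if (strpbrk($value, "\r\n") !== false) {
        $errors[] = 'must not contain line breaks';
    }
    return $errors;
}

/**
 * Escape for insertion into HTML. ENT_QUOTES escapes both ' and " so the
 * value is safe inside either style of attribute quoting as well as in text.
 */
function for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/**
 * Escape for an SQL string literal. This replaces the removed mysql_*
 * function the thread links to; it needs an open mysqli connection.
 * (A prepared statement with bound parameters avoids the escaping step.)
 */
function for_sql(mysqli $db, string $value): string
{
    return "'" . mysqli_real_escape_string($db, $value) . "'";
}

// Constructed inputs: clean, real CRLF, literal backslash-n, too long, markup.
$samples = [
    'Hello there',
    "Hi\r\nBcc: someone@example.com",
    'Literal \n is just two characters',
    str_repeat('x', 101),
    '<b onmouseover="alert(1)">subject</b>',
];

foreach ($samples as $conSubject) {
    $errs = validate_single_line($conSubject);
    // addcslashes() makes any real CR/LF visible as \r and \n in the output.
    printf("%-45s -> %s\n",
        addcslashes(substr($conSubject, 0, 40), "\r\n"),
        $errs ? 'REJECT: ' . implode('; ', $errs) : 'OK, html=' . for_html($conSubject));
}
```

Run it with `php filename.php`: the second sample is rejected because of the real line break, the third passes the line-break check because it only contains a backslash and an n, and the last one passes validation but comes out of for_html() with its angle brackets and quotes encoded, which is the point of escaping at output time rather than trying to strip markup at input time.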