Julian Parker asked:
php form validation with mysql

Hi all,

Is there any up to date information with regard to validating and sanitising form data in PHP? The data will be stored in a MySQL database.

I tend to use htmlentities and mysql_real_escape_string but have read various sites, some old, some new, that suggest these methods are not entirely flawless, and was wondering if there were better methods of checking user input data.

The types of data I would be looking at would require removing special characters from strings, verifying numeric input and reducing the risk of mysql injection.

I'm using php 5.3
Ray Paseur

The mantra is "Accept only known good values."  Regular expressions and the filter_var() functions are what the professionals would use.
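As an added example (not Ray's or the thread's own code) of the "accept only known good values" approach for the asker's PHP 5.3 setup: each field is validated against an allowlist with preg_match() or filter_var() and rejected on mismatch rather than having characters stripped, and the insert uses a PDO prepared statement so no escaping of values is needed. The table and column names, the DSN and the credentials are placeholders (the charset DSN parameter needs PHP 5.3.6 or later).

```php
<?php
// Added example: allowlist validation with preg_match()/filter_var(), then a PDO
// prepared statement. Table/column names, DSN and credentials are placeholders.
function validate_signup(array $input)
{
    $errors = array();
    $clean  = array();
    // Username: allowlist pattern; reject anything else instead of stripping characters
    $username = isset($input['username']) ? $input['username'] : '';
    if (preg_match('/^[A-Za-z0-9_]{3,20}$/', $username) === 1) {
        $clean['username'] = $username;
    } else {
        $errors['username'] = 'Use 3-20 letters, digits or underscores.';
    }
    // Age: must be an integer inside a known range; filter_var() returns false otherwise
    $age = filter_var(isset($input['age']) ? $input['age'] : '', FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 13, 'max_range' => 120)));
    if ($age !== false) {
        $clean['age'] = $age;
    } else {
        $errors['age'] = 'Age must be a whole number between 13 and 120.';
    }
    // E-mail: syntactic check only
    $email = filter_var(isset($input['email']) ? $input['email'] : '', FILTER_VALIDATE_EMAIL);
    if ($email !== false) {
        $clean['email'] = $email;
    } else {
        $errors['email'] = 'Enter a valid e-mail address.';
    }
    return array('clean' => $clean, 'errors' => $errors);
}

function insert_user(PDO $db, array $clean)
{
    // Bound parameters travel separately from the SQL text, so no escaping is needed
    $stmt = $db->prepare('INSERT INTO users (username, age, email) VALUES (:u, :a, :e)');
    $stmt->bindValue(':u', $clean['username'], PDO::PARAM_STR);
    $stmt->bindValue(':a', $clean['age'], PDO::PARAM_INT);
    $stmt->bindValue(':e', $clean['email'], PDO::PARAM_STR);
    return $stmt->execute();
}

$result = validate_signup($_POST);
if (!$result['errors']) {
    $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8', 'dbuser', 'dbpass',
        array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false));
    insert_user($db, $result['clean']);
}
// Escape for HTML only at output time, e.g. echo htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
```

Storing the raw validated value and encoding with htmlspecialchars() only when echoing keeps the database contents usable in non-HTML contexts; htmlentities on the way in is not what protects the SQL statement.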
Marco Gasi
I suggest to refer directly to php.net: http://php.net/manual/en/security.database.sql-injection.php

Here you find all useful information. Security in PHP is hard, but php.net is the best source to refer to for updated info about this and other questions.

Cheers
ASKER CERTIFIED SOLUTION
Ray Paseur
Julian Parker (asker)
Thx for the posts, I'd been looking at the filter options but had also found sites like this:
   http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php

Most of the articles I read today (been googling for over four hours) seem to contradict each other. On one hand there are the people who favour the built-in filter options, then there are others who say the filter options are useless and to stick with htmlentities, mysql_real_escape_string et al. This I put down to programmer preference and the possibility that the filter options may have been new features (at the time the articles were published) and not that mature when it comes to options.

I'm more familiar with the htmlentities etc. functions and have dabbled in the regex/preg_replace nightmare for sanitising some string inputs, but want to be sure I keep my knowledge as up to date as possible and learn as much as I can along the way.

I wasn't expecting a single answer to what is a quite large subject, but I was hoping to find some more up to date articles with real world example code.
Thanks for the update Ray, you must be a quicker typist than me :-)

I'll check out the links and info you posted and get back to you tomorrow. I'll leave the Q open in the hope of getting more points of view.

Cheers All.
SOLUTION
Thanks for your views on what is a particularly large subject, it certainly reaffirmed some of my original thoughts and also gave me something else to think about.