Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.
Course Of The Month
11 days, 15 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
best way to sanitize user input for PDO queries
Posted on 2014-03-07
Hi,
im curious what is the best way to sanitize user inputs when running PDO sql queries
im used to using mysqli procedural style where i just escaped all my variables and used only self created variables. any advice is greatly appreciated
im curious what is the best way to sanitize user inputs when running PDO sql queries
im used to using mysqli procedural style where i just escaped all my variables and used only self created variables. any advice is greatly appreciated
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
3-
3
2
8 Comments
You don't need to sanitize anything on insert.
Maybe someone adds some HTML etc to their input and you want to remove it then you could use regex to remove it.
preg_replace('/<[^>]*>/', '', $input)
But only if it shouldn't be there.
You could just leave everything as is and then escape anything untoward when you send it to the browser.
Maybe someone adds some HTML etc to their input and you want to remove it then you could use regex to remove it.
preg_replace('/<[^>]*>/', '', $input)
But only if it shouldn't be there.
You could just leave everything as is and then escape anything untoward when you send it to the browser.
I actually like having the ' " if the user would like to write i'll so id i do not have to user regex im liking the new technology. however as i was aware of the security vulnerabilities with mysqli im not with pdo so im trying to do some research
when i sent the variables to the prepared statement in the SQL server i dont need to clean them? and if so how would i go about it
for example could i just send $_POST['user_input']
when i sent the variables to the prepared statement in the SQL server i dont need to clean them? and if so how would i go about it
for example could i just send $_POST['user_input']
Not sure what you mean I actually like having the ' " if the user...
It doesn't remove apostrophes etc if that's what you mean, for example say someone entered this for a name input
<b>John</b>
The regex above would remove the BOLD tags (or any html tags) so you would end up inserting into the db just
John
The basic premise is
It doesn't remove apostrophes etc if that's what you mean, for example say someone entered this for a name input
<b>John</b>
The regex above would remove the BOLD tags (or any html tags) so you would end up inserting into the db just
John
The basic premise is
$stmt = $conn->prepare('insert into mytable (mycol) values (:myval)');
$stmt->execute(array( ':myval' => $_POST['user_input'] ));
All external data is by definition tainted. Start with that premise, then begin to deconstruct it into things that are appropriate for your applications.
Do you expect a number in a request variable? Check to see if it is a number. Are you looking for a person's name? See if it has a reasonable length and a reasonable character set Do you expect a ZIP code? It needs to be five integers or nine integers, but some people will write 22101-3104 so a reasonable test might be to eliminate the non-integer characters then test the length for five or nine. Do you expect a USA telephone number? Make sure the second digit it not 9. Etc. Are you looking for input from a human instead of a 'bot? Check the CAPTCHA.
There is no one formula for everything, just common sense. Dealing with quote marks like in the name O'Brien is just the very tip of the iceberg.
Do you expect a number in a request variable? Check to see if it is a number. Are you looking for a person's name? See if it has a reasonable length and a reasonable character set Do you expect a ZIP code? It needs to be five integers or nine integers, but some people will write 22101-3104 so a reasonable test might be to eliminate the non-integer characters then test the length for five or nine. Do you expect a USA telephone number? Make sure the second digit it not 9. Etc. Are you looking for input from a human instead of a 'bot? Check the CAPTCHA.
There is no one formula for everything, just common sense. Dealing with quote marks like in the name O'Brien is just the very tip of the iceberg.
I GOTCHA !!!
i dont have to do anything special other than testing the data is what i want as the statement is already send im just filling in the blanks
is this correct?
i dont have to do anything special other than testing the data is what i want as the statement is already send im just filling in the blanks
is this correct?
Sidebar note about HTML when it's not expected... PHP has a function for that.
http://php.net/manual/en/function.strip-tags.php
But what would you have the script do if it detected that someone was putting in malicious JavaScript? Would you store it or reject it? When you echo any text to the browser, you really, really want to use htmlentities() or similar. Some further good reading on this sort of thing is available here:
http://php.net/manual/en/security.php
http://php.net/manual/en/function.strip-tags.php
But what would you have the script do if it detected that someone was putting in malicious JavaScript? Would you store it or reject it? When you echo any text to the browser, you really, really want to use htmlentities() or similar. Some further good reading on this sort of thing is available here:
http://php.net/manual/en/security.php
Featured Post
We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
3 proven steps to speed up Magento powered sites. The article focus is on optimizing time to first byte (TTFB), full page caching and configuring server for optimal performance.
Originally, this post was published on Monitis Blog, you can check it
here
.
In business circles, we sometimes hear that today is the “age of the customer.” And so it is. Thanks to the enormous advances over the past few years in consumer techno…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing.
Set up your basic HTML file. Open your form tag and set the method and action attributes.:
(CODE)
Set up your first few inputs one for the name and …
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month11 days, 15 hours left to enroll
623 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.