PHP input security question

I'm running user input through the following functions before it's entered into the database, and then outputting it back into the textarea for editing:

Code:
function formatStringInput($string)
{
	// Trim whitespace
	$string = trim($string);

	// Escape characters that are special inside an SQL string literal.
	// Needs an open MySQL connection (ext/mysql API, removed in PHP 7).
	$string = mysql_real_escape_string($string);

	// Return string
	return $string;
}

function formatStringOutputOntoForm($string)
{
	// Strip slashes (undoes one level of backslash escaping)
	$string = stripslashes($string);

	// Return string
	return $string;
}

However if I enter this onto the form:

Code:
<?php echo $test; ?>

The input is accepted.

If this is output onto a webpage somewhere, then nothing is printed. However, it does appear in the source (View -> Source).

Is there any way I can stop someone trying to enter PHP code?

Or are there additional checks I need to make on the input?

Thx
jd
Use htmlentities on input or output?

So which functions (and in what order) are needed for inputting stuff into a database, displaying it for editing, and displaying it on a webpage?

Yes, I have a MySQL connection open.
OK, I'm trying to enter this string:

Hello "JonD". It's such a nice day today!

New line!

<?php echo $test; ?>

This submits fine and is entered back into the textarea as:

Hello \"JonD\". It\'s such a nice day today!<br />
<br />
New line!<br />
<br />
<?php echo $test; ?>

In the database it is stored like this:

Hello \"JonD\". It\'s such a nice day today!

New line!

<?php echo $test; ?>

This is not what I want. This edit form should not be showing any slashes, and the <br /> should not be visible.

Here are the functions:

Code:
function formatStringInput($string)
{
	// Escape characters that are special inside an SQL string literal
	// (needs an open MySQL connection)
	$string = mysql_real_escape_string($string);

	// Return string
	return $string;
}

function formatStringOutputOntoForm($string)
{
	// Encode HTML special characters (<, >, &, quotes) as entities.
	// Nothing is stripped: the tags are shown literally instead of rendered.
	$string = htmlentities($string);

	// Newlines to <br /> (this is what puts a literal <br /> into the textarea)
	$string = nl2br($string);

	// Return string
	return $string;
}

Thx
jd
OK, it seems to be working fine.

So should the database be storing '<' as '<' or '&lt;' etc.?

If the latter, then do I need to run htmlentities on input too?
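As an added example (not code from any post in this thread), the script below shows the arrangement a practitioner would use for the three things asked about here: getting text into the database, showing it back in a textarea for editing, and showing it on a page. The rule it follows is to store the raw text and escape once, for the layer being written to, at the moment of writing: the SQL driver quotes for SQL, htmlspecialchars() quotes for HTML. It swaps mysql_real_escape_string() for a PDO prepared statement; the sqlite in-memory database, the posts table, its column names and the function names are assumptions made for the example, and the input string is the one from the thread.

```php
<?php
// Added example, not code from the original thread. Assumes PDO with the
// sqlite driver; the table, columns and function names are made up here.
declare(strict_types=1);

// 1. Storage: a prepared statement quotes for SQL inside the driver, so the
//    stored value is the user's text verbatim (no backslashes, no &lt;).
function storePost(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// 2. Output into a <textarea> for editing: HTML-escape only. The textarea
//    keeps newlines by itself, so nl2br() here would inject literal <br />.
function renderForTextarea(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Output onto a page: HTML-escape first, then turn newlines into <br />.
//    The order matters: nl2br() before htmlspecialchars() would escape the
//    <br /> tags it just added and they would show up as text.
function renderForPage(string $raw): string
{
    return nl2br(htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Constructed input: the string from the thread, PHP tag included.
$input = "Hello \"JonD\". It's such a nice day today!\n\nNew line!\n\n<?php echo \$test; ?>";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT NOT NULL)');

$id = storePost($db, $input);
$stored = loadPost($db, $id);

// The database holds exactly what was typed: '<' is stored as '<'.
assert($stored === $input);

// In both outputs the PHP tag becomes &lt;?php echo $test; ?&gt; in the HTML
// source and is shown literally by the browser. It cannot run: PHP executes
// the files it parses, not strings that are echoed into a response.
echo '<textarea name="body">' . renderForTextarea($stored) . "</textarea>\n";
echo '<div class="post">' . renderForPage($stored) . "</div>\n";

// Why the first attempt in the thread needed stripslashes(): if magic_quotes_gpc
// was on, the input arrived with one layer of backslashes already, and
// mysql_real_escape_string() added a second. SQL quoting belongs in the query
// layer, once, not in a general "format input" helper.
```

Running htmlentities() on input as well as on output would store `&lt;` and then emit `&amp;lt;`, which is the double-escaping the last post is asking about; keeping the database raw is what lets the same stored text be rendered correctly into a textarea, into a page, or into something that is not HTML at all.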