sanitizing input with php

kwerk · 18 May 2013 at 15:01

What is the best way to clean form inputs with php, like for forum posts?

Is strip_tags and then mysql_real_escape_string enough? Do you trust the php functions?

UncleRuckus · 18 May 2013 at 15:37

You should use this to sanitise data.

http://php.net/manual/en/filter.filters.sanitize.php

If the data is going to a database use PDO to help prevent SQL injections.

http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/

e: Saying that I haven't touched PHP for a while; there may now be a better way of doing this.

aln · 21 May 2013 at 16:51

It's interesting that the first filter from that list, the email, rejects valid email addresses. It's stuff like that which gets PHP a bad rep.

Also using PDO doesn't help prevent SQL injections but using prepared statements, which PDO makes available to you, does. I'm behind PDO usage, for sure, but you can still use it wrong.

Write a validation class / functions, use regex, better yet, use a framework and follow the guidelines.

UncleRuckus · 21 May 2013 at 20:17

aln said:
It's interesting that the first filter from that list, the email, rejects valid email addresses. It's stuff like that which gets PHP a bad rep.

Also using PDO doesn't help prevent SQL injections but using prepared statements, which PDO makes available to you, does. I'm behind PDO usage, for sure, but you can still use it wrong.

Write a validation class / functions, use regex, better yet, use a framework and follow the guidelines.

Ah yes, I should have explicitly said use the prepared statements within PDO!

Hahah are you serious about the email filter? I felt that since learning C#, php gives people bad habits and the names of built in functions were terrible, but I didn't realise that they were buggy too!

sanitizing input with php

More options

kwerk

kwerk

Wise Guy

UncleRuckus

UncleRuckus

aln

aln

UncleRuckus

UncleRuckus