
questions about php filters and forms

Hello,
There are some questions I have about filters; I found a lesson about it on w3schools.

1- Does filter sanitize and validate replace stripslashes and mysql_real_escape_string, or should I use all of them for more security?

2- When I try to practice, I use the options min_range & max_range in VALIDATE_INT and it doesn't work; also, for sanitize, when I put a URL or email with special characters into it, it doesn't get sanitized.

Code: filter treatment

[CODE]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>titre</title>
</head>

<body>
<?php
$url = "http://www.gôooglée.com/";

// FILTER_SANITIZE_URL only strips characters a URL may not contain (the accented
// letters here); it does not check that the result is a well-formed URL.
if ($url = filter_var($url, FILTER_SANITIZE_URL))
{
echo "<p>URL IS sanitized now $url</p>";

// FILTER_VALIDATE_URL returns false when the string is not a valid URL
if ($url = filter_var($url, FILTER_VALIDATE_URL))
{
echo "<p>URL est valide $url</p>";
}
else{
echo "URL is not valid $url";
}
}

$filters = array(
'prenom'=>array
(
'filter'=>FILTER_SANITIZE_STRING,
),
'age'=>array
(
'filter'=>FILTER_VALIDATE_INT,
// the key must be 'options' (plural); an 'option' key is silently ignored,
// so min_range/max_range were never applied and age=70 passed
'options'=>array(
"min_range"=>10,
"max_range"=>60,
)
),
'mail'=>array(
'filter'=>FILTER_VALIDATE_EMAIL
)
);

if (filter_has_var(INPUT_GET, 'mail') && filter_has_var(INPUT_GET, 'age') && filter_has_var(INPUT_GET, 'prenom'))
{
// each entry is false when its filter fails
$validation = filter_input_array(INPUT_GET, $filters);

if (!$validation['prenom'])
{
echo "<p>prenom is not valid</p>";
}
elseif (!$validation['age'])
{
echo "<p>age is not valid it could be not betweene 10 – 60 or the input is not integer</p>";
}
elseif(!$validation['mail'])
{
echo "<p>email is not valid</p>";
}
else{
echo "<p>All inputs are valide</p>";
}
}
?>
</body>
</html>
[/CODE]

Code: page of link

[CODE]
<body>
<a href="test.filter.php?prenom=OR-&age=70&[email protected]">test filtr</a>
</body>
[/CODE]

3- What is the best way to handle forms? I found a lot of examples and a lot of ways; can someone give a simple secure PHP code? (I use md5, stripslashes and real_escape_string in my forms.)

Thank you.

@NogDog Jun 11, 2011 — They're really three separate issues/solutions.

stripslashes() should only be needed if your PHP configuration has the now-deprecated magic_quotes_gpc option enabled. You only need or want to apply stripslashes() in that case.

SQL escaping (such as with mysql_real_escape_string()) is only for data being used in a database query, specifically to avoid the SQL parser of the DBMS being used from treating certain special characters as having a special meaning in SQL.

The filter functions are mainly for checking/forcing data inputs to ensure they are of the correct type.

Typically, you might first run your inputs through a function to take care of magic_quotes, if they are turned on. Then you might run form inputs through various filter functions to check for invalid inputs. [i]Then[/i] any inputs that are used within a DB query should be escaped as appropriate for the DBMS being used.
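The three-step sequence NogDog describes (undo magic quotes, filter the inputs, then keep user data out of the SQL text), as an added PHP example that is not code from this thread; it assumes PDO with the sqlite driver and uses a constructed input array in place of $_GET so it runs offline:

```php
<?php
// Added example, not the poster's or NogDog's code: the three steps from the
// answer, run over a constructed input array instead of $_GET so it runs offline.
// Assumes the filter extension and PDO with the sqlite driver (for step 3).
// Step 1: undo magic_quotes_gpc only where it can be on (removed in PHP 5.4).
function undoMagicQuotes(array $input)
{
    if (PHP_VERSION_ID < 50400 && get_magic_quotes_gpc()) {
        return array_map('stripslashes', $input);
    }
    return $input;
}

// Step 2: type and range checks. The key must be 'options' (plural); the
// 'option' key in the question is silently ignored, so 70 passed as a valid age.
function validateInputs(array $input)
{
    $filters = array(
        // FILTER_SANITIZE_STRING is deprecated since PHP 8.1; on newer versions
        // keep the raw string and escape at output with htmlspecialchars() instead.
        'prenom' => array('filter' => FILTER_SANITIZE_STRING),
        'age'    => array(
            'filter'  => FILTER_VALIDATE_INT,
            'options' => array('min_range' => 10, 'max_range' => 60),
        ),
        'mail'   => array('filter' => FILTER_VALIDATE_EMAIL),
    );
    // filter_var_array() takes the same definition array as filter_input_array().
    return filter_var_array($input, $filters);
}

// Step 3: bind values as parameters instead of splicing them into the SQL text,
// so the DBMS never parses user data as SQL (this replaces manual escaping).
function storeInputs(PDO $db, array $v)
{
    $db->exec('CREATE TABLE IF NOT EXISTS people (prenom TEXT, age INTEGER, mail TEXT)');
    $stmt = $db->prepare('INSERT INTO people (prenom, age, mail) VALUES (:prenom, :age, :mail)');
    return $stmt->execute(array(':prenom' => $v['prenom'], ':age' => $v['age'], ':mail' => $v['mail']));
}
// Constructed input mirroring the question's test link: age 70 is out of range.
$v = validateInputs(undoMagicQuotes(array('prenom' => 'OR-', 'age' => '70', 'mail' => 'user@example.com')));
if ($v['age'] === false) {
    echo "age is not valid: must be an integer between 10 and 60\n"; // this branch runs
} elseif ($v['mail'] === false || $v['prenom'] === false) {
    echo "prenom or email is not valid\n";
} else {
    storeInputs(new PDO('sqlite::memory:'), $v);
    echo "stored\n";
}
```

With the constructed input the age check fails first; change age to a value between 10 and 60 to reach the parameterised INSERT.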