Posted by Curt Zirzow on 12/05/05 23:44

On Mon, Dec 05, 2005 at 02:00:13PM -0500, Michael B Allen wrote:
> I want to validate a string for storage into a database so that it cannot
> contain any content that might be interpreted as SQL, Javascript, PHP,
> etc. Is there a standard function or technique to perform this validation?

Trying to validate input so it is valid in what ever context it may
be used in is probably the wrong mindset. You should think in the
terms of ensure this string wont cause any problems in the medium
you are outputing it to. For Example.

You have a string that is being passed in from a html input field
such as:
$_GET['string'] = "O'rielly <script>...</script> <?php echo 'foo';?>"


So the question is where are you planning on putting this?
1) A DB?
you will need to escape the string so it wont cause any
problems with the output to mysql:

$string = mysql_real_escape_string($_GET['string']);

2) The browser?
you will need to escape the string so it wont cause any
problems with the output to html:

$string = htmlentities($_GET['string']);

3) For some reason want to eval() it?
you will need to escape the string so it wont cause any
problems with the output to php:

// assuming short tags, asp tags etc are disabled...
// remove <?php and ?>
$string = preg_replace('/(\<\?php|\?\>/', '', $_GET['string']);

So it comes down to the fact that the standard technique is to
ensure that the data you are sending, to what ever medium, is
properly escaped.

The same output escaping should be considered no matter the input
of the data ie: database, rss feed, flat file ...

Curt.
--
cat .signature: No such file or directory

[Back to original message]