checking queries for malicious user input...?

superwormy

Always keep hearing you should check all user input to make sure its not malicious code before you insert it into the database. Fine, thats all good.

But what exactly shoudl I be looking for? Are there some general things I shoiuld ALWAYS be doing to the data that gets inserted into the database to make sure people can't fvck with my database queries?

Elena_Mitovska

It is usually strongly recommended to check all data before isnerting into database, to avoid errors with special characters such as quotas, &,$ and etc. Such characters can make failure while running query or when outputting results from database.
I use such funtions for inserting and outputting results:

//---CharCheck(#)----

function CheckString($value){
if($value!=""){
$value=trim($value);
$value=ereg_replace("\"", "'", $value );
$value=htmlspecialchars($value);
return "'".trim(addslashes($value))."'";
}//if
else {
return 'NULL';
}
return;
}//function

//--- CheckCharOutput(#)---
function CheckCharOutput($string){

$string=ereg_replace("&QUOT;","'", $string );
return stripslashes($string);
}//function

Hope it will help 🙂

phplearner

I have a similar need but as a nOOb, am not sure if Elena's code checks for JS or other possible script hack entries into text fields.

Also, how could eliminate #,@, etc., etc. be accomplished? Except, of course, for a valid e-mail@somewhere.com address field entry.

Thanks.

Pig

striptags() will get rid of things like <script>

superwormy

Wow... this thread is almost a year old...

phplearner

Hi Pig & superwormy:

Yes...an old thread...I do try to search the Archives before posting 😃

Can you possibly show me an simple example of how to use striptags() if my text input field is, umh, 'test' ???

Also, can this be combined with Elena's code?

Thank you very much. I'm still trying to get the hang of 'functions' ... excactly how and where to use 'em :rolleyes:

tekky

Originally posted by phplearner
....Thank you very much. I'm still trying to get the hang of 'functions' ... excactly how and where to use 'em :rolleyes:

hehe

How: $var = function_name([function_arg1, function_arg2]) //args in [] because they arent required for all functions obviouslly

When to make a fuction...: simple, anytime you see yourself redundantly typing code... thats a good sign you should either a) have a function or b) use a loop 😉

[note: sometimes functions only output data and not return values... in those cases you could drop the '$var =' portion above...]

Pig

$string = "<b>text</b>";
echo( strip_tags($sting) );

produces: "text"

Just add another line to modify the var in that script.

phplearner

Hey...THANKS, folks. Very helpful info.🆒