questions about php filters and forms

channark

hello
theris some questions i have about filters that i found a lesson about it in w3cschools,

1- does filter sanitize and validate replace spliteslashes and mysql_real_escape_string or i should use all of them for more security ?

2- when i try to practice i use options min_range & max_range in VALIDATE_INT it doesn't works also for sanitize when i put a url or email and i put a special caracters into it doesn't sanitized

code filter treatment

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>titre</title>
</head>

<body>
<?php
$url = "http://www.gôooglée.com/";

if ($url=filter_var($url, FILTER_SANITIZE_URL))
{
	echo "<p>URL IS sanitized now $url</p>";

if ($url = filter_var($url, FILTER_VALIDATE_URL))
{
	echo "<p>URL est valide $url</p>";	
}
else{
	echo "URL is not valid $url";
}
}


$filters = array(
			'prenom'=>array
			(
			'filter'=>FILTER_SANITIZE_STRING,
			),
			'age'=>array
			(
			'filter'=>FILTER_VALIDATE_INT,
			'option'=>array(
				"min_range"=>10,
				"max_range"=>60,
				)
			),
			'mail'=>array(
			'filter'=>FILTER_VALIDATE_EMAIL
			)
);

if (filter_has_var(INPUT_GET, 'mail') && filter_has_var(INPUT_GET, 'age') && filter_has_var(INPUT_GET, 'prenom'))
{
	$validation = filter_input_array(INPUT_GET, $filters);

if (!$validation['prenom'])
{
	echo "<p>prenom is not valid</p>";
}
elseif (!$validation['age'])
{
	echo"<p>age is not valid it could be not betweene 10 - 60 or the input is not integer</p>";
}
elseif(!$validation['mail'])
{
	echo "<p>email is not valid</p>";
}
else{
	echo "<p>All inputs are valide</p>";
}
}
?>
</body>
</html>

code page of link

<body>
<a href="test.filter.php?prenom=OR-&age=70&mail=golg@nice.com">test filtr</a>
</body>

3- what is the best way used in forms because i found lot of examples and lot of ways, can some one give a simple php secure code (i use md5, splitslashes, real_escape_strings in my forms)

thank you

bradgrafelman

channark wrote:
1- does filter sanitize and validate replace spliteslashes and mysql_real_escape_string or i should use all of them for more security ?

There is no built-in PHP function called 'spliteslashes' so I have no idea what that function might do.

As for replacing mysql_real_escape_string(), that would highly depend upon how you're using the filter extension with your strings. The answer is most likely no, there is no one-size-fits-all replacement for properly sanitizing data.

channark wrote:
when i try to practice i use options min_range & max_range in VALIDATE_INT it doesn't works

That's because you used 'option' as the array index when it should instead be 'options'.

channark wrote:
for sanitize when i put a url or email and i put a special caracters into it doesn't sanitized

Works fine for me:

echo "http://www.gôooglée.com/ => " . filter_var("http://www.gôooglée.com/", FILTER_SANITIZE_URL);
// output: http://www.gôooglée.com/ => http://www.google.com/

echo "brad@gôooglée.com => " . filter_var("brad@gôooglée.com", FILTER_SANITIZE_EMAIL);
// output: brad@gôooglée.com => brad@google.com

channark wrote:
3- what is the best way used in forms because i found lot of examples and lot of ways, can some one give a simple php secure code

I don't know that there is a single "best" way for every form out there. You have to know what type of data you're expecting and how to validate/sanitize it. If there was an easy, one-size-fits-all solution then things like SQL injection attacks wouldn't exist.

channark wrote:
i use md5...

...which is quite broken by now (heck, even SHA-1 ain't as strong as it used to be either). Hopefully you use a salt as well? Perhaps even one that is unique for each user?

channark wrote:
...splitslashes...

Perhaps this is a variation on the function you referred to in the beginning of your post? Still, "splitslashes" isn't a built-in PHP function so that doesn't really tell us anything.

channark wrote:
...real_escape_strings

Again, no such function. Perhaps you meant mysql_real_escape_string()? If so, note that it's only useful for sanitizing strings (hence the '_string' in the very name of the function) and not for numeric data.

NogDog

http://www.webdeveloper.com/forum/showthread.php?t=247495#2