hello guys,

I'm wondering if the combination of trim(), strip_tags() and addslashes() is enough to filter values of variables from $_GET and $_POST.

+1  A: 

Short answer: no.

Long answer: it depends.

Basically you can't say that a certain amount of filtering is or isn't sufficient without considering what you want to do with it. For example, the above will allow through "javascript:dostuff();", which might be OK or it might not if you happen to use one of those GET or POST values in the href attribute of a link.

Likewise you might have a rich text area where users can edit so stripping tags out of that doesn't exactly make sense.

I guess what I'm trying to say is that there is no simple set of steps to sanitizing your data such that you can cross it off and say "done". You always have to consider what that data is doing.

cletus
+1  A: 

It highly depends on where you are going to use it.

  • If you are going to display things as HTML, make absolutely sure you are properly specifying the encoding (e.g.: UTF-8). As long as you strip all tags, you should be fine.
  • For use in SQL queries, addslashes is not enough! If you use the mysqli library for example, you want to look at mysql::real_escape_string. For other DB libraries, use the designated escape function!
  • If you are going to use the string in javascript, addslashes will not be enough.
  • If you are paranoid about browser bugs, check out the OWASP Reform library.
  • If you use the data in another context than HTML, other escaping techniques apply.
Evert
+1  A: 

That depends what kind of validation you are wanting to perform.

Here are some basic examples:

  • If the data is going to be used in MySQL queries make sure to use mysql_real_escape_query() on the data instead of addslashes().
  • If it contains file paths be sure to remove the "../" parts and block access to sensitive filenames.
  • If you are going to display the data on a web page, make sure to use htmlspecialchars() on it.

But the most important validation is only accepting the values you are expecting, in other words: only allow numeric values when you are expecting numbers, etc.

EarthMind
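The three answers make the same point from different angles: validate against what you expect, then escape for the sink the value is going into, rather than relying on one generic filter. The following PHP is an added example, not code from any of the answers above; the input values are constructed, and the SQL part assumes the pdo_sqlite extension is available.

```php
<?php
// Constructed samples standing in for raw $_GET / $_POST values.
$input = [
    'id'   => '42abc',                       // expected to be an integer
    'name' => "O'Reilly <b>& co</b>",        // shown in an HTML page
    'url'  => 'javascript:dostuff();',       // placed in an href attribute
];

// 1. Validate by expected type first: reject, don't "clean" (EarthMind's point).
function expectInt(string $raw): ?int {
    $v = filter_var($raw, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// 2. HTML body: encode instead of stripping, with an explicit charset (Evert's point).
function forHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. href attribute: strip_tags()/addslashes() pass "javascript:" through untouched
//    (cletus's example), so allow-list the scheme, then encode for the attribute.
function forHref(string $s): ?string {
    $parts = parse_url($s);
    if ($parts === false || !isset($parts['scheme'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return forHtml($s);
}

// 4. JavaScript context: addslashes() is not a JS encoder; json_encode with the
//    HEX flags produces a literal that is safe inside a <script> block.
function forJs(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// 5. SQL context: no string escaping at all; bind the (already validated) value.
function findUser(PDO $db, int $id): ?array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');            // assumption: pdo_sqlite is loaded
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice')");

var_dump(expectInt($input['id']), forHtml($input['name']), forHref($input['url']));
var_dump(forJs($input['name']), findUser($db, 1));
```

The same raw value ends up encoded four different ways depending on its destination, which is why a single trim/strip_tags/addslashes pass cannot be declared "done".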