ansaurus

Question

Safety precautions while doing html form processing using javascript, PHP, MySQL

Answer 1

+1 A:

To prevent SQL injection, you should use the language's escape function. For PHP, that's mysql_real_escape_string. Or, better yet, use PDO to restrict what users can put into the DB.

The HTML injection/XSS attack is different; you can store raw HTML in the database without issue, but before displaying any HTML originating with the user, call htmlspecialcharacters on it to prevent it from being interpreted by the client's web browser.

Do not code your own custom checks. You will miss something.

Borealid 2010-08-13 16:41:24

and there would be gain in performance if htmlspecialcharacters will be used once before inputing data into the database, rather than using it while output :)

Idlecool 2010-08-13 16:56:23

@idlecool but its not good design. You should not temper with data before you actually use actually it in a view.

Iznogood 2010-08-13 17:04:34

@Idlecool: Yes, but you don't know the context in which the data will be used. What if you wanted to parse the HTML users sent and use it somewhere without displaying it? Then you'd have to un-specialchars it.

Borealid 2010-08-13 17:04:37

oh! yes! i get it... so i have to use mysql_real_escape_string before inputing data while using htmlspecialcharacters after it. while i am reading about PDO too. :)

Idlecool 2010-08-13 17:11:04

Answer 2

A:

As for usename, this should do the job:

if (preg_match('/^[a-z\d_\-<>]{5,20}$/i', $username)) {
    echo "Your username is ok."; 
    // Note that you still have to do something with <>
    // Though, personally I'd advise sticking to /^[a-z\d_]{5,20}$/i
} else {
    echo "Wrong username format.";
}

Source

As for SQL injection, use mysql_real_escape_string or mysqli_real_escape_string on everything you enter into the DB

Robus 2010-08-13 16:43:54

ansaurus

tags:

views:

answers:

Safety precautions while doing html form processing using javascript, PHP, MySQL

related questions