
I have three books which, being on PHP or PHP & MySQL, one might reasonably expect to contain some coverage of Data Sanitization, but I haven't had any luck. Is there a reliable resource online that covers the basics of cleaning your data up, both before putting it into a DB and before displaying it after pulling it from the DB?

aslum

3 Answers


Well, Stack Overflow is such a resource. Your question gets asked twice a day.

I wrote a pretty decent answer on this topic earlier: In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?

Long story short: for dynamic MySQL query creation you have four different escaping cases:

  • string data
  • int data
  • identifiers
  • operators

and the notorious PDO covers only two of them.

For HTML, htmlspecialchars with ENT_QUOTES is quite enough.
However, there are a dozen other cases, like filename sanitization, mail injection and such.

Your Common Sense

Chris Shiflett wrote a book on it called Essential PHP Security.

Rijk

Use PDO with binding, or a suitable escape-string function for MySQL, on input data.

Use htmlspecialchars with ENT_QUOTES and the correct charset on data you display as output.

fire