0

Possible Duplicate:
Best way to defend against mysql injection and cross site scripting
Validating user input?

I know that for mysql I can use > mysql_real_escape_string but what can I use for php server side to maximally secure it from hacking ? Is there any ultimate way to do it ? If not please write all possible ways to minimize threat of hacking the site.

Community
  • 1
  • 1
David
  • 4,332
  • 13
  • 54
  • 93
  • google it and search similar questions here – xkeshav Oct 07 '11 at 12:57
  • `Security issues` which issues: A: SQL-injection, B: XSS C: something other called........... – Johan Oct 07 '11 at 12:59
  • there are many different ways, and I want to gether them together in one function or class maybe. That's why I'm asking – David Oct 07 '11 at 12:59
  • The variables $_GET and $_POST are not unsafe in any way; the real threat comes from the way you use them. For each method (sql, eval, echo) there is a separate way. So general rules are: sanitize your inputs before you use them and do not trust anyone. – Lyth Oct 07 '11 at 13:00
  • I am impressed that this question now has four votes to close, each with a different reason. – JJJ Oct 07 '11 at 13:03

1 Answers1

4

Best way? Sanitize it when you need it

Often times I see things like

Bad code 

foreach ($_GET as $k => $v){
  $_GET[$k] = MyUberSanitizeFunction($v);
}

But that works very few times, and is very much type specific (i.e. in one instance an ID may only want to be numbers, but not every value should be stripped of non-numerics).

Worry about cleansing the information when you need it. If you're going to use it multiple times, cleanse it in to a stored variable, then work with it. But don't worry about "mass sanitizing" on every query request.

Johan
  • 74,508
  • 24
  • 191
  • 319
Brad Christie
  • 100,477
  • 16
  • 156
  • 200