
I have three books in which, being on PHP or PHP & MySQL, one might reasonably expect to find some coverage of Data Sanitization, but I haven't had any luck. Is there a reliable resource online that covers the basics of cleaning your data up, both before putting it into a DB and before displaying it after pulling it from the DB?

aslum

3 Answers


Well, Stack Overflow is such a resource. Your question is being asked twice a day.

I wrote a pretty decent answer on this topic earlier: In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?

Long story short: for dynamic MySQL query creation you have four different escaping cases:

  • string data
  • int data
  • identifiers
  • operators

and notorious PDO covers only two of them.

For HTML, htmlspecialchars with ENT_QUOTES is quite enough.
However, there are a dozen other cases, like filename sanitization, mail injection and such.

Your Common Sense

Chris Shiflett wrote a book on it called Essential PHP Security.

Rijk

Use PDO and binding, or a suitable escape-string function for MySQL, on input data.

Use htmlspecialchars with ENT_QUOTES and the correct charset on data to display for output.

fire
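An added example, not from the question or any of the answers, that puts the four escaping cases from the first answer and the input/output advice from the last one into a single script. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table, the sample row, the `safeIdentifier`/`safeOperator` helpers and the request values are all constructed here.

```php
<?php
// Added example, not from the original thread: the four escaping cases from
// the first answer plus the input/output advice from the last one. The SQLite
// in-memory database, table, row and request values are constructed here.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)');

// Cases 1 and 2, string and int data: bound parameters, never concatenation.
$insert = $pdo->prepare('INSERT INTO users (name, age) VALUES (:name, :age)');
$insert->bindValue(':name', "O'Brien <script>alert(1)</script>", PDO::PARAM_STR);
$insert->bindValue(':age', 42, PDO::PARAM_INT);
$insert->execute();

// Cases 3 and 4, identifiers and operators: PDO cannot bind these, so accept
// only values from a fixed whitelist and reject everything else.
function safeIdentifier(string $requested, array $allowed): string
{
    if (!in_array($requested, $allowed, true)) {
        throw new InvalidArgumentException("Unknown column: $requested");
    }
    // Double quotes are the SQL-standard identifier quoting; MySQL uses backticks.
    return '"' . $requested . '"';
}

function safeOperator(string $requested): string
{
    if (!in_array($requested, ['=', '<', '>', '<=', '>='], true)) {
        throw new InvalidArgumentException("Unknown operator: $requested");
    }
    return $requested;
}

// Hypothetical request values (stand-ins for $_GET['sort'] and friends).
$column   = safeIdentifier('age', ['name', 'age']);
$operator = safeOperator('>=');
// Interpolating $column and $operator is safe only because they were whitelisted.
$select = $pdo->prepare("SELECT name, age FROM users WHERE $column $operator :min");
$select->bindValue(':min', 18, PDO::PARAM_INT);
$select->execute();

// Output: escape at display time with ENT_QUOTES and the page's charset.
foreach ($select->fetchAll(PDO::FETCH_ASSOC) as $row) {
    $name = htmlspecialchars((string) $row['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $age  = htmlspecialchars((string) $row['age'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo "<li>{$name} ({$age})</li>\n";
}
```

The stored name keeps its apostrophe and angle brackets intact in the database; they are only converted to entities when rendered, which is the split between input handling and output escaping that the answers describe.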