[thelist] Keeping PHP forms secure

Sales @ Lycosa sales at lycosa.co.uk
Tue Aug 7 07:12:24 CDT 2007


> Regular expressions? Does PHP really lack a parameterized SQL execute
> function?!

What exactly do you mean by parameterized SQL execute function? Could you
give me an example?

Although this thread was primarily about sql queries, it is important to
sanitize all input, regardless of what it will be used for. Regular
expressions can be used to remove harmful characters, or simply to constrain
the user to a particular set of available characters. If your input only
requires a-zA-Z0-9, as in a login page, why should you allow the visitor to
enter any other characters? If these characters are removed at the start of
the script, there is less potential damage later on, whether it be for sql
query or output to browser, file or whatever. It is better to consider the
input requirements, and force the user to enter only valid characters.
Anything other than correct input data is either a user error, or malicious.

Phil
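Added example (not from the original post or the thread): both approaches mentioned above side by side, an allowlist check with a regular expression for a login field and a parameterized query through PDO, which is what the quoted reply refers to. The table, the sample user and the request values are constructed for the demonstration, and the length bound in the pattern is an assumption.

```php
<?php
// Added example for the thread above. Runs stand-alone against an in-memory
// SQLite database; the table, rows and request values are constructed here.

/**
 * Allowlist check: accept only a-zA-Z0-9 (plus a length bound, which is an
 * assumption for this example) and reject everything else, rather than trying
 * to strip "bad" characters out of the input.
 */
function validUsername(string $input): ?string
{
    return preg_match('/^[A-Za-z0-9]{1,32}$/', $input) === 1 ? $input : null;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass_hash TEXT)');

// Even the seed data goes through a prepared statement, never string building.
$seed = $db->prepare('INSERT INTO users (name, pass_hash) VALUES (:name, :hash)');
$seed->execute([':name' => 'alice', ':hash' => password_hash('example-only', PASSWORD_DEFAULT)]);

// Constructed request values; in a real form these would come from $_POST.
$requests = ['alice', "o'brien"];

foreach ($requests as $raw) {
    $name = validUsername($raw);
    if ($name === null) {
        // Outside the allowed character set: treat as user error, do not "clean" it.
        echo "rejected: {$raw}\n";
        continue;
    }

    // Parameterized query: the value is bound separately from the SQL text, so
    // the driver never interprets it as part of the statement. This would hold
    // even for a name containing a quote, if the policy allowed such names.
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    echo $row ? "found user {$name}\n" : "no such user {$name}\n";
}
```

Requires the pdo_sqlite extension; swap the DSN for a MySQL one and the same prepare/execute calls apply unchanged.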




