[thelist] $_POST string

Hugh Miller hmiller at cfpress.co.uk
Thu Jun 3 06:54:14 CDT 2010


I've developed a CMS system where all form items are generated from a 
database using a datatype id.

This allows me to have a simple one-for-all form processor that reads 
the preset datatype for each $_POST[field] and validates the data 
accordingly, so integer fields can be confirmed as such, email 
addresses and web addresses run through regular expressions and so on, 
without the need to continually look at forms and write a processor for 
each. I think we have about 40 unique datatypes to validate through, 
including telephone, postal code, date formats and even a long string of 
pipe-encapsulated data that is used as an audit trail.

Seems to work quite well for what we do, and we add around 12000 rows of 
database records per week.

On 03/06/2010 12:44, Matthew Pulis wrote:
> obviously it is very good practice that you do not use client supplied
> variables straight in your script / database!!
>
> never insert into the database some data supplied by the client without
> cleaning it / escaping it! else you are really risking big time!
>
> if you want to be paranoid you can also encode the $_POST
>
>
>
> Matthew Pulis BSc. (Business and Computing) MSc. (Informatics)
> web:   www.matthewpulis.info
> mob:   +44 7866535953  / +356 79539404
>
>
> On Thu, Jun 3, 2010 at 12:20 PM, Daniel Burke <dan.p.burke at gmail.com> wrote:
>
>> As $_POST data is supplied by the client you can not prevent trickery.
>>
>> On 3 Jun 2010 07:05, "Bob Meetin" <bobm at dottedi.biz> wrote:
>>> I am developing some php forms that require numerous arguments in the
>>> $_POST string. This works fine. Is there anything that can be
>>> reasonably done to not make all the ooohs and ahhhs display in the URL
>>> address bar which might appear tempting to some viewers?
>>>
>>> Or perhaps better, what is a standard way to bullet-proof $_POST
>>> variables to prevent trickery?
>>>
>>> -Bob
>>> --
>>>
>>> * * Please support the community that supports you. * *
>>> http://evolt.org/help_support_evolt/
>>>
>>> For unsubscribe and other options, including the Tip Harvester
>>> and archives of thelist go to: http://lists.evolt.org
>>> Workers of the Web, evolt !


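A datatype-driven form processor of the kind Hugh describes, as an added example that is not part of the thread or of his CMS: the datatype ids, the field map and the sample submission are constructed stand-ins for his database, and the snippet assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the thread): a datatype-driven $_POST validator in the style
// Hugh describes. The datatype ids and field map are constructed stand-ins for his database.
const FORM_SCHEMA = [ // field name => datatype id (would come from the database)
    'qty' => 'int', 'email' => 'email', 'site' => 'url', 'tel' => 'tel',
    'postcode' => 'uk_postcode', 'when' => 'date', 'audit' => 'pipe_list',
];

// One check per datatype. Returns the normalised value, or null if the input is invalid.
function validateField(string $type, string $raw)
{
    $v = trim($raw);
    switch ($type) {
        case 'int':   $r = filter_var($v, FILTER_VALIDATE_INT);   break;
        case 'email': $r = filter_var($v, FILTER_VALIDATE_EMAIL); break;
        case 'url':   $r = filter_var($v, FILTER_VALIDATE_URL);   break;
        case 'tel':   $r = preg_match('/^\+?[0-9][0-9 ]{5,18}[0-9]$/', $v) ? $v : false; break;
        case 'uk_postcode':
            $r = preg_match('/^[A-Z]{1,2}[0-9][A-Z0-9]? ?[0-9][A-Z]{2}$/i', $v) ? strtoupper($v) : false;
            break;
        case 'date': // ISO date; the round trip rejects rollovers such as 2010-02-31
            $d = DateTime::createFromFormat('!Y-m-d', $v);
            $r = ($d && $d->format('Y-m-d') === $v) ? $v : false;
            break;
        case 'pipe_list': // audit trail: non-empty pipe-separated segments, limited charset
            $r = preg_match('/^[\w .:-]+(\|[\w .:-]+)*$/', $v) ? $v : false; break;
        default: $r = false; // unknown datatype id: reject, never pass the value through
    }
    return $r === false ? null : $r;
}

// Validate every schema field; keys not in the schema are dropped, missing ones fail.
function validatePost(array $post, array $schema): array
{
    $clean = []; $errors = [];
    foreach ($schema as $field => $type) {
        $raw = $post[$field] ?? null;                // absent fields and arrays are rejected
        $val = is_string($raw) ? validateField($type, $raw) : null;
        if ($val === null) { $errors[$field] = "invalid $type"; } else { $clean[$field] = $val; }
    }
    return [$clean, $errors];
}

// Constructed submission standing in for $_POST; 'extra' is not in the schema and is dropped.
$sample = ['qty' => '12', 'email' => 'a@example.com', 'site' => 'https://example.com',
    'tel' => '+44 7700 900123', 'postcode' => 'sw1a 1aa', 'when' => '2010-06-03',
    'audit' => 'hmiller|edit|2010-06-03', 'extra' => 'ignored'];
[$clean, $errors] = validatePost($sample, FORM_SCHEMA);   // $errors is empty for this input
// Only $clean reaches the database, and only through bound parameters (PDO prepare/execute).
```

Because every field is looked up by its datatype id, a field whose datatype is missing or unknown is rejected rather than passed through, which is the property that makes the single processor safe to reuse across forms.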
