Should I sanitize EVERY form variable?

I have a form with many fields ...

The action is set to the PHP page that queries MySQL ...

Should I sanitize every single variable with mysql_real_escape_string? Or can I skip sanitizing select lists and radio buttons, for example?

In addition to mysql_real_escape_string, what else needs to be done to prevent attacks?

thanks

+4
6 answers

You should also check select boxes and radio buttons. Anyone can create their own HTML form and submit it to your script. The Firefox Web Developer toolbar even has an option to convert selects into text inputs.

You can also verify that the posted data contains only the correct values. For example, if you have a radio button, make sure that the posted form contains only one of the valid values.

Of course, you should run mysql_real_escape_string only on the variables that you are going to put into MySQL. If you are saving to a file, using the command line, or something else, there are more suitable functions and solutions.

+5

In general, it is trivial to craft a POST request outside the browser and thus bypass any restrictions that a drop-down list (for example) may impose on the possible values.

Because of this, you should always treat user data as hostile and error-prone, and validate and protect it on the server side as early as possible.

+2

Another batch of ignorant answers. Kamran, you attract them like a magnet.

You should understand that mysql_real_escape_string has nothing to do with forms or radio buttons, nor with validation or sanitization.
And it does not prevent attacks.

It is just a string escaping function. It escapes data that is going to be inserted into an SQL query string as string data.

An SQL query is a small program, with its own syntax. You should follow this syntax not because of "attacks", but simply because it is the syntax. And of course, these rules are independent of the data source! Radio button, HTML form or browser, none of that matters!

And it only works for strings. Not for numbers or identifiers.

Here is my answer on how to handle SQL queries: In PHP, when sending strings to the database, should you take care of invalid characters using htmlspecialchars() or use a regular expression?

+2

You need to use mysql_real_escape_string to escape strings before using them in SQL statements, to prevent SQL injection attacks.

In addition, when you take data out of your database and write it into HTML, you must use htmlspecialchars or strip_tags to prevent cross-site scripting attacks.

+1
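
The three points made in the answers above (validate radio/select values against the set your form offers, escape only string values that go into the SQL string, and escape again with htmlspecialchars on output) in one added example; this is not code from the thread. It assumes a form with a "color" radio button, a "qty" number and a "comment" text field, and placeholder table and column names. Since mysql_real_escape_string was removed in PHP 7, the example uses mysqli_real_escape_string, and also shows the prepared-statement alternative that needs no hand escaping.

```php
<?php
// Added example (not from the original thread). Assumes a form posting "color"
// (radio), "qty" (number) and "comment" (text); table/column names are placeholders.

// 1. Validate every field server-side, radio buttons and selects included:
//    anyone can hand-craft the POST, so the choices offered by the form mean nothing.
function validate_form(array $post): array
{
    $allowed_colors = ['red', 'green', 'blue'];          // the values the form offers
    $color = $post['color'] ?? '';
    if (!in_array($color, $allowed_colors, true)) {
        throw new InvalidArgumentException('color is not one of the allowed values');
    }
    // Numeric field: accept only a plain non-negative integer within a sane range.
    $qty = $post['qty'] ?? '';
    if (!is_string($qty) || !ctype_digit($qty) || (int)$qty > 10000) {
        throw new InvalidArgumentException('qty must be an integer between 0 and 10000');
    }
    // Free text: enforce a length limit here; escaping is a separate, later step.
    $comment = $post['comment'] ?? '';
    if (!is_string($comment) || mb_strlen($comment) > 500) {
        throw new InvalidArgumentException('comment is too long');
    }
    return ['color' => $color, 'qty' => (int)$qty, 'comment' => $comment];
}

// 2. Escape only when building the SQL string, and only the string values.
//    mysqli_real_escape_string replaces the removed mysql_real_escape_string.
function build_insert(mysqli $db, array $v): string
{
    return sprintf(
        "INSERT INTO orders (color, qty, comment) VALUES ('%s', %d, '%s')",
        mysqli_real_escape_string($db, $v['color']),
        $v['qty'],                      // already validated as an integer, no quoting
        mysqli_real_escape_string($db, $v['comment'])
    );
}

// Same insert as a prepared statement: values are bound, never spliced into the query.
function insert_prepared(mysqli $db, array $v): bool
{
    $stmt = $db->prepare('INSERT INTO orders (color, qty, comment) VALUES (?, ?, ?)');
    $stmt->bind_param('sis', $v['color'], $v['qty'], $v['comment']);
    return $stmt->execute();
}

// 3. Escape again, differently, when the stored value goes back into HTML.
function render_comment(string $comment): string
{
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}
```

Call validate_form($_POST) first and pass its result to either insert function; the SQL escaping and the HTML escaping are different transformations for different contexts and neither replaces the other.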

Any variable sent from the client cannot be considered safe or valid. If you use them in a query, you should always sanitize them.

+1

You only need to sanitize the fields that you do not want an attacker to be able to capture. Data can come from any source, not just your page. mysql_real_escape_string is fine for any value that will be concatenated into the query, but I would "sanitize" everything. For me, "sanitizing" means more than handling injection; it includes every field check (field length, numeric, actual date, empty, etc.).

0

Source: https://habr.com/ru/post/1312325/
