The safest way to block harmful code in strings.
01-16-2008, 12:59 AM
01-16-2008, 03:30 AM
That depends. What will the input be? A zip code? A name? Phone number? Email address? Telephone number? Date? Time? Letter? Number? Paragraph?
Read this full topic, not just the first two or three quick and dirty solutions... it may help:
01-17-2008, 02:09 AM
A profile code. Just simple coding and stuff about the user.
01-17-2008, 02:15 AM
He means each field. You need to ensure error checking is present on ANY input given by the user (I didn't read the link at all, but I can guess).
1. Control your own addslashes / escaping. Disable magic_quotes_gpc runtime
2. Datatype checks. Want a number? Typecast the given input into an (int) and check to see if the new value is == the original (not === as that will check datatypes as well).
3. Regexp. Hands down an excellent error checking tool. Downside: slow. Still worth the time and nowadays it's completely negligible.
If you want to use markup, code your own markup that you will allow.
And I cannot stress this enough: database insertion escaping. Never, NEVER put unclean values into a database. You will love it when a user injects your data and dumps your entire site.
Hope that helps!
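An added example (not code from the thread) that follows the steps in the post above for a "profile code" field: cast-and-compare integer check, regex whitelist, and a prepared statement in place of manual escaping. The field names, the `profiles` table and the use of the pdo_sqlite extension are assumptions.

```php
<?php
declare(strict_types=1);

/** Step 2: integer check by cast-and-compare, done on the string form so that
 *  inputs like "12abc", "0012" or "" are rejected instead of silently truncated. */
function validateInt(string $raw, int $min, int $max): ?int
{
    $raw = trim($raw);
    if ((string)(int)$raw !== $raw) {
        return null;                       // not a plain decimal integer
    }
    $n = (int)$raw;
    return ($n >= $min && $n <= $max) ? $n : null;
}

/** Step 3: regex whitelist; any character outside the allowed alphabet fails.
 *  \A and \z anchor the whole string, so a trailing newline cannot slip past. */
function validateProfileCode(string $raw): ?string
{
    return preg_match('/\A[A-Za-z0-9_-]{3,32}\z/', $raw) === 1 ? $raw : null;
}

/** Step 4: never concatenate user values into SQL; bind them as parameters. */
function storeProfile(PDO $db, int $userId, string $code): void
{
    $stmt = $db->prepare('INSERT INTO profiles (user_id, code) VALUES (:uid, :code)');
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':code', $code, PDO::PARAM_STR);
    $stmt->execute();
}

// Constructed sample requests standing in for $_POST (hypothetical field names).
$requests = [
    ['user_id' => '42',    'code' => 'alice_2008'],      // valid
    ['user_id' => '12abc', 'code' => 'alice_2008'],      // bad integer
    ['user_id' => '7',     'code' => "x'; <b>bold</b>"], // characters outside whitelist
];

$db = new PDO('sqlite::memory:');           // assumption: pdo_sqlite available
$db->exec('CREATE TABLE profiles (user_id INTEGER, code TEXT)');

foreach ($requests as $post) {
    $userId = validateInt($post['user_id'], 1, PHP_INT_MAX);
    $code   = validateProfileCode($post['code']);
    if ($userId === null || $code === null) {
        echo "Rejected: {$post['user_id']} / {$post['code']}\n"; // reject, do not "clean"
        continue;
    }
    storeProfile($db, $userId, $code);
    echo "Stored profile for user {$userId}\n";
}
```

Only the first request reaches the database; the other two are refused before any SQL is built, so no escaping decision is ever left to string concatenation.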