The safest way to block harmful code in strings.

01-16-2008, 01:59 AM
Hi all. I'm making a profile code. My code is very vulnerable to someone entering harmful code into the textarea, which is then inserted into a MySQL database. Most of the code I want to block is all PHP and most JavaScript, and anything else harmful. There are still a lot of coding languages out there and I don't know all the hacks that can be done with those. Can someone come up with the best code to block most harmful code using htmlspecialchars(), strip_tags(), and htmlentities()?

01-16-2008, 04:30 AM
That depends. What will the input be? A zip code? A name? Phone number? Email address? Telephone number? Date? Time? Letter? Number? Paragraph?

Read this full topic, not just the first two or three quick and dirty solutions... it may help:

01-17-2008, 03:09 AM

A profile code. Just simple coding and stuff about the user.

01-17-2008, 03:15 AM
He means each field. You need to ensure error checking is present on ANY input given by the user (I didn't read the link at all, but I can guess).
Safest way?
1. Control your own addslashes / escaping. Disable magic_quotes_gpc runtime
2. Datatype checks. Want a number? Typecast the given input into an (int) and check to see if the new value is == the original (not === as that will check datatypes as well).
3. Regexp. Hands down an excellent error checking tool. Downside: slow. Still worth the time, and nowadays it's completely negligible.
4. Remove ability for ANY code. Javascript, php, asp, html, anything that is parsable. If you're lazy (like me :)) just change the values into their html entities to remove the parsing capabilities.
If you want to use markup, code your own markup that you will allow.

And I cannot stress this enough: database insertion escaping. Never, NEVER put unclean values into a database. You will love it when a user injects your data and dumps your entire site.
Hope that helps!
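The four steps in the reply above, put together as one added example (this is not code posted in the thread; it is written here to illustrate the advice). It assumes a hypothetical `profiles` table with columns `username`, `age` and `bio`, a flat `$_POST`, and placeholder PDO credentials. Two things differ from the post's wording on purpose: the int check compares as strings, because in PHP 5 `27 == '27abc'` is true and the loose `==` comparison would let `27abc` through; and the database insert uses a prepared statement instead of hand escaping, which is the reliable way to do the "database insertion escaping" the post insists on.

```php
<?php
// Added example, not from the original thread. Validates each profile field
// by type, neutralises markup by entity-encoding on output, and inserts with a
// prepared statement so no user value is ever concatenated into SQL.
// Assumptions: a `profiles` table (username, age, bio), a flat $_POST,
// placeholder PDO DSN/credentials.

// Step 1: control your own escaping. If magic_quotes_gpc is on (PHP < 5.4),
// undo it so values are escaped exactly once, by us, at the database boundary.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_POST = array_map('stripslashes', $_POST);   // assumes a flat array
}

// Step 2: datatype check. Cast to int, then compare the cast value with the
// original. The comparison is done on strings: "27abc" casts to 27 and
// 27 == "27abc" is true in PHP 5, so a loose == would accept garbage.
function validate_age($raw) {
    $raw = trim((string) $raw);
    $n = (int) $raw;
    if ((string) $n !== $raw || $n < 0 || $n > 150) {
        return null;
    }
    return $n;
}

// Step 3: regexp whitelist for a short identifier-like field. Anchored with
// ^ and $ so the whole value must match, not just a substring.
function validate_username($raw) {
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $raw) ? $raw : null;
}

// Step 4: remove parsing ability from free text. Encode to HTML entities at
// output time (ENT_QUOTES covers both quote styles, so the text is inert
// inside attributes as well as element bodies). The database keeps raw text.
function render_bio($bio) {
    return nl2br(htmlspecialchars($bio, ENT_QUOTES, 'UTF-8'));
}

// Database insertion: bound parameters, typed. The SQL text never contains
// user data, so there is nothing for an injected quote to break out of.
function insert_profile(PDO $db, $username, $age, $bio) {
    $stmt = $db->prepare(
        'INSERT INTO profiles (username, age, bio) VALUES (:username, :age, :bio)'
    );
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->bindValue(':bio', $bio, PDO::PARAM_STR);
    return $stmt->execute();
}

// Constructed sample input standing in for $_POST (not real user data).
$input = array(
    'username' => 'alice_01',
    'age'      => '27abc',   // passes a loose == check in PHP 5, fails here
    'bio'      => "Hi! <script>alert(1)</script> I'm \"alice\"; ' OR 1=1 --",
);

$username = validate_username($input['username']);
$age      = validate_age($input['age']);

if ($username === null || $age === null) {
    echo "Rejected: invalid username or age\n";
} else {
    // Placeholder DSN and credentials; replace with your own.
    $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8', 'user', 'pass');
    insert_profile($db, $username, $age, $input['bio']);
}

// The bio is echoed through the encoder, so the <script> tag and the quotes
// arrive in the browser as literal text rather than markup.
echo render_bio($input['bio']), "\n";
```

Validation and encoding are separate jobs here: validation decides whether a value is accepted at all (age, username), while `render_bio` only changes how an accepted value is displayed, so the stored bio can later be shown in another context (plain text, JSON) with the encoding appropriate to that context. The prepared statement does the escaping for MySQL; if you ever drop back to string-built SQL, use `mysql_real_escape_string()` on every value and never rely on magic_quotes.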