Resolved: sanitize file_get_contents

09-07-2011, 10:05 PM
On an internal system: it would be a company in-house tool, so not for the public masses, but definitely an in-house-only tool for management, so it will only be used by those that have an interest in protecting their own data. They won't sabotage their own stuff, I'm sure, lol.

Is there any reason to sanitize file_get_contents, and if so, how to do it? Can't use real escape as it totally distorts the file view. It will also be viewed on the screen as well as stored.

Mostly PHP and HTML files and some text docs.

I read the docs on file_get_contents and didn't see anywhere that they sanitized it, so I'm going to play around with this a bit and check the view results, but I wanted to see what you all thought here as well.

09-08-2011, 04:10 AM
Best to make your code secure even if this is for an in-house tool.

Can you clarify what you would sanitize? The file path? The output?

09-08-2011, 03:08 PM
Hi, thanks. It is the actual file content: it is a file revision tool, and so the actual contents of the PHP file will be displayed on the screen as well as saved in the DB under revision keys, and it will also be possible to use a diff tool on it.

And that is the issue: with it being the actual file being displayed, it really gets funky using the escape (or specialchars or strip_tags, which I didn't plan on using, just testing the output). I even tried addslashes because of my global settings and it's still funky, lol.

Without any sanitation at all it's perfect, right from the DB to the screen. But it would be nice to sanitize it somehow; it's just probably not gonna happen, ya know.

09-08-2011, 03:38 PM
You only really need to sanitize it for insertion into the DB, not for displaying on screen.

09-08-2011, 03:58 PM
Thanks, tango, and good morning to you. I guess I'm always worried about some file data getting corrupted somehow and then executing some JavaScript or something when it executes the display file. And that's why I was saying this is an in-house tool, and I guess I really could spend my life chasing my own tail, ya know. Sometimes I guess you have to put the monkey on their back and just assume they won't corrupt their own data, lol.

Thanks for the input, tango. I hope you have a great day, bud. :thumbsup:

09-08-2011, 04:13 PM
JavaScript is a different scenario, and for that you may indeed want to strip it out (you could use regular expressions, or search for <script and </script> and delete everything from start to end).

Morning :thumbsup:

09-09-2011, 07:10 PM
If you are displaying the text in a web browser then simply use htmlspecialchars(); there will be no possibility that any JavaScript within the text will execute.
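As an added example (not code from the thread or from any of the posters), here is the pattern the last two replies point at, covering both halves of the original question: store the file bytes unchanged using a prepared statement (so no addslashes or real_escape mangling, and the diff tool sees the original text), and escape only at display time with htmlspecialchars() so that a <script> tag inside a revision is shown as text rather than run. The in-memory SQLite database, the revisions table, the sample file contents and the file path are all constructed for the demo, and it assumes PHP with the pdo_sqlite extension available.

```php
<?php
// Added example, not from the thread. Revision tool pattern:
// store raw, escape on output. Assumes the pdo_sqlite extension.
declare(strict_types=1);

// Constructed sample "file" of the kind the tool would read with
// file_get_contents(): PHP, markup, a script tag, quotes, an ampersand.
$sample = <<<'TXT'
<?php echo "hello"; ?>
<script>alert('xss')</script>
<b>bold</b> & "quotes"
TXT;

function openRevisionDb(string $dsn = 'sqlite::memory:'): PDO
{
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Hypothetical table layout for the demo.
    $db->exec('CREATE TABLE IF NOT EXISTS revisions (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        path TEXT NOT NULL,
        content TEXT NOT NULL,
        created_at TEXT NOT NULL
    )');
    return $db;
}

// Store the content unchanged. The prepared statement does the quoting,
// so addslashes()/real_escape_string() are unnecessary and the bytes
// stay intact for later diffing.
function storeRevision(PDO $db, string $path, string $content): int
{
    $stmt = $db->prepare(
        'INSERT INTO revisions (path, content, created_at) VALUES (:path, :content, :ts)'
    );
    $stmt->execute([
        ':path'    => $path,
        ':content' => $content,
        ':ts'      => gmdate('c'),
    ]);
    return (int) $db->lastInsertId();
}

function loadRevision(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT content FROM revisions WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException("revision $id not found");
    }
    return $row['content'];
}

// Escape only at output time. ENT_QUOTES converts both quote styles, so
// the result is also safe inside attribute values; the explicit charset
// avoids surprises with multibyte input.
function renderRevision(string $content): string
{
    return '<pre>' . htmlspecialchars($content, ENT_QUOTES, 'UTF-8') . '</pre>';
}

$db = openRevisionDb();
// The path is a constructed placeholder, not one from the thread.
$id = storeRevision($db, '/srv/example-app/index.php', $sample);
$stored = loadRevision($db, $id);

// Round-trip check: what came back is byte-identical to what was read,
// which is exactly what the diff feature needs.
assert($stored === $sample);

echo renderRevision($stored), PHP_EOL;
```

Run it from the command line with php; the echoed <pre> block is what would be placed in the page, with every tag in the revision rendered as visible text. Because escaping makes all markup inert, there is no need for the separate step suggested earlier of cutting <script>...</script> out of the content, and the stored revision stays complete and unmodified.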