html - php 5.5 text area input filtering & output escaping -


from researching best way sanitize html form data, have found should "filter input" , "escape output."

unfortunately of info on subject out there old information (php 4.x, 2009, etc.). many web pages recommend mysql_real_escape_string deprecated of php 5.5.0.

i on php 5.5.x, apache web server, , mysql database. using pdo prepared statements. character sets utf-8.

i have looked @ php sanitize filters (found here: http://www.php.net/manual/en/filter.filters.sanitize.php).

i have filtered inputs , escaped outputs except textareas. text areas user "describe event." these large @ 500 characters. 1 spot feel vulnerable malicious code.

the first thing input trim() function.

what best filters run on input?

how should escaping output?

i want output readable.

thank in advance.

the answer depends input kind want filter. let's assume want simple plain text in textarea, need avoid javascript, css , html code need prevent sql injection in input , 500 characters of length.

  1. use strip_tags avoid html, css , js tags.
  2. use str_replace("'","\'", $string) prevent sql injection parsing single quote.
  3. use substr cut string in 500 characteres if more limit.

i recommend visit : https://www.owasp.org/index.php/top_10_2013-top_10

also recommend use php framework avoid tradicional way in work common security risks.

in opinion can use zend, code igniter or laravel.

  1. http://ellislab.com/codeigniter/user-guide/libraries/input.html
  2. http://framework.zend.com/manual/2.0/en/modules/zend.filter.html
  3. http://laravel.com/docs/validation

Comments

Post a Comment

Popular posts from this blog

php - SPIP: From Tag directly to an article -

i work spip , plugin called tagsphere works fine tags in spip. have tag groupe put 1 article tag. when click on tag in tagsphere send me before menu can see articles linked tag. want send me directly article without see tag menu before. here code model of thagsphere: <div id="tagsphere-#env{id_article}"> <ul> <boucle_mot(mots){id_groupe ?}> <li>[<a href="#url_mot">(#titre)</a>]</li> </boucle_mot> </ul> </div> anybody idea? if want skip tag page, have link directly article. <b_article> block prevents display tag if no article linked. <div id="tagsphere-#env{id_article}"> <ul> <boucle_mot(mots){id_groupe ?}> <b_article> <li> <a<boucle_article(articles){...
Read more

jquery - isAjaxRequest always return false -

i got error message 404,'model has not been saved' following code my action controller public function actionextend($id) { $model=$this->loadmodel($id); if(yii::app()->request->isajaxrequest) { $model->todate = date('y-m-d h:i:s a',(strtotime('next month',strtotime(date('y-01-d'))))); if($model->save()) { yii::app()->end(); } else { throw new chttpexception(404,'model has not been saved'); } } } the jquery call $("#buttonextend<?php echo $this->post_row;?>").click(function(e){ $.ajax({ type: "post", url: "<?php echo yii::app()->createurl('post/extend', array('id' => $data['id'])); ?>", }); }); why not ajax call ? thank help i found response, missed } , function ...
Read more

ruby on rails - In a controller spec, how to find a specific tag in the generated view? -

i know integration tests preferred need ran in controller test, i'm testing gem injecting html code in view, xhr can't run in feature spec (if can, please explain me how :) ) so rspec controller tests can assert selector present (with capybara) : response.body.should have_selector('#foobar') has_selector? call all method capybara find selector. what want last child of body , assert id in particular. afaik it's not possible have_selector. what : all('body:first-child').first.id.should == '#foobar' however, capybara dsl, defined (more or less): def all(*args) page.all(*args) end and page empty unless use visit it's integrations specs. how can use capybara all method inside rspec controller test ? i can't test right after googling seems trick def page capybara::node::simple.new(response.body) end source
Read more