Comprehensive server side validation

I currently have a pretty reliable server-side validation system, but I'm looking for some feedback to make sure I cover all corners. Here is a brief description of what I'm doing at the moment:

  • Make sure the input is not empty or too long

  • Escape query strings to prevent SQL injection

  • Use regular expressions to reject invalid characters (which characters depends on what will be sent)

  • Encode certain HTML tags, for example <script> (all tags are encoded when saved to the database, and some are decoded when requested for rendering on the page).

Is there something I am missing? Code samples or regular expressions are welcome.

+3
5 answers

You do not need to "escape" query strings to prevent SQL injection; you should use prepared statements instead.

Ideally, your input filtering will occur before any other processing, so you know that it will always be applied. Otherwise, you only need to skip one place to be vulnerable to the problem.

Remember to encode HTML entities in the output, to prevent XSS attacks.

+8

html, "". , , HTML, ( , , "" ..). , , , , htmlentities, , , HTML- ( ) .

+2

, , .

, , .

+1

/ ,
(PHP-, /, php):

PHP?

+1

Filter Extension . , , , , , .

Also, review the answer about prepared statements posted above. Escaping data in your SQL queries is a thing of the past.

+1
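The three points made in the first answer and repeated in the last one (validate at the boundary before anything else, use parameterised queries instead of escaping, and encode for HTML at output time rather than at storage time) as one worked example. This is an added illustration, not code from any of the answers; the comment table, the author whitelist pattern and the length limit are assumptions made for the demo, and it uses Python's standard library sqlite3 and html modules rather than PHP.

```python
import html
import re
import sqlite3

# Constructed schema for the demo only; not a real application's table.
_SCHEMA = "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)"

# Whitelist for the author field (assumption for this example): allow only a small
# alphabet and bound the length, instead of trying to blacklist "dangerous" characters.
AUTHOR_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
BODY_MAX_LEN = 2000  # assumed limit


def validate_author(author: str) -> str:
    """Reject empty, over-long or out-of-alphabet author names; return the value unchanged."""
    if not isinstance(author, str) or AUTHOR_RE.fullmatch(author) is None:
        raise ValueError("invalid author")
    return author


def validate_body(body: str) -> str:
    """Free text: only the non-empty / not-too-long checks apply. No escaping happens here."""
    if not isinstance(body, str) or not body or len(body) > BODY_MAX_LEN:
        raise ValueError("body empty or too long")
    return body


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(_SCHEMA)
    return conn


def save_comment(conn: sqlite3.Connection, author: str, body: str) -> int:
    """Validate first, then store the raw text with a parameterised INSERT."""
    author = validate_author(author)   # boundary validation before any other processing
    body = validate_body(body)
    # The driver sends the values separately from the SQL text, so quotes, semicolons
    # and comment markers inside the values never become part of the statement.
    cur = conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    return cur.lastrowid


def render_comment(conn: sqlite3.Connection, comment_id: int) -> str:
    """Encode for the HTML context at output time; the database keeps the original text."""
    row = conn.execute("SELECT author, body FROM comments WHERE id = ?", (comment_id,)).fetchone()
    if row is None:
        raise LookupError("no such comment")
    author, body = row
    return "<p><b>%s</b>: %s</p>" % (html.escape(author), html.escape(body))


def stored_body(conn: sqlite3.Connection, comment_id: int) -> str:
    """Helper to show that the stored value is the untouched input."""
    return conn.execute("SELECT body FROM comments WHERE id = ?", (comment_id,)).fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    # Constructed sample input mixing a SQL-looking payload and a script tag.
    sample = "it's fine'; DROP TABLE comments; -- <script>alert(1)</script>"
    cid = save_comment(db, "alice", sample)
    print(stored_body(db, cid))      # stored verbatim, table still exists
    print(render_comment(db, cid))   # angle brackets and quotes encoded for the page
```

Because the body is stored unencoded, the same row can later be rendered into a different context (JSON, plain-text e-mail) with the encoding appropriate to that context, which is what the first answer means by encoding "in the output".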

Source: https://habr.com/ru/post/1697635/

