How do you sanitize your data?

This is the function that I am currently using (from the php book I bought):

function escape($data) {
    // $this->linkid is the mysql_connect() link resource (legacy mysql_* extension)
    return mysql_real_escape_string(trim($data), $this->linkid);
}

But I feel it could be safer; for example, you can also use htmlspecialchars. This always makes me paranoid. I have read that mysql_real_escape_string is bad and should never be used, but I have also read that it is the best way. There is a lot of confusion about sanitizing data when inserting it into the database.

So how do you do this? And what are the pros and cons of the way you do it?

+3
8 answers

You are talking about two different kinds of escaping.

mysql_real_escape_string() escapes data so that it is safe to send to MySQL.

htmlspecialchars() escapes data so that it is safe to display as HTML.

See also mysqli.

+4

WHY:

Because you are inserting data into something that has a syntax. XML has its own special characters, SQL has different ones, and the shell has yet others.

There is no single "sanitize". Escaping is not a property of the DATA alone; it depends on the SYNTAX the data is being inserted into.

The common contexts are: 1. HTML text 2. HTML attribute 3. HTML where some HTML is allowed 4. Javascript 5. SQL 6. Shell

Each one needs its own escaping! In PHP:

  • HTML text: htmlspecialchars(...)

  • HTML attribute: htmlspecialchars(..., ENT_QUOTES)

  • HTML where some HTML is allowed: HTMLPurifier.

  • Javascript: json_encode. If the result ends up inside an HTML attribute, apply #2 as well.

  • SQL: the escape() function of your database. With latin1, addslashes(...) does it; otherwise mysql_real_escape_string(). Example with addslashes():

    "INSERT INTO table1 SET field1 = '" . addslashes($data) . "'"

  • Shell: escapeshellarg() / escapeshellcmd()

Do this and you are covered 95% of the time!

+4
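As an added example, not code from the original poster or from any of the answers, the following script escapes one constructed untrusted string for each of the contexts listed in the answer above (and makes concrete the "two different kinds of escaping" point of the first answer). It uses only the PHP built-ins the answer names; the helper function names and the sample string are mine.

```php
<?php
declare(strict_types=1);

// Constructed sample input: it contains the characters that matter in every
// context below (apostrophe, double quote, angle brackets, ampersand, semicolon).
$untrusted = "Bob's <b>\"list\"</b> & co; rm -rf /";

// 1. HTML text: < > & and quotes become entities, so no tag can be opened.
function forHtmlText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. HTML attribute: ENT_QUOTES also converts the apostrophe, so the value
//    cannot close a single-quoted attribute early. The attribute must always
//    be quoted; an unquoted attribute is terminated by a space.
function forHtmlAttr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 4. JavaScript: json_encode() yields a valid JS string literal. The HEX flags
//    additionally encode < > & ' " as \uXXXX, so the literal can never contain
//    "</script>" and is safe to embed directly inside a <script> block.
function forJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// 5. SQL, as in the answer above: addslashes() only for a single-byte charset
//    such as latin1. mysql_real_escape_string() knows the connection charset;
//    a prepared statement avoids string escaping altogether.
function forSqlLatin1(string $s): string
{
    return addslashes($s);
}

// 6. Shell: escapeshellarg() wraps the value in single quotes and escapes any
//    embedded apostrophe, so ";" and "rm -rf /" are passed as literal text.
function forShell(string $s): string
{
    return escapeshellarg($s);
}

// Nested contexts: a JS literal inside an onclick attribute is escaped twice,
// first for JavaScript (inner syntax), then for the HTML attribute (outer syntax).
$onclick = "<button onclick='" . forHtmlAttr('show(' . forJs($untrusted) . ')') . "'>go</button>";

echo "text   : <p>", forHtmlText($untrusted), "</p>\n";
echo "attr   : <input value='", forHtmlAttr($untrusted), "'>\n";
echo "script : <script>var name = ", forJs($untrusted), ";</script>\n";
echo "nested : ", $onclick, "\n";
echo "sql    : INSERT INTO table1 SET field1 = '", forSqlLatin1($untrusted), "'\n";
echo "shell  : grep -F ", forShell($untrusted), " names.txt\n";

// The wrong escaper for the context is the bug: addslashes() output placed in
// HTML still carries a live <b> tag, and htmlspecialchars() output placed in a
// JS string literal leaves backslashes and newlines untouched, so the literal
// can still be broken out of.
echo "\nwrong  : <p>", forSqlLatin1($untrusted), "</p>\n";
```

Run it with `php escape_contexts.php` and compare the six lines: the same input comes out differently for each destination, and the last line shows that SQL-style escaping does nothing useful for HTML.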

Check what the data is supposed to be, then escape for where it goes.

  • Should it be a number? is_numeric()
  • Is it going into HTML? htmlentities
  • And so on.

mysql_real_escape_string is what you use with the mysql extension. If you use a DB layer such as PDO, use its quoting instead.

For example, $pdo->quote in PDO for mysql, or the equivalent in Zend_Db.

+1


SOAP? Har har.


0

Sanitizing depends on where the data is going:

  • SQL
  • HTML (or CSV, XML, ATOM, etc.).

Each destination has its own escaping rules. (For MySQL that is mysql_real_escape_string(), or PDO.) Likewise:

  • htmlspecialchars() for HTML
  • escapeshellarg() / escapeshellcmd() for the shell
  • etc.
0
  • Validate with filter_var().

  • In cases where only very specific formats or values are allowed, it may be better to use regular expressions or in_array() against a list of valid values.

  • Remember that "input" means any input source that you do not directly control.

  • If the input goes into a query, use prepared statements (e.g. mysqli).

0
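As an added example, not from the answers above, the script below puts the advice of the previous answer (and the "should it be a number?" checks of the earlier one) into working code: filter_var(), an in_array() whitelist and a strict regular expression for validation, and a prepared statement for the query. Helper names and the sample rows are mine; an in-memory SQLite database (pdo_sqlite) stands in for MySQL so the script runs without a server, and mysqli prepare()/execute() work the same way.

```php
<?php
declare(strict_types=1);

// A numeric id: filter_var() returns the int, or false for anything else,
// so a string such as "1 OR 1=1" is rejected before it gets near a query.
function validateId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// A sort column: only whitelisted values pass, checked with strict in_array().
// Identifiers cannot be bound as prepared-statement parameters, so a
// whitelist is the only safe way to let the user choose one.
function validateSortColumn(string $raw): ?string
{
    return in_array($raw, ['name', 'age'], true) ? $raw : null;
}

// A username: a regular expression anchored to the whole string (\A ... \z),
// so an apostrophe or a newline anywhere in the value fails the check.
function validateUsername(string $raw): ?string
{
    return preg_match('/\A[a-z][a-z0-9_]{2,31}\z/', $raw) === 1 ? $raw : null;
}

// Prepared statements: the SQL text is compiled first and the value travels
// separately, so quotes inside it are data, never SQL.
function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)');
    $ins = $pdo->prepare('INSERT INTO users (name, age) VALUES (:name, :age)');
    // Constructed sample rows; the apostrophe in the last name needs no escaping.
    foreach ([['alice', 31], ['bob', 42], ["o'brien", 27]] as [$name, $age]) {
        $ins->execute([':name' => $name, ':age' => $age]);
    }
    return $pdo;
}

function findUser(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, age FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The column name is interpolated into the SQL, which is only acceptable
// because it has just been reduced to one of two known-good identifiers.
function listUsers(PDO $pdo, string $rawSort): array
{
    $col = validateSortColumn($rawSort) ?? 'name';
    return $pdo->query("SELECT name, age FROM users ORDER BY {$col}")->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = openDb();

var_dump(validateId('42'));
var_dump(validateId('1 OR 1=1'));
var_dump(validateUsername("o'brien"));
var_dump(validateSortColumn('age; DROP TABLE users'));

// The classic injection string is treated as a name nobody has.
var_dump(count(findUser($pdo, "' OR '1'='1")));
// A legitimate apostrophe in the data is looked up as-is.
var_dump(findUser($pdo, "o'brien")[0]['name']);
var_dump(array_column(listUsers($pdo, 'age'), 'name'));
```

Running it shows 42 accepted and the three injection-shaped inputs rejected as null, zero rows for the `' OR '1'='1` lookup with the table still intact, the row for `o'brien` found without any escaping, and the list ordered by age because `age` was in the whitelist.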

After making sure that the data is valid and/or well-formed (see the comment by Jani Hartikainen), you really only need to call PHP's built-in addslashes().

-2

Source: https://habr.com/ru/post/1712236/
