Archive - Originally posted on "The Horse's Mouth" - 2006-02-03 06:16:16 - Graham Ellis
If you write a script in PHP, it's one thing handing benign user inputs, and quite another "bullet proofing" your script against awkward characters (of the "less than" and "double quote" type) entered into form fields where they can lead to problems of the SQL error, echo display corruption and injection attack style.
I use the following diagram on PHP courses to remind trainees of the need to clean us EVERY user entry variable and to process EVERY string that's send out to a database or as part of the HTML response:
Remember that PHP was designed to handle web page work, so this string cleansing can be done with built in functions - there's a function to do that as we say during courses!
Just be aware ... that there are other issues as well as the ones shown in our diagram. If you're looking to write cast iron (squaddie proof) PHP, you'll need to use regular expressions to check that the inputs made of are of the format your program expects, you'll have to ensure that register globals is off or that every variable is initialised, and you'll need to check that users don't enter file names starting with "/" or "../".
