Core Web Blog

Keep up to date with CoreSolutions

  • Web
  • Posted

Sanitizing Your Data

If you do any PHP programming that includes writing data to or reading data from a database, then it’s important to keep an eye on how you are entering data into your database; you don’t know what your users intentions are, and while most of them just want to use your site as intended, some users could have more malicious intentions. You shouldn’t enter data directly as the user enters it, for a couple of reasons.

1) SQL injection attacks

One of the more common types of attack. If the user enters SQL code into a field, that code will be run. The easiest way to guard against this is to use the function ‘mysql_real_escape_string’; this will escape any special characters used in SQLqueries ( for example, single quotes), this will prevent the user from adding in additional SQL statements that will be run (in the example above,it will be treated as one big text string that will be entered into the name column of the database, rather than a separate SQL command.

2) Cross-site scripting attack

A different type of attack, but just as dangerous. This assumes that that the user will be entering information that will be later displayed on a webpage. If the user enters in some HTML code (or other code that will run in a browser, like javascript) into a field, then when you later go to display what the user entered, that code will run. One way to avoid this is to use the function ‘strip_tags’ on the data the user entered, this will strip out any HTML tags entered by the user (like <script> tags around javascript code.

These are just a couple of basic things that you can do to protect your website; there is a lot more information online, starting with PHP’s own website; a quick google search will give you a number of resources to make your site even more secure.

Leave a comment

CoreSolutions Logo

London Office:
1-1615 N Routledge Park
London, ON N6H 5L6

Toronto Office:
2425 Matheson Blvd East
7th Floor
Mississauga, ON L4W 5K4

Toll Free: (800) 650-8882
London: (519) 641-7727
Toronto: (416) 410-8649
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

SUBSCRIBE

Click the 'Subscribe' button to sign up for news & software tips.

Beyond Software

Copyright © 2018 CoreSolutions Software, Inc. All Rights Reserved