
PHP. Filtering Data



User Name: serfcompany
Name: Serf
Contact Me: www.datawebcoder.com
Home Page: www.datawebcoder.com
PHP, MySQL, JavaScript, HTML, CSS. Preferably working with Zend Framework. Good knowledge of JavaScript. I have worked with various JavaScript frameworks such as jQuery, YUI3, ExtJS and Sencha Touch.
Add Date: 02/24/2012
The most important item in web site security is to check every incoming request before it reaches the database, so you should always inspect the data a user enters in a search form, a registration form and so on for "dangerous" content.

This may be malicious JavaScript code, PHP or Perl commands and, most dangerous of all, commands to the server itself.

Discussing the possibilities open to an experienced attacker who finds an unchecked input field on the site is pointless: such an attacker can do almost anything, from installing their own code to redirecting the whole site or taking the server out of service.


Always remember that absolutely anyone is a danger to an unprotected site, so it is always worth checking the queries and variables that come from the user.


Stages:

1) Analysis of variables and arrays, namely POST and GET;
2) Separation of variables by type;
3) Filtering of string variables.


Stage 1. Analysis of variables


Check the input variables at the very beginning of the script; do not let functions and database queries work with data from users that has not yet been checked and is potentially dangerous.
That way all the code needed for protection sits in one particular place, or even in a single file.


Example: $a1 = @$_GET["nomer"]; The @ symbol is used to "ignore" the interpreter's notice when the key nomer is absent from the GET array.


Stage 2. Separation of variables


Absolutely every variable in the script should already have its own type at the design stage, whether it is a number or a string.
It is best to check each variable against the type required of it, for example:


Our variable is of type integer, so to filter the data it is enough to cast the variable $a1 to an integral type:



For example, if an attacker enters ?nomer=43X34 in the query string, after this treatment the variable $a1 takes the value 43.


Do not forget about the ranges of values.
To handle this, check the variable against its allowed range.
Suppose $a1 must lie between 1 and 100; then the check looks as follows:



As you can see, the variable $a1 is forced to 1 whenever the range check fails.


Stage 3. Filtration of string variables


Text variables are particularly dangerous, for example the field for entering a search phrase on the site.
They must be checked for malicious code.
To reduce the risk, certain elements are removed from the text or replaced with other characters.


HTML tags are usually removed, as are PHP inserts and anything that would alter the structure of queries to the MySQL database.
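The three stages above, collected in one place at the top of a script, as an added example that is not the original post's code. It uses isset() instead of the @ suppression operator, casts and range-checks the integer exactly as Stage 2 describes, strips tags from the text field as Stage 3 describes, and passes the result to MySQL through a prepared statement rather than splicing it into the query; the $pdo connection and the items table are assumptions, and the request values are constructed so the script runs offline.

```php
<?php
// Stage 1 + 2: read an integer input with a declared range; out-of-range
// or missing values fall back to $default (the post forces $a1 to 1).
function readInt(array $src, string $key, int $min, int $max, int $default): int
{
    if (!isset($src[$key])) {
        return $default;          // key absent: no need for @
    }
    $v = (int)$src[$key];         // "43X34" becomes 43
    if ($v < $min || $v > $max) {
        return $default;          // range violation
    }
    return $v;
}

// Stage 3: filter a free-text field such as a search phrase.
function readText(array $src, string $key, int $maxLen): string
{
    $v = isset($src[$key]) ? (string)$src[$key] : '';
    $v = strip_tags($v);          // removes HTML and PHP tags
    $v = trim($v);
    return mb_substr($v, 0, $maxLen);   // bound the length (mbstring assumed)
}

// Constructed sample request standing in for $_GET.
$get = [
    'nomer' => '43X34',
    'q'     => "<b>php</b><?php echo 1; ?>' OR 1=1 --",
];

$nomer = readInt($get, 'nomer', 1, 100, 1);   // 43
$q     = readText($get, 'q', 64);             // php' OR 1=1 --

// Database: the filtered string is still bound, never concatenated into SQL.
// $pdo is an assumed PDO connection to the site's MySQL database.
if (isset($pdo)) {
    $stmt = $pdo->prepare('SELECT id, title FROM items WHERE nomer = :n AND title LIKE :q');
    $stmt->execute([':n' => $nomer, ':q' => '%' . $q . '%']);
}

// Output: escape on the way out as well, independent of the input filtering.
echo $nomer, "\n", htmlspecialchars($q, ENT_QUOTES, 'UTF-8'), "\n";
```

Stripping tags does not make a string safe for SQL; the prepared statement is what keeps the quote and the comment marker in $q from changing the query's structure.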

