ProgrammingThis forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hi. Besides the formatting requirements of the php application, if I'm using prepared statements correctly do I need to sanitize user input in any other ways? If so, what's the numblest way?
If you use prepared-statements (i.e. "placeholders"), you will prevent SQL-injection, because the user-supplied content is never understood to be part of the SQL statement that is to be executed.
You should also "de-fang" the inputs to ensure that users do not attempt to store information which, when replayed to a recipient's browser, would be interpreted as a malicious script. Likewise, when the contents of the database are presented by your program to a recipient's browser, any HTML-like content should be transformed (as described above) into HTML entities. For example, a string "<script>" would become a harmless "<script>" which will cause that literal string to appear in the output without any possibility of it being executed.
(To see exactly what I am talking about ... look at the "view page source" of this very page, to see what the LinuxQuestions forum-software did with the text of this post! The string that I used as my example ... has been transmogrified in precisely the way that I described. Thus, it is impossible for your browser to "execute" my post. You'll also see how the ampersands were also encoded as HTML-entities. You might have to "reload" the page to see the source-code of this posting.)
Last edited by sundialsvcs; 09-27-2013 at 02:45 PM.
Wait. This is confusing. If the data is stored in a database or xml with htmlspecialchar conversions and then output again with htmlspecialchar conversions you don't get your intended user output. But if you omit the conversion in your output you risk maliscious attacks against your guests.
Okay, I think I get it. Always use htmlspecialchars for input. Sundial was just saying if you do happen to allow literal html strings in storage always convert them for output. Correct?
Always use htmlspecialchars for output. Sundial was just saying if you do happen to allow literal html strings in storage always use htmlspecialchars to convert them for output. Correct?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
