LinuxQuestions.org


Obi Perrin 04-27-2003 07:43 PM

(PHP) Stopping Malicious Form Input
 
I've been reading the php manual about the security of php (in my case as an apache module) and some of the examples they give are rather frightening to say the least. So, as well as md5'ing all passwords in the database, using an unprivilged database user and turning off global_vars, I've written this little function which I run all of my input through before they're registered as variables, in the hope that it will detect malicious input:

PHP Code:

function validate($in_type, $user_input)
{
    if ($in_type == "string")
    {
        // Strings: convert HTML special characters to entities before use
        $user_input = htmlentities($user_input);
        return $user_input;
    }
    else if ($in_type == "int")
    {
        // Integers: accept only values PHP considers numeric
        if (is_numeric($user_input))
        {
            return $user_input;
        } else {
            return "Error";
        }
    } else {
        // Unknown type name
        return "Error";
    }
}


So, I would use the following to register a variable:

PHP Code:

$lang = validate("string", $_GET['lang']);

Now, I've been using this on my own apache without a problem, so I at least know that it doesn't generate any errors, but I'm wondering if anyone can see any way of still passing evil stuff into my scripts even after they're run through this? Or if they've come across different and perhaps better ways to protect against this kind of thing?

Thanks :-D
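As an added example (editor's code, not the original poster's), here is one way to restructure the same idea so that each check matches the context the value ends up in: whitelist a parameter such as lang that has a small known set of values, validate integers with filter_var() (is_numeric() also accepts "1e3", "1.5" and " 7"), keep strings raw and escape them only when they are written into HTML, and let a prepared statement handle the SQL context, since htmlentities() does nothing for SQL. Returning null instead of the string "Error" avoids confusing a failed check with a user who actually typed "Error". It assumes PHP 7.4 or later with the standard filter and PDO-SQLite extensions; the $get array is constructed sample input standing in for $_GET.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7.4+ with the default
// filter and PDO-SQLite extensions.

// Stricter replacement for the poster's validate(): returns null on failure
// instead of the string "Error", which a legitimate user could also submit.
function validate_input(string $type, $value)
{
    switch ($type) {
        case 'int':
            // FILTER_VALIDATE_INT rejects "1e3", "1.5", " 7" and "abc";
            // is_numeric() accepts the first three.
            $n = filter_var($value, FILTER_VALIDATE_INT);
            return $n === false ? null : $n;
        case 'string':
            // $_GET values can be arrays (?lang[]=x), which htmlentities()
            // does not accept, so require a scalar string and reject control
            // characters other than tab, LF and CR. Do NOT escape here:
            // escaping belongs to the output context (HTML, SQL, ...).
            if (!is_string($value) || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $value)) {
                return null;
            }
            return $value;
        default:
            return null;
    }
}

// For a parameter with a small known set of values (like ?lang=), a
// whitelist is stronger than any character-level filtering.
function validate_lang($value, array $allowed = ['en', 'de', 'fr']): ?string
{
    return in_array($value, $allowed, true) ? $value : null;
}

// HTML output escaping; this is where htmlentities()/htmlspecialchars() belongs.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for $_GET.
$get = [
    'lang'    => 'en',
    'page'    => '1e3',
    'comment' => '<b onmouseover="x()">hi</b>',
];

$lang    = validate_lang($get['lang']);               // "en"
$page    = validate_input('int', $get['page']);       // null: "1e3" is not an int
$comment = validate_input('string', $get['comment']); // raw string, escaped at output

// SQL context: the prepared statement keeps the value as data regardless of
// its characters; htmlentities() would not have helped here.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $comment]);

// HTML context: escape when rendering, so the stored value stays reusable
// in other contexts (JSON, e-mail, plain text) without double-encoding.
echo '<p>' . h($comment) . "</p>\n";
var_dump($lang, $page);
```

The split into "validate at input, escape at output" is the design choice worth keeping: a value that is htmlentities()'d on the way in still has to be handled correctly for every other place it is used, whereas a value that is validated against what the script actually expects (a language code, an integer) and escaped for the context it is written to stays correct in each of them.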

