Comments on: How to filter user submitted data easily in PHP? http://roshanbh.com.np/2008/08/how-to-filter-user-submitted-data-easily-in-php.html Useful Tutorials, Scripts , Tips, and Resources for all PHP and Ajax beginners and experts . Mon, 07 May 2012 21:11:05 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Jacob Poore http://roshanbh.com.np/2008/08/how-to-filter-user-submitted-data-easily-in-php.html/comment-page-1#comment-5211 Jacob Poore Sun, 28 Feb 2010 17:15:42 +0000 http://roshanbh.com.np/?p=217#comment-5211 learn something new everyday. very cool learn something new everyday. very cool

]]> By: sell music beats http://roshanbh.com.np/2008/08/how-to-filter-user-submitted-data-easily-in-php.html/comment-page-1#comment-4912 sell music beats Wed, 16 Dec 2009 00:35:38 +0000 http://roshanbh.com.np/?p=217#comment-4912 This is good to know, i'm always scared of people using certain characters in textfields to hack into my database, will be sure to filter everything carefully. This is good to know, i’m always scared of people using certain characters in textfields to hack into my database, will be sure to filter everything carefully.

]]> By: mello http://roshanbh.com.np/2008/08/how-to-filter-user-submitted-data-easily-in-php.html/comment-page-1#comment-4676 mello Sat, 10 Oct 2009 16:15:47 +0000 http://roshanbh.com.np/?p=217#comment-4676 I have a php site http://www.phloentertainment.com i might try this cool I have a php site http://www.phloentertainment.com i might try this cool

]]> By: beats http://roshanbh.com.np/2008/08/how-to-filter-user-submitted-data-easily-in-php.html/comment-page-1#comment-3532 beats Sat, 07 Feb 2009 03:10:53 +0000 http://roshanbh.com.np/?p=217#comment-3532 Learned something new with that array_map() function. I googled it and found other great examples. Thanks for the post, just what I was looking for. Learned something new with that array_map() function. I googled it and found other great examples. Thanks for the post, just what I was looking for.

]]> By: [??] Aug 23th 2008 - My Habari http://roshanbh.com.np/2008/08/how-to-filter-user-submitted-data-easily-in-php.html/comment-page-1#comment-3508 [??] Aug 23th 2008 - My Habari Thu, 29 Jan 2009 04:29:33 +0000 http://roshanbh.com.np/?p=217#comment-3508 [...] need for set/get methods in PythonjQuery JSON with PHP json_encode and json_decodeHow to filter user submitted data easily in PHP?twittex.com Launches!???? twittex.com ??? 6 ?????, ??? symfony, PHP, [...] [...] need for set/get methods in PythonjQuery JSON with PHP json_encode and json_decodeHow to filter user submitted data easily in PHP?twittex.com Launches!???? twittex.com ??? 6 ?????, ??? symfony, PHP, [...]

]]> By: jay http://roshanbh.com.np/2008/08/how-to-filter-user-submitted-data-easily-in-php.html/comment-page-1#comment-3245 jay Tue, 02 Dec 2008 05:15:13 +0000 http://roshanbh.com.np/?p=217#comment-3245 In your example you have written a general function so that when a variable is required to be validated. you just call that function. function filter_data($val) { return htmlentities($val,ENT_QUOTES); } What if you want to replace that htmlentities with filter_input ( ) can the input type parameter for this be POST? In your example you have written a general function so that when a variable is required to be validated. you just call that function.

function filter_data($val)
{
return htmlentities($val,ENT_QUOTES);
}

What if you want to replace that htmlentities with filter_input ( ) can the input type parameter for this be POST?

]]> By: [??] Aug 23th 2008 « Oceanic | ???? http://roshanbh.com.np/2008/08/how-to-filter-user-submitted-data-easily-in-php.html/comment-page-1#comment-1987 [??] Aug 23th 2008 « Oceanic | ???? Sat, 23 Aug 2008 09:42:26 +0000 http://roshanbh.com.np/?p=217#comment-1987 [...] How to filter user submitted data easily in PHP? [...] [...] How to filter user submitted data easily in PHP? [...]

]]> By: How to filter user submitted data easily in PHP? | coderchris.com http://roshanbh.com.np/2008/08/how-to-filter-user-submitted-data-easily-in-php.html/comment-page-1#comment-1932 How to filter user submitted data easily in PHP? | coderchris.com Mon, 18 Aug 2008 06:29:21 +0000 http://roshanbh.com.np/?p=217#comment-1932 [...] How to filter user submitted data easily in PHP? [...] [...] How to filter user submitted data easily in PHP? [...]

]]> By: Roshan http://roshanbh.com.np/2008/08/how-to-filter-user-submitted-data-easily-in-php.html/comment-page-1#comment-1918 Roshan Sun, 17 Aug 2008 05:16:29 +0000 http://roshanbh.com.np/?p=217#comment-1918 @john - Thanks for your explanation @Pierre - I can see still in some of of the web hosting company are using PHP4 and PHP 5.1.x , I'm just worried for them only otherwise I'm not against PHP's filter extension, I also recomment this if you're using PHP 5>5.2.0. @john – Thanks for your explanation
@Pierre – I can see still in some of of the web hosting company are using PHP4 and PHP 5.1.x , I’m just worried for them only otherwise I’m not against PHP’s filter extension, I also recomment this if you’re using PHP 5>5.2.0.

]]> By: Pierre http://roshanbh.com.np/2008/08/how-to-filter-user-submitted-data-easily-in-php.html/comment-page-1#comment-1915 Pierre Sat, 16 Aug 2008 21:59:57 +0000 http://roshanbh.com.np/?p=217#comment-1915 PHP4 is dead, php 5.1.x has critical security issues, what is the reason to do not use php 5.2.x? PHP4 is dead, php 5.1.x has critical security issues, what is the reason to do not use php 5.2.x?

]]> By: John J. http://roshanbh.com.np/2008/08/how-to-filter-user-submitted-data-easily-in-php.html/comment-page-1#comment-1904 John J. Fri, 15 Aug 2008 21:05:57 +0000 http://roshanbh.com.np/?p=217#comment-1904 I couldn't echo Mojah's comment more strongly. The best practice when it comes to user input is to validate input (make sure it is the type/size you expect) and filter/encode/etc. output. You do the later ONLY when it is being output because you never know what the data will be used for between when it is input and when the script ends. As for the filter extension, I recommend this as well. It is available as a pecl extension for those of you still stuck on PHP 5 < 5.2 (if you are using PHP 4.x, WHY?!). You can use it to force a base level of security on all inputs and to get any user data you need to use the filter_input function. I couldn’t echo Mojah’s comment more strongly. The best practice when it comes to user input is to validate input (make sure it is the type/size you expect) and filter/encode/etc. output. You do the later ONLY when it is being output because you never know what the data will be used for between when it is input and when the script ends.

As for the filter extension, I recommend this as well. It is available as a pecl extension for those of you still stuck on PHP 5 < 5.2 (if you are using PHP 4.x, WHY?!). You can use it to force a base level of security on all inputs and to get any user data you need to use the filter_input function.

]]> By: Roshan http://roshanbh.com.np/2008/08/how-to-filter-user-submitted-data-easily-in-php.html/comment-page-1#comment-1896 Roshan Fri, 15 Aug 2008 16:50:43 +0000 http://roshanbh.com.np/?p=217#comment-1896 @gerard - Thanks for the link of inspekt it seems to be a nice tool..will check it later in free time @Pierre - Thanks but you must have PHP greater than 5.2.0 and not useful for people who are using lower version of PHP. @gerard – Thanks for the link of inspekt it seems to be a nice tool..will check it later in free time
@Pierre – Thanks but you must have PHP greater than 5.2.0 and not useful for people who are using lower version of PHP.

]]> By: Pierre http://roshanbh.com.np/2008/08/how-to-filter-user-submitted-data-easily-in-php.html/comment-page-1#comment-1895 Pierre Fri, 15 Aug 2008 15:43:23 +0000 http://roshanbh.com.np/?p=217#comment-1895 Ever heard of http://www.php.net/filter ? Ever heard of http://www.php.net/filter ?

]]> By: gerard http://roshanbh.com.np/2008/08/how-to-filter-user-submitted-data-easily-in-php.html/comment-page-1#comment-1894 gerard Fri, 15 Aug 2008 15:40:50 +0000 http://roshanbh.com.np/?p=217#comment-1894 Have you checked out Inspekt (http://inspekt.org)? It wraps a "cage" around your input data and can make input filtering transparently easy. Have you checked out Inspekt (http://inspekt.org)? It wraps a “cage” around your input data and can make input filtering transparently easy.

]]> By: Ian http://roshanbh.com.np/2008/08/how-to-filter-user-submitted-data-easily-in-php.html/comment-page-1#comment-1879 Ian Thu, 14 Aug 2008 18:01:18 +0000 http://roshanbh.com.np/?p=217#comment-1879 @Roshan Noooo! Don't encourage people to use extract() on $_POST or any other user input superglobal for that matter! That's precisely the problem with register_globals. If you extract() all of the variables in an input array, you open up the very real possibility that an internal variable that you didn't intend for users to interact with can now be initialized with anything the user wants. They could for example, post a variable called content and fill it with javascript. If you happen to use a variable $called content in your code and don't initialize it with an empty string before concatenating to it, that javascript may be passed back out to the page when you echo $content. @Roshan

Noooo! Don’t encourage people to use extract() on $_POST or any other user input superglobal for that matter! That’s precisely the problem with register_globals.

If you extract() all of the variables in an input array, you open up the very real possibility that an internal variable that you didn’t intend for users to interact with can now be initialized with anything the user wants.

They could for example, post a variable called content and fill it with javascript. If you happen to use a variable $called content in your code and don’t initialize it with an empty string before concatenating to it, that javascript may be passed back out to the page when you echo $content.

]]>