
Order of input cleansing?


pizzaguy


I'm trying to create my first real login system and I want it to be as secure as I can possibly make it. Right now, I have a function I'm using to clean form input for things like a user's email address, password, username, etc. when he or she is registering. Here is a snippet:

```php
/* $value is the variable taken from $_POST after the user has submitted the form */
$value = @urldecode($value);
$value = @strip_tags($value);
$value = @stripslashes($value);
// Truncate to $maxLength characters. substr() needs a start offset of 0 here;
// substr($value, $maxLength) would instead keep only the tail after that offset.
$value = @substr($value, 0, $maxLength);
```

Right now, my main question is whether I should leave the substr function at the bottom, or move it to the top and use it as the first action. Since I don't know much about overflows and errors like that, I wasn't sure whether it'd be best to make sure the input was shortened first, or whether I should clean everything else out of the string and then trim any excess last? Also, given what I already have here, would I still want to call mysql_real_escape_string before entering the final $value into my database? Finally, are there any other recommended actions that I should include in order to make sure any input is acceptably clean?


Generally the length check goes last. If you did that first you might end up making it shorter than necessary because of the other things.

Also, given what I already have here, would I still want to call mysql_real_escape_string before entering the final $value into my database?
Nothing you show there is a replacement for mysql_real_escape_string. None of those are even really necessary; mysql_real_escape_string is the only thing you need in terms of protecting against SQL attacks on strings.
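The following is an added example, not code from either poster, that shows the two points in the reply above in working PHP: the length limit goes last (with the substr() call starting at offset 0), and escaping for the query is a separate step done where the value meets SQL. The function name cleanInput(), the variable $maxLength, the users table and the database credentials are all illustrative assumptions. Because the mysql_* extension was removed in PHP 7, the mysqli equivalent of mysql_real_escape_string is used, alongside a prepared statement that avoids escaping altogether.

```php
<?php
// Added example; names and credentials are placeholders, not from the thread.

function cleanInput(string $value, int $maxLength): string
{
    // $_POST values are already URL-decoded by PHP, so urldecode() is omitted.
    // Removing tags first can only make the string shorter, never longer.
    $value = strip_tags($value);
    $value = trim($value);
    // Length limit LAST, so the limit applies to what actually remains.
    // Note the 0 start offset: substr($value, $maxLength) would return the
    // part of the string *after* that offset instead of truncating it.
    return mb_substr($value, 0, $maxLength);
}

// Why the order matters, on a constructed input with a 5-character limit:
$raw = '<b>alice</b>';
var_dump(cleanInput($raw, 5));                         // string(5) "alice"
// Truncating first leaves "<b>al"; strip_tags() then drops the tag and
// returns only "al", shorter than the 5 characters the limit allowed.
var_dump(strip_tags(mb_substr($raw, 0, 5)));           // string(2) "al"

// Escaping belongs at the point where the value is put into SQL text, not in
// the generic cleaning step. Connection details below are placeholders.
$mysqli   = new mysqli('localhost', 'db_user', 'db_password', 'app_db');
$username = cleanInput($_POST['username'] ?? '', 32);
$email    = cleanInput($_POST['email'] ?? '', 254);
// Password fields should not go through cleanInput(); storing the output of
// password_hash() makes tag stripping and truncation unnecessary for them.

// Option A: escape each value before splicing it into a quoted literal.
// This is the mysqli counterpart of the mysql_real_escape_string() the reply
// refers to, and it only protects values that are inside quotes.
$sql = "INSERT INTO users (username, email) VALUES ('"
     . $mysqli->real_escape_string($username) . "', '"
     . $mysqli->real_escape_string($email) . "')";
$mysqli->query($sql);

// Option B: a prepared statement keeps the data out of the SQL text entirely,
// so no escaping step is needed and it cannot be forgotten.
$stmt = $mysqli->prepare('INSERT INTO users (username, email) VALUES (?, ?)');
$stmt->bind_param('ss', $username, $email);
$stmt->execute();
```

The two var_dump() calls are the concrete form of the reply's "shorter than necessary" warning: the same 5-character limit yields five characters when applied last and only two when applied first. Whichever of the two query styles is used, the cleaning function stays free of SQL concerns, which keeps it reusable for values that never reach a database.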

Archived

This topic is now archived and is closed to further replies.
