MyBB Community Forums

Full Version: Sanitizing data, how far should we go?
Hi,

Just wondering how far I need to go. I am sanitizing all input data with db->escape and intval; however, do I need to also sanitize all of the output with htmlspecialchars_uni?

For instance, some of the output will build URLs that may have

misc.php?id=1

where the 1 has been pulled from the database (and cleansed going into the database), so should I be doing

$url = $url."misc.php?id=".htmlspecialchars_uni($result["id"]);

or is that just too extreme?
If you can be 100% sure it hasn't been tampered with, you should be fine.
The ID should never be user editable unless they have access to the database itself, as there is no interface to enter it. If there is no real harm in sanitizing it then I will do it.

I need to go back through the admin interface and add the same sanitizing there, as I didn't bother, but after watching a few YouTube videos and having my own site hacked, it just isn't worth the risk; it's easier to cleanse the data than clean up the aftermath.
(2013-05-28, 12:25 PM)Dannymh Wrote: [ -> ]
$url = $url."misc.php?id=".htmlspecialchars_uni($result["id"]);

$url = $url . "misc.php?id=" . (int) $result["id"];

That should be fine, IMO.
If it's an INT field in the DB you can expect to get an INT out of it when querying. Additional sanitization is not required. It's different for strings.
You can use intval for it, does the job very well.
(2013-05-29, 06:11 AM)crazy4cs Wrote: [ -> ]You can use intval for it, does the job very well.

intval is for inserting data into the database AFAIK. It's input vs output. I use intval on all ints going into the database and escape all strings going in. I am now going the extra mile of escaping all strings coming out with htmlspecialchars_uni and ensuring all outbound ints are (int)$var, just to make sure.
(2013-05-29, 06:17 AM)Dannymh Wrote: [ -> ]
(2013-05-29, 06:11 AM)crazy4cs Wrote: [ -> ]You can use intval for it, does the job very well.

intval is for inserting data into the database AFAIK. It's input vs output. I use intval on all ints going into the database and escape all strings going in. I am now going the extra mile of escaping all strings coming out with htmlspecialchars_uni and ensuring all outbound ints are (int)$var, just to make sure.

intval()/(int) is for casting a piece of data to an integer. It can be used for either input or output, if you know that the data should always be an integer.
With regards to Danny's reply:

No, you can use it in output too. For example in many of the plugins that I build, if the page has some id structure like somepage.php?action=details&uid=1, then I use intval function to prevent any SQL injections.
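A worked illustration of the distinction the thread settles on (cast ids to int, escape strings for SQL on the way in, HTML-encode strings on the way out), added here and not code from the thread or from MyBB. html_encode() is a stand-in for htmlspecialchars_uni(), the PDO connection and the threads table are assumed, prepared statements stand in for db->escape, and the sample rows are constructed.

```php
<?php
// Added example: the same value needs a different treatment at each boundary.
// Casting is enough for ids; strings need SQL escaping on the way in AND
// HTML encoding on the way out, because the two contexts are unrelated.

// Stand-in for MyBB's htmlspecialchars_uni(): encode for HTML without
// double-encoding entities such as &amp; that are already stored encoded.
function html_encode($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8', false);
}

// Integer parameters (query string, form field or database column): cast,
// and treat anything that does not cast to a positive id as "no id".
function read_id($raw)
{
    $id = (int) $raw;
    return $id > 0 ? $id : 0;
}

// Strings going into SQL: bind them as a parameter instead of concatenating.
// $pdo is an assumed PDO connection; the threads table is assumed too.
function find_thread(PDO $pdo, $raw_title)
{
    $stmt = $pdo->prepare('SELECT id, title FROM threads WHERE title = :title');
    $stmt->execute([':title' => $raw_title]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Strings coming out: encode for the HTML context even though they were
// escaped for SQL on the way in. SQL escaping never neutralises markup.
function render_link(array $row)
{
    $id    = read_id($row['id']);        // safe in a URL: it is only digits
    $title = html_encode($row['title']); // safe in HTML: < > & " ' encoded
    return '<a href="misc.php?id=' . $id . '">' . $title . '</a>';
}

// Constructed sample rows. The second shows what a stored string looks like
// once SQL escaping has done its job: the query was protected, the page is not
// until the output is encoded.
$rows = [
    ['id' => '1',    'title' => 'Hello & welcome'],
    ['id' => '7abc', 'title' => '<script>alert(1)</script>'],
];
foreach ($rows as $row) {
    echo render_link($row), "\n";
}
```

Run it from the command line with php; the second row renders the script tag as inert text and its id collapses to 7.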
Yep, in all situations I know when it should be an integer; if it isn't an integer, someone is playing silly buggers with either query strings, form boxes, etc.

I just looked at the website I was reading regarding intval and escaping... article published in 2009.

All good, thanks guys. I am casting it correctly going in, but it wasn't until I was hacked last week that I thought about sanitizing output as well, including form fields on errors. All good now, I am just being extra anal about this stuff now.

And thanks guys