Sanitizing Data

Started by RustyBarnacle, January 30, 2009, 01:35:05 PM


RustyBarnacle

I was wondering if there was a tutorial somewhere on this.

I'd never heard of it until I asked about how much security is looked into when someone submits a mod.  My mod has a lot of forms in it and while I don't think I'd open a security risk, I'm not sure.  I say that because the users only get to fill in check boxes and it's the admins that have the textareas and such.  So if only the admin has a textarea, I'm hoping I wouldn't open a hole.

If someone could point me in the right direction that would be great.

karlbenson

Anything submitted by users should be checked / stripped / made safe

any checkboxes should be checked to make sure they are 1 or 0
any ints cast as integers
e.g. $var = (int) $var
and checked that they are between your valid ranges, e.g. can it be negative, can it be 99999999999

any text fields, between valid lengths, HTML and JavaScript and other bad code removed
chars converted to HTML-safe versions, e.g. < to &lt; with htmlentities();

IF on 1.1.x, you need to escape chars that could result in SQL injection (like single, double quotes)
IF on 2.x, the new query functions will do the escaping.
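The checks listed above, written out for a hypothetical mod settings form. This is an added example, not code from this thread or from SMF itself: the field names, the 0..365 range, the 80-character limit and the table name mymod_settings are constructed for illustration, and the storage function assumes SMF 2.x's $smcFunc['db_query'] with its typed placeholders.

```php
<?php
// Added example (not from this thread or from SMF): validating a hypothetical
// mod settings form. Field names, ranges and the table name are constructed.

// Turn a submitted checkbox into exactly 0 or 1 (an unchecked box is simply absent from $_POST).
function sanitize_checkbox($value)
{
    return empty($value) ? 0 : 1;
}

// Cast to int, then enforce the range the field is allowed to have.
// Returns null when the value is not numeric or out of range so the caller can reject the form.
function sanitize_int($value, $min, $max)
{
    if (!is_numeric($value))
        return null;
    $value = (int) $value;
    return ($value < $min || $value > $max) ? null : $value;
}

// Enforce a length limit and convert HTML-significant characters so tags and
// scripts are shown as text instead of being rendered. Returns null when empty or too long.
function sanitize_text($value, $max_length)
{
    $value = trim((string) $value);
    if ($value === '' || strlen($value) > $max_length)
        return null;
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Hypothetical handler for a mod's admin settings page; $post is normally $_POST.
function process_settings_form(array $post)
{
    $enabled = sanitize_checkbox(isset($post['enabled']) ? $post['enabled'] : 0);
    $days    = sanitize_int(isset($post['days']) ? $post['days'] : '', 0, 365);
    $title   = sanitize_text(isset($post['title']) ? $post['title'] : '', 80);

    if ($days === null || $title === null)
        return false; // reject the whole submission rather than storing a partial one

    return array('enabled' => $enabled, 'days' => $days, 'title' => $title);
}

// Storage on SMF 2.x: $smcFunc['db_query'] takes typed placeholders ({int:...},
// {string:...}) and escapes the values itself, so no manual quote escaping is needed here.
function store_settings($smcFunc, array $settings)
{
    $smcFunc['db_query']('', '
        UPDATE {db_prefix}mymod_settings
        SET enabled = {int:enabled}, days = {int:days}, title = {string:title}
        WHERE id_setting = {int:id}',
        array(
            'enabled' => $settings['enabled'],
            'days'    => $settings['days'],
            'title'   => $settings['title'],
            'id'      => 1,
        )
    );
}

// Usage (assumes $smcFunc is in scope as it is in SMF 2.x):
// $settings = process_settings_form($_POST);
// if ($settings !== false)
//     store_settings($smcFunc, $settings);
```

The handler rejects the entire submission when any field fails, so a form never ends up half-stored. Note the two different concerns: htmlentities() protects the page that later displays the value, while the typed placeholders protect the query; on 1.1.x, where the query is assembled as a plain string, the values would additionally need escaping for the database as the post above says.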

RustyBarnacle

Thanks!

So much for being almost done, apparently I need to secure it now.  :)
